Hi everybody,
I also have this kind of alerts in messages.log:
...
...
...
uricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-
decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-
decode; sid:2270001; rev:3;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 13
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decod
e; sid:2270002; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 17
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-com
mand-decode; sid:2270003; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 21
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 25
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 2
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 4
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 6
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 8
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Function code"; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 10
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Value"; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 12
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 14
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 16
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 18
...
...
...
myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
...
...
...
Is there anything I can do to remove them ?
I tried to find the Surricata rules that are responsible for them to uncheck them but I couldn’t find them.
Does anyone have an idea please ?
My Ipfire:
| IPFire version | IPFire 2.27 (x86_64) - core168 |
|---|---|
| Pakfire version | 2.27-x86_64 |
| Kernel version | Linux 5.15.35-ipfire #1 SMP Tue Apr 26 10:56:57 GMT 2022 x86_64 Intel(R) Atom™ CPU C3758 @ 2.20GHz GenuineIntel GNU/Linux |
Many thanks