Suricata outputs [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] errors #34

Closed
henridf opened this issue Nov 20, 2020 · 4 comments · Fixed by #47
Labels
bug Something isn't working

Comments

@henridf
Contributor

henridf commented Nov 20, 2020

Suricata currently outputs errors about protocol modbus being disabled. Logs are still processed and output ok, but we should fix the configuration so it doesn't.

20/11/2020 -- 18:46:01 - <Notice> - This is Suricata version 5.0.3 RELEASE running in USER mode
20/11/2020 -- 18:46:01 - <Info> - CPUs/cores online: 8
20/11/2020 -- 18:46:01 - <Info> - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
20/11/2020 -- 18:46:01 - <Info> - eve-log output device (regular) initialized: eve.json
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected";        app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 123
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small";        app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 124
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 125
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 126
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 127
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 224
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 225
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 226
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 227
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Function code"; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 228
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Value"; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 229
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 230
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 231
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 232
20/11/2020 -- 18:46:02 - <Info> - 1 rule files processed. 21336 rules successfully loaded, 14 rules failed
20/11/2020 -- 18:46:02 - <Info> - Threshold config parsed: 0 rule(s) found
20/11/2020 -- 18:46:02 - <Info> - 21339 signatures processed. 1453 are IP-only rules, 4007 are inspecting packet payload, 15650 inspect application layer, 103 are decoder event only
20/11/2020 -- 18:46:09 - <Notice> - all 1 packet processing threads, 2 management threads initialized, engine started.
20/11/2020 -- 18:46:09 - <Info> - Starting file run for -
20/11/2020 -- 18:46:09 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
20/11/2020 -- 18:46:09 - <Info> - pcap file - end of file reached (pcap err code 0)
20/11/2020 -- 18:46:09 - <Notice> - Signal Received.  Stopping engine.
20/11/2020 -- 18:46:09 - <Info> - time elapsed 0.056s
20/11/2020 -- 18:46:09 - <Notice> - Pcap-file module read 1 files, 2000 packets, 705670 bytes
20/11/2020 -- 18:46:09 - <Info> - Alerts: 0
20/11/2020 -- 18:46:09 - <Info> - cleaning up signature grouping structure... complete
@henridf henridf self-assigned this Nov 20, 2020
@henridf henridf added the bug Something isn't working label Nov 20, 2020
@philrz
Contributor

philrz commented Nov 20, 2020

Same for the dnp3 ones?

@henridf
Contributor Author

henridf commented Nov 26, 2020

@philrz yes same for the dnp3 ones.

@henridf
Contributor Author

henridf commented Nov 26, 2020

This only occurs after suricataupdater has run (which is why I only noticed this recently).

@philrz
Contributor

philrz commented Nov 29, 2020

Verified with the suricata-v5.0.3-brim25 artifact on macOS.

Here's an example of all the excess output as it looked in suricata-v5.0.3-brim21 before this fix.

$ ./suricataupdater 
29/11/2020 -- 10:33:38 - <Info> -- Loading /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/update.yaml
29/11/2020 -- 10:33:39 - <Info> -- Found Suricata version 5.0.3 at /Users/phil/work/build-suricata-34/suricata/bin/suricata.
29/11/2020 -- 10:33:39 - <Info> -- Loading /Users/phil/work/build-suricata-34/suricata/brim-conf.yaml
29/11/2020 -- 10:33:39 - <Info> -- No sources configured, will use Emerging Threats Open
29/11/2020 -- 10:33:39 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.md5.
29/11/2020 -- 10:33:39 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
 100% - 2816667/2816667               
29/11/2020 -- 10:33:40 - <Info> -- Done.
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/app-layer-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/decoder-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/dhcp-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/dnp3-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/dns-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/files.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/http-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/ipsec-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/kerberos-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/modbus-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/nfs-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/ntp-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/smb-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/smtp-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/stream-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata/share/suricata/rules/tls-events.rules
29/11/2020 -- 10:33:40 - <Info> -- Ignoring file rules/emerging-deleted.rules
29/11/2020 -- 10:33:41 - <Info> -- Loaded 28569 rules.
29/11/2020 -- 10:33:41 - <Info> -- Disabled 0 rules.
29/11/2020 -- 10:33:41 - <Info> -- Enabled 0 rules.
29/11/2020 -- 10:33:41 - <Info> -- Modified 0 rules.
29/11/2020 -- 10:33:41 - <Info> -- Dropped 0 rules.
29/11/2020 -- 10:33:41 - <Info> -- Enabled 145 rules for flowbit dependencies.
29/11/2020 -- 10:33:41 - <Info> -- Backing up current rules.
29/11/2020 -- 10:33:43 - <Info> -- Writing rules to /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules: total: 28569; enabled: 21200; added: 19; removed 0; modified: 1510
29/11/2020 -- 10:33:44 - <Info> -- Writing /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/classification.config
29/11/2020 -- 10:33:44 - <Info> -- Skipping test, disabled by configuration.
29/11/2020 -- 10:33:44 - <Info> -- Done.
10:33:44-phil@PhilMac:~/work/build-suricata-34/suricata$ ls
bin		etc		lib		suricatarunner	var
brim-conf.yaml	include		share		suricataupdater

$ cat ~/pcap/hello.pcapng | ./suricatarunner 
29/11/2020 -- 10:33:56 - <Notice> - This is Suricata version 5.0.3 RELEASE running in USER mode
29/11/2020 -- 10:33:56 - <Info> - CPUs/cores online: 12
29/11/2020 -- 10:33:57 - <Info> - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
29/11/2020 -- 10:33:57 - <Info> - eve-log output device (regular) initialized: eve.json
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected";        app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 123
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small";        app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 124
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 125
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 126
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 127
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 224
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 225
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 226
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 227
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Function code"; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 228
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Value"; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 229
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 230
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 231
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
29/11/2020 -- 10:33:57 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /Users/phil/work/build-suricata-34/suricata/var/lib/suricata/rules/suricata.rules at line 232
29/11/2020 -- 10:33:57 - <Info> - 1 rule files processed. 21186 rules successfully loaded, 14 rules failed
29/11/2020 -- 10:33:57 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/Users/phil/work/build-suricata-34/suricata/share/suricata/threshold.config": No such file or directory
29/11/2020 -- 10:33:57 - <Info> - 21189 signatures processed. 1534 are IP-only rules, 3808 are inspecting packet payload, 15618 inspect application layer, 103 are decoder event only
29/11/2020 -- 10:34:02 - <Notice> - all 1 packet processing threads, 2 management threads initialized, engine started.
29/11/2020 -- 10:34:02 - <Info> - Starting file run for -
29/11/2020 -- 10:34:02 - <Info> - pcap file - end of file reached (pcap err code 0)
29/11/2020 -- 10:34:02 - <Notice> - Signal Received.  Stopping engine.
29/11/2020 -- 10:34:02 - <Info> - time elapsed 0.021s
29/11/2020 -- 10:34:02 - <Notice> - Pcap-file module read 1 files, 27 packets, 10916 bytes
29/11/2020 -- 10:34:02 - <Info> - Alerts: 0
29/11/2020 -- 10:34:02 - <Info> - cleaning up signature grouping structure... complete

Now here are the same operations showing reduced output in suricata-v5.0.3-brim25.

$ ./suricataupdater 
29/11/2020 -- 10:35:05 - <Info> -- Loading /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/var/lib/suricata/update.yaml
29/11/2020 -- 10:35:05 - <Info> -- Found Suricata version 5.0.3 at /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/bin/suricata.
29/11/2020 -- 10:35:05 - <Info> -- Loading /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/brim-conf.yaml
29/11/2020 -- 10:35:05 - <Info> -- Disabling rules for protocol modbus
29/11/2020 -- 10:35:05 - <Info> -- Disabling rules for protocol dnp3
29/11/2020 -- 10:35:05 - <Info> -- Disabling rules for protocol enip
29/11/2020 -- 10:35:05 - <Info> -- No sources configured, will use Emerging Threats Open
29/11/2020 -- 10:35:05 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.md5.
29/11/2020 -- 10:35:06 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
 100% - 2816667/2816667               
29/11/2020 -- 10:35:06 - <Info> -- Done.
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/app-layer-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/decoder-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/dhcp-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/dnp3-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/dns-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/files.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/http-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/ipsec-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/kerberos-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/modbus-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/nfs-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/ntp-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/smb-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/smtp-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/stream-events.rules
29/11/2020 -- 10:35:06 - <Info> -- Loading distribution rule file /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/share/suricata/rules/tls-events.rules
29/11/2020 -- 10:35:07 - <Info> -- Ignoring file rules/emerging-deleted.rules
29/11/2020 -- 10:35:08 - <Info> -- Loaded 28569 rules.
29/11/2020 -- 10:35:08 - <Info> -- Disabled 14 rules.
29/11/2020 -- 10:35:08 - <Info> -- Enabled 0 rules.
29/11/2020 -- 10:35:08 - <Info> -- Modified 0 rules.
29/11/2020 -- 10:35:08 - <Info> -- Dropped 0 rules.
29/11/2020 -- 10:35:08 - <Info> -- Enabled 145 rules for flowbit dependencies.
29/11/2020 -- 10:35:08 - <Info> -- Backing up current rules.
29/11/2020 -- 10:35:10 - <Info> -- Writing rules to /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/var/lib/suricata/rules/suricata.rules: total: 28569; enabled: 21186; added: 19; removed 0; modified: 1496
29/11/2020 -- 10:35:11 - <Info> -- Writing /Users/phil/work/build-suricata-34/suricata-v5.0.3-brim25/var/lib/suricata/rules/classification.config
29/11/2020 -- 10:35:11 - <Info> -- Skipping test, disabled by configuration.
29/11/2020 -- 10:35:11 - <Info> -- Done.

$ cat ~/pcap/hello.pcapng | ./suricatarunner
29/11/2020 -- 10:35:12 - <Notice> - This is Suricata version 5.0.3 RELEASE running in USER mode
29/11/2020 -- 10:35:12 - <Info> - CPUs/cores online: 12
29/11/2020 -- 10:35:12 - <Info> - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
29/11/2020 -- 10:35:12 - <Info> - eve-log output device (regular) initialized: eve.json
29/11/2020 -- 10:35:13 - <Info> - 1 rule files processed. 21186 rules successfully loaded, 0 rules failed
29/11/2020 -- 10:35:13 - <Info> - Threshold config parsed: 0 rule(s) found
29/11/2020 -- 10:35:13 - <Info> - 21189 signatures processed. 1534 are IP-only rules, 3808 are inspecting packet payload, 15618 inspect application layer, 103 are decoder event only
29/11/2020 -- 10:35:18 - <Notice> - all 1 packet processing threads, 2 management threads initialized, engine started.
29/11/2020 -- 10:35:18 - <Info> - Starting file run for -
29/11/2020 -- 10:35:18 - <Info> - pcap file - end of file reached (pcap err code 0)
29/11/2020 -- 10:35:18 - <Notice> - Signal Received.  Stopping engine.
29/11/2020 -- 10:35:18 - <Info> - time elapsed 0.021s
29/11/2020 -- 10:35:19 - <Notice> - Pcap-file module read 1 files, 27 packets, 10916 bytes
29/11/2020 -- 10:35:19 - <Info> - Alerts: 0
29/11/2020 -- 10:35:19 - <Info> - cleaning up signature grouping structure... complete

Thanks @henridf!
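The two start-up logs above make the invariant concrete: every `protocol X is disabled` error is followed by an `error parsing signature` line for a rule whose sid Suricata then refuses to load, and the fix is visible as the summary line going from `14 rules failed` to `0 rules failed`. The script below is an added example, not code from this issue, from Brim or from suricata-update. It parses Suricata's own error output, pairs each disabled-protocol reason with the rejected signature, checks that the count it recovers matches Suricata's `N rules failed` summary, and renders a suricata-update `disable.conf` that lists the offending sids (disable.conf accepting bare sid numbers is a documented feature of suricata-update; the sample log is a shortened, constructed copy of the lines quoted in the issue, with four failures instead of fourteen). It is a cross-check for the case where suricata-update does not know the protocol is off in suricata.yaml, as happened with the brim21 artifact.

```python
import re
from collections import defaultdict

# Constructed sample input: a shortened copy of the Suricata 5.0.3 start-up
# output quoted in the issue (two dnp3 and two modbus failures instead of 14).
SAMPLE_LOG = """\
20/11/2020 -- 18:46:01 - <Notice> - This is Suricata version 5.0.3 RELEASE running in USER mode
20/11/2020 -- 18:46:01 - <Info> - eve-log output device (regular) initialized: eve.json
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 123
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 124
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 224
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
20/11/2020 -- 18:46:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /Users/henridf/work/brim/zq/bin/suricata-v5.0.3-brim13/var/lib/suricata/rules/suricata.rules at line 225
20/11/2020 -- 18:46:02 - <Info> - 1 rule files processed. 21336 rules successfully loaded, 4 rules failed
"""

# The reason line Suricata prints before rejecting a rule for an app-layer
# protocol that is not enabled in suricata.yaml.
DISABLED_RE = re.compile(
    r"\[ERRCODE: SC_ERR_INVALID_SIGNATURE\(39\)\] - protocol (?P<proto>\S+) is disabled$")
# The rejection line itself; the rule text contains its own double quotes, so
# the greedy group is terminated by the literal '" from file'.
PARSE_ERR_RE = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
SUMMARY_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")


def failed_rules(log_text):
    """Pair every 'protocol X is disabled' line with the 'error parsing
    signature' line that follows it and return one dict per rejected rule."""
    failures = []
    pending_proto = None
    for line in log_text.splitlines():
        m = DISABLED_RE.search(line)
        if m:
            pending_proto = m.group("proto")
            continue
        m = PARSE_ERR_RE.search(line)
        if m and pending_proto:
            rule = m.group("rule")
            sid_m = SID_RE.search(rule)
            failures.append({
                "proto": pending_proto,
                "sid": int(sid_m.group(1)) if sid_m else None,
                "file": m.group("file"),
                "line": int(m.group("line")),
                "rule": rule,
            })
        # A parse error without a preceding reason line is some other defect;
        # either way the pending reason is consumed.
        pending_proto = None
    return failures


def summary_counts(log_text):
    """Return (loaded, failed) from Suricata's rule-loading summary line."""
    m = SUMMARY_RE.search(log_text)
    return (int(m.group(1)), int(m.group(2))) if m else (None, None)


def check_consistent(log_text):
    """True when every failure Suricata counted is explained by a disabled
    protocol, i.e. there is no other broken rule hiding in the noise."""
    _, failed = summary_counts(log_text)
    return failed is not None and failed == len(failed_rules(log_text))


def disable_conf(failures):
    """Render suricata-update disable.conf content: one bare sid per line,
    grouped under a comment naming the protocol that is disabled."""
    by_proto = defaultdict(set)
    for f in failures:
        if f["sid"] is not None:
            by_proto[f["proto"]].add(f["sid"])
    out = []
    for proto in sorted(by_proto):
        out.append(f"# protocol {proto} is disabled in suricata.yaml; drop its app-layer-event rules")
        out.extend(str(sid) for sid in sorted(by_proto[proto]))
    return "\n".join(out) + "\n" if out else ""


if __name__ == "__main__":
    failures = failed_rules(SAMPLE_LOG)
    print(f"{len(failures)} rules rejected; summary consistent: {check_consistent(SAMPLE_LOG)}")
    print(disable_conf(failures), end="")
```

Run it against a real start-up log (for example `suricata -c suricata.yaml -r file.pcap 2>&1 | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), then drop the rendered text into suricata-update's disable.conf and re-run the updater. A `check_consistent` result of `False` means some failures are not explained by disabled protocols and need to be read individually, which is exactly the signal the fourteen repeated errors in the original output were drowning out.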
