I was wondering if anyone has an issue with updates of the IPS rule set? Regularly it should be on a daily basis, but sometimes I have a situation where it has not been updated for several days.
I have tried to update it manually with suricata-update and I'm getting strange errors on the terminal like
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 92
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "krb5" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.krb5.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1157
Anyone with similar issues or advice on how to handle the issue?
Thank you @mrmarkuz, I have missed that one, good to know.
The log shows the following errors:
Apr 3 08:19:53 mail systemd: Reloaded Suricata Intrusion Detection Service.
Apr 3 08:19:53 mail esmith::event[21698]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply SUCCESS [7.512855]
Apr 3 08:19:53 mail esmith::event[21698]: Event: nethserver-pulledpork-save SUCCESS
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Troja$
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win3$
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 27 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 7 other si$
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018087 and 9 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
Apr 3 08:19:58 mail suricata: 3/4/2022 -- 08:19:58 - <Notice> - rule reload complete
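An added example, not code from either post and not part of Suricata, suricata-update or NethServer: a small Python parser for the rule-load messages quoted in both posts above (the raw suricata-update output in the first post and the syslog-wrapped suricata lines in the second). It groups them into the app-layer protocols Suricata reports as unsupported or disabled, the sids that failed to parse because of that, duplicate sids, and flowbits that are checked but never set, then derives the suricata.yaml keys to review and candidate disable.conf entries for the rules that cannot load until those protocols are enabled. The sample log is constructed from the lines quoted in the thread, including the syslog-truncated ones ending in `$`, so the parser shows how to handle a line whose sid was cut off. The disable.conf format (one sid per line, `#` comments) is suricata-update's; the function names and the report layout are my own.

```python
"""Summarise Suricata rule-load errors and warnings (added example, not from the thread).

Handles both the raw suricata-update output and the same messages wrapped by
syslog, and tolerates lines that syslog has truncated (no sid visible).
"""
import re
from collections import OrderedDict

# Constructed sample: copied from the log lines quoted in the thread above.
SAMPLE_LOG = """\
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 92
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "krb5" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.krb5.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1157
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Troja$
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win3$
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 27 other sigs
Apr 3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 7 other si$
Apr 3 08:19:58 mail suricata: 3/4/2022 -- 08:19:58 - <Notice> - rule reload complete
"""

# The ERRCODE tag is the same with or without a syslog prefix, so key on it.
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>SC_\w+)\(\d+\)\] -+ (?P<msg>.*)$")
PROTO_RE = re.compile(r'protocol "(?P<proto>\w+)" cannot be used.*?yaml option (?P<key>\S+)')
SIG_HEAD_RE = re.compile(r'signature "(?P<action>\w+) (?P<proto>\w+) ')
SID_RE = re.compile(r"sid:\s*(?P<sid>\d+)")
LOC_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")
# "other" instead of "other sigs": a syslog-truncated line still matches.
FLOWBIT_RE = re.compile(
    r"flowbit '(?P<name>[^']+)' is checked but not set\. Checked in (?P<sid>\d+) and (?P<others>\d+) other")


def parse_rule_load_log(text):
    """Group Suricata rule-load messages into a report dict."""
    report = {
        "unsupported_protocols": OrderedDict(),  # protocol -> suricata.yaml key
        "invalid_signatures": [],                # sid, proto, file, line, truncated
        "duplicate_signatures": [],              # sid, or None when the line was cut
        "flowbits_never_set": OrderedDict(),     # flowbit -> (first sid, other count)
        "reload_complete": False,
    }
    for line in text.splitlines():
        if "rule reload complete" in line:
            report["reload_complete"] = True
            continue
        m = ERRCODE_RE.search(line)
        if not m:
            continue
        code, msg = m.group("code"), m.group("msg")
        if code == "SC_ERR_UNKNOWN_PROTOCOL":
            p = PROTO_RE.search(msg)
            if p:
                report["unsupported_protocols"][p.group("proto")] = p.group("key")
        elif code == "SC_ERR_INVALID_SIGNATURE":
            head, sid, loc = SIG_HEAD_RE.search(msg), SID_RE.search(msg), LOC_RE.search(msg)
            report["invalid_signatures"].append({
                "sid": sid.group("sid") if sid else None,
                "proto": head.group("proto") if head else None,
                "file": loc.group("file") if loc else None,
                "line": int(loc.group("line")) if loc else None,
                "truncated": sid is None,  # syslog cut the line before the sid option
            })
        elif code == "SC_ERR_DUPLICATE_SIG":
            sid = SID_RE.search(msg)
            report["duplicate_signatures"].append(sid.group("sid") if sid else None)
        elif code == "SC_WARN_FLOWBIT":
            f = FLOWBIT_RE.search(msg)
            if f:
                report["flowbits_never_set"][f.group("name")] = (f.group("sid"), int(f.group("others")))
    return report


def suggest_actions(report):
    """Return (yaml keys to review, disable.conf lines for rules blocked by a disabled protocol)."""
    yaml_keys = list(report["unsupported_protocols"].values())
    disable_lines = []
    for sig in report["invalid_signatures"]:
        key = report["unsupported_protocols"].get(sig["proto"])
        if key and sig["sid"]:
            disable_lines.append(f"# sid {sig['sid']} fails to load until {key} is true")
            disable_lines.append(sig["sid"])  # disable.conf: one sid per line
    return yaml_keys, disable_lines


def count_truncated(report):
    """Errors whose sid is unknown because the logged line was cut; check the full log for these."""
    return (sum(1 for s in report["invalid_signatures"] if s["truncated"])
            + report["duplicate_signatures"].count(None))


if __name__ == "__main__":
    rep = parse_rule_load_log(SAMPLE_LOG)
    keys, disable = suggest_actions(rep)
    print("Protocols reported as unsupported/disabled:", dict(rep["unsupported_protocols"]))
    print("suricata.yaml keys to review:", keys)
    print("Candidate disable.conf lines:\n" + "\n".join(disable))
    print("Flowbits checked but never set:", len(rep["flowbits_never_set"]))
    print("Truncated error lines (sid unknown):", count_truncated(rep))
    print("Reload completed:", rep["reload_complete"])
```

Feed it the real output (`suricata-update 2>&1 | python3 parse_rule_load.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the two halves of the report point at the two different fixes: the yaml keys tell you which app-layer parsers are switched off in suricata.yaml, while the disable.conf lines let you drop just those sids when you would rather not enable the protocol. Flowbit warnings are informational (a set-side rule was disabled or filtered), and a non-zero truncated count means the syslog copy is not enough and the full suricata log has to be read for those sids.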