Issue with IPS rule set update?

**NethServer Version:** 7.9, fully updated
**Module:** IPS

I was wondering if anyone has an issue with updates of the IPS rule set? Regularly it should be on a daily basis, but sometimes I have a situation where it has not been updated for several days.

I have tried to update it manually with suricata-update and I'm getting strange errors on the terminal like

31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled

31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 92

31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "krb5" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.krb5.detection-enabled

31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1157

Anyone similar issues or advice how to handle the issue?

AFAICS suricata-update is not used in NethServer. Please try the following command and check the messages log:


Thank you @mrmarkuz, I have missed that one, good to know.

The log shows the following errors:

Apr  3 08:19:53 mail systemd: Reloaded Suricata Intrusion Detection Service.
Apr  3 08:19:53 mail esmith::event[21698]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply SUCCESS [7.512855]
Apr  3 08:19:53 mail esmith::event[21698]: Event: nethserver-pulledpork-save SUCCESS
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Troja$
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win3$
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 27 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 7 other si$
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018087 and 9 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
Apr  3 08:19:58 mail suricata: 3/4/2022 -- 08:19:58 - <Notice> - rule reload complete
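An added example, not from this thread and not NethServer or Suricata code: a small Python triage script that reads log lines of the kind quoted above, groups them by ERRCODE, and pulls out what you actually need to act on, i.e. the app-layer protocol that is switched off and the yaml option the message points at, the sids and rule-file lines that failed to parse, which lines were cropped by the terminal (ending in `$`) and so cannot be judged, and whether a "rule reload complete" notice followed. The sample lines are constructed from the messages in this thread; all function and variable names are my own.

```python
"""Triage Suricata rule-load messages by ERRCODE.

Constructed example for this thread, not NethServer or Suricata code.
SAMPLE_LOG is modelled on the output quoted in the thread; a line that
ends in '$' is one the terminal cropped, exactly as in the pasted log.
"""
import re
from collections import Counter

ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>SC_[A-Z0-9_]+)\(\d+\)\]")
LEVEL_RE = re.compile(r"<(?P<level>Error|Warning|Notice|Info)>")
SID_RE = re.compile(r"\bsid:(?P<sid>\d+);")
PROTO_RE = re.compile(r'protocol "(?P<proto>[A-Za-z0-9_-]+)" cannot be used')
YAML_RE = re.compile(r"yaml option (?P<opt>[A-Za-z0-9_.-]+)")
FLOWBIT_RE = re.compile(r"flowbit '(?P<name>[^']+)' is checked but not set")
FILE_RE = re.compile(r"from file (?P<path>\S+) at line (?P<line>\d+)")

# Constructed sample input (both the suricata-update style and the /var/log/messages style).
SAMPLE_LOG = """\
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 92
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "krb5" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.krb5.detection-enabled
31/3/2022 -- 06:59:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert krb5 any any -> any any (msg:"SURICATA Kerberos 5 weak encryption parameters"; flow:to_client; app-layer-event:krb5.weak_encryption; classtype:protocol-command-decode; sid:2226001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1157
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Troja$
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win3$
Apr  3 08:19:54 mail suricata: 3/4/2022 -- 08:19:54 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 27 other sigs
Apr  3 08:19:58 mail suricata: 3/4/2022 -- 08:19:58 - <Notice> - rule reload complete
"""


def parse_line(line):
    """Describe one log line; every key is present, None when the field is absent."""
    line = line.rstrip("\n")
    code = ERRCODE_RE.search(line)
    level = LEVEL_RE.search(line)
    sid = SID_RE.search(line)
    proto = PROTO_RE.search(line)
    opt = YAML_RE.search(line)
    fb = FLOWBIT_RE.search(line)
    loc = FILE_RE.search(line)
    return {
        "level": level.group("level") if level else None,
        "code": code.group("code") if code else None,
        "sid": int(sid.group("sid")) if sid else None,
        "proto": proto.group("proto") if proto else None,
        "yaml_option": opt.group("opt") if opt else None,
        "flowbit": fb.group("name") if fb else None,
        "location": (loc.group("path"), int(loc.group("line"))) if loc else None,
        # A cropped line carries no sid/file, so it is counted rather than guessed at.
        "truncated": line.endswith("$"),
        "reload_complete": "rule reload complete" in line,
    }


def summarize(text):
    """Aggregate parsed lines into the facts a reader needs to decide what matters."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    return {
        "by_code": Counter(r["code"] for r in recs if r["code"]),
        "unknown_protocols": sorted({r["proto"] for r in recs if r["proto"]}),
        # protocol -> the yaml switch the error message itself names
        "protocol_options": {r["proto"]: r["yaml_option"]
                             for r in recs if r["proto"] and r["yaml_option"]},
        "failed_sids": sorted({r["sid"] for r in recs
                               if r["code"] == "SC_ERR_INVALID_SIGNATURE" and r["sid"]}),
        "failed_locations": sorted({r["location"] for r in recs if r["location"]}),
        "flowbits": sorted({r["flowbit"] for r in recs if r["flowbit"]}),
        "truncated": sum(r["truncated"] for r in recs),
        "reload_complete": any(r["reload_complete"] for r in recs),
    }


def report(summary):
    """Plain-text triage: which messages drop a rule, which are only noise."""
    out = [f"{code}: {n}" for code, n in sorted(summary["by_code"].items())]
    for proto, opt in sorted(summary["protocol_options"].items()):
        out.append(f"rules for app-layer protocol {proto!r} are skipped; parser off or unsupported ({opt})")
    if summary["failed_sids"]:
        out.append("sids that did not load: " + ", ".join(map(str, summary["failed_sids"])))
    if summary["flowbits"]:
        out.append(f"{len(summary['flowbits'])} flowbit(s) checked but never set (warning only)")
    if summary["truncated"]:
        out.append(f"{summary['truncated']} line(s) cropped; re-read the log without truncation")
    out.append("rule reload completed" if summary["reload_complete"] else "no 'rule reload complete' seen")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

To run it against a real box, feed it the file the thread is looking at, e.g. `summarize(open("/var/log/messages").read())` (the path is an assumption based on the `Apr  3 ... mail suricata:` format above). The useful split is the last two report lines: a skipped protocol or a bad sid only affects those rules, while the absence of a "rule reload complete" notice is what would indicate the update as a whole did not take.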

I can’t reproduce.

The first 2 error lines are cropped, I think there’s more info about the error.

Usually a malformed/duplicate signature won't stop the rules update and seems to be a minor issue, see this thread.

The SC_WARN_FLOWBIT warning shouldn’t be an issue, see here and here.

Did you already try to disable and re-enable the malware category in the server manager?

Please share your config:

config show suricata