<Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed

Hello,
When I use the “suricata -T” command, I get the error below:

<Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

I changed “/var/lib/suricata/rules/” to 755:

# chmod -R 755 /var/lib/suricata/rules/

And:

# ls -l /var/lib/suricata/rules/
total 15420
-rwxr-xr-x. 1 root suricata    12776 Aug  8 03:28 botcc.portgrouped.rules
-rwxr-xr-x. 1 root suricata    39355 Aug  8 03:28 botcc.rules
-rwxr-xr-x. 1 root suricata      449 Aug  9 10:19 detect-dos.rules
-rwxr-xr-x. 1 root suricata     1777 Apr 28 22:34 dns-events.rules
-rwxr-xr-x. 1 root suricata    25674 Aug  8 03:28 drop.rules
-rwxr-xr-x. 1 root suricata     2664 Aug  8 03:28 dshield.rules
-rwxr-xr-x. 1 root suricata   111884 Aug  8 03:28 emerging-attack_response.rules.bak
-rwxr-xr-x. 1 root suricata 15575826 Oct  6 20:14 suricata.rules

In my Suricata-IDS configuration:

default-rule-path: /var/lib/suricata/rules

How can I solve it?

Thank you.

There should be warnings and/or errors above the line <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed. Those should hold the clue to why the loading failed. Can you post the full output?

Sure. Please look at https://pastebin.fun/KZuk1jrJGf

Could it be that the same rules are loaded directly from the yaml as well as managed by suricata-update into suricata.rules?

So?
How can I fix it?

Hi,

Try to run this, see what comes out:

sudo suricata-update --suricata-conf /etc/suricata/suricata.yaml -o /var/lib/suricata/rules --no-merge --verbose --force

The output is: https://pastebin.fun/Rlb7t3JKrc
No way to clear cache or…? If someone wants to add new rules to Suricata-IDS then?

You could find out which rule files contain duplicates and remove them. Look into the directories where suricata-update is looking and/or mentioned in your configuration file (suricata.yaml). Check the content of rule files and find out which rules have the same sid.
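A small checker for the duplicate-sid situation described in this reply, added here as an example and not code from the thread or from suricata-update; the rule text and file names are constructed. It skips commented-out rules, since a disabled copy does not conflict with an active one.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def iter_active_rules(path):
    """Yield (line_number, rule_text) for rules Suricata would actually load.
    Blank lines and lines commented out with '#' are skipped."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            yield lineno, text


def find_duplicate_sids(rule_files):
    """Map every sid found in more than one active rule to the list of
    (file name, line number) locations where it appears."""
    seen = {}
    for path in rule_files:
        for lineno, text in iter_active_rules(path):
            m = SID_RE.search(text)
            if m is None:
                continue  # no sid keyword: not a loadable rule anyway
            seen.setdefault(int(m.group(1)), []).append((Path(path).name, lineno))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


# Constructed sample: a suricata-update output file plus a second file that is
# also listed in rule-files and repeats one sid; the commented copy is ignored.
SAMPLE_FILES = {
    "suricata.rules": (
        'alert tcp any any -> $HOME_NET 23 (msg:"ET SCAN sample"; sid:2000001; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"ET SCAN sample 2"; sid:2000002; rev:3;)\n'
    ),
    "botcc.rules": (
        'alert tcp any any -> $HOME_NET 23 (msg:"ET SCAN sample"; sid:2000001; rev:1;)\n'
        '# alert tcp any any -> $HOME_NET 22 (msg:"disabled copy"; sid:2000002; rev:3;)\n'
    ),
}


def demo():
    """Write the constructed files to a temp directory and report duplicates."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in SAMPLE_FILES.items():
            p = Path(tmp, name)
            p.write_text(body, encoding="utf-8")
            paths.append(p)
        return find_duplicate_sids(sorted(paths))


if __name__ == "__main__":
    for sid, locs in demo().items():
        where = ", ".join(f"{f}:{n}" for f, n in locs)
        print(f"sid {sid} defined {len(locs)} times: {where}")
```

Point `find_duplicate_sids` at `glob.glob("/var/lib/suricata/rules/*.rules")` plus any extra files named under `rule-files` to check a real installation.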

Do you mean:

# suricatasc 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit

>>> reload-rules
Success:
"done"
>>> ruleset-reload-rules
Success:
"done"
>>> ruleset-stats
Success:
[
    {
        "id": 0,
        "rules_failed": 19927,
        "rules_loaded": 22166
    }
]
>>> ruleset-failed-rules
Success:
[
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 7,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Request flood detected\"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 13,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Length too small\"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 17,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Bad link CRC\"; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 21,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Bad transport CRC\"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 25,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Unknown object\"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 1,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Mismatch protocol both directions\"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 2,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Wrong direction first Data\"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 3,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Detect protocol only one direction\"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 4,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Protocol detection skipped\"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 5,
        "rule": "alert tcp any any -> any any (msg:\"SURICATA Applayer No TLS after STARTTLS\"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 6,
        "rule": "alert tcp any any -> any any (msg:\"SURICATA Applayer Unexpected protocol\"; flow:established; app-layer-event:applayer_unexpected_protocol; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260005; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 7,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 packet too small\"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200000; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 8,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 header size too small\"; decode-event:ipv4.hlen_too_small; classtype:protocol-command-decode; sid:2200001; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 9,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 total length smaller than header size\"; decode-event:ipv4.iplen_smaller_than_hlen; classtype:protocol-command-decode; sid:2200002; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 10,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 truncated packet\"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 11,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 invalid option\"; decode-event:ipv4.opt_invalid; classtype:protocol-command-decode; sid:2200004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 12,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 invalid option length\"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 13,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 malformed option\"; decode-event:ipv4.opt_malformed; classtype:protocol-command-decode; sid:2200006; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 15,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 with ICMPv6 header\"; decode-event:ipv4.icmpv6; classtype:protocol-command-decode; sid:2200092; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 16,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 option end of list required\"; decode-event:ipv4.opt_eol_required; classtype:protocol-command-decode; sid:2200008; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 17,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 duplicated IP option\"; decode-event:ipv4.opt_duplicate; classtype:protocol-command-decode; sid:2200009; rev:2;)",
        "tenant_id": 0
    }
]
>>> 

I just changed the rules directory and undid it.

I removed all .rules files under “/var/lib/suricata/rules” and did:

# suricata -T
7/10/2020 -- 10:59:22 - <Info> - Running suricata under test mode
7/10/2020 -- 10:59:22 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
7/10/2020 -- 10:59:28 - <Notice> - Configuration provided was successfully loaded. Exiting.

After that, a “suricata.rules” file was created. What is the “suricata.rules” file?
I downloaded a rule from https://rules.emergingthreats.net/open/suricata/rules/, placed it under the “/var/lib/suricata/rules” directory, executed “suricata -T” and got the same errors :frowning:

Jason,

The Suricata configuration file contains the information used by Suricata to

  • Specify the directory where the file(s) containing the rules are located
  • Specify the name(s) of the rules files

You should

  • Determine what directory you want to use for rule files
  • Configure Suricata with this directory
  • Specify the names of the files within that directory that contain the rules that you want to use.

This example demonstrates a single rule file in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - suricata.rules

This example demonstrates multiple rule files in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - suricata.rules
  - another_rules_file.rules
  - yet_another_rules_file.rules

This example demonstrates using all rule files matching the pattern emerging-*.rules in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - emerging-*.rules

Since you’re using suricata-update, use this as a reference: https://suricata.readthedocs.io/en/suricata-5.0.3/rule-management/suricata-update.html


Thank you.
My configuration is:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - "*.rules"

As I said, I removed all emerging rules and did “suricata -T” without any problem. Now, I want to add some emerging rules. What should I do?

You should be able to manage Emerging Threats rules with suricata-update. Just make sure you have the et/open set enabled. It's enabled by default usually, but just to be sure:

suricata-update enable-source et/open

then run suricata-update to pull down the latest et/open rules. This will update your /var/lib/suricata/rules/suricata.rules to contain all the enabled et/open rules.

If you want to enable a specific rule that is disabled by default, you can edit /etc/suricata/enable.conf. To disable a rule that you don’t want enabled, you can edit /etc/suricata/disable.conf. Examples of these configuration files can be found at https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-enable-rules-enable-conf as they don’t exist by default.

If you plan to cut and paste rules into a rule file that you find off the web, I suggest updating your suricata.yaml to look like:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /etc/suricata/local.rules

then add any custom rules to /etc/suricata/local.rules and restart Suricata as needed.


Thank you for your useful information.
Thus, when I use “suricata-update”, it pulls all emerging rules and puts them into the “suricata.rules” file?
If yes, then I don’t need to download all emerging rules separately?
I can’t see any “enable.conf” or “disable.conf” file:

# nano /etc/suricata/
classification.config  rules/                 threshold.config       
reference.config       suricata.yaml          

This is correct, you don’t have to download the rules separately.

See my comment above about information on disable.conf and enable.conf. They don’t exist by default. You’ll have to create them. I provided links to their documentation.


Why is Suricata-IDS doing that? Separate files are better.
In the “suricata.rules” file, are rules distinguished from each other?
Mine is something like:

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.183.21,95.217.186.37,95.217.189.94,95.217.190.131,95.217.191.166,95.217.191.9,95.217.19.208,95.217.197.204,95.217.20.144,95.217.203.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.206.235,95.217.208.71,95.217.210.63,95.217.211.224,95.217.211.231,95.217.211.237,95.217.21.233,95.217.2.156,95.217.217.198,95.217.217.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 842"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522841; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.221.79,95.217.22.2,95.217.223.54,95.217.235.148,95.217.23.60,95.217.237.142,95.217.238.12,95.217.239.111,95.217.239.25,95.217.248.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 843"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.2.71,95.217.42.50,95.217.42.94,95.217.5.88,95.217.62.4,95.217.6.94,95.217.78.84,95.217.97.138,95.223.238.165,95.235.40.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 844"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522843; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.245.62.11,95.26.22.180,95.28.2.35,95.42.102.195,95.67.38.55,95.72.153.75,95.80.10.222,95.84.140.36,95.85.19.85,95.85.8.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 845"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.90.99.13,95.91.1.248,95.91.172.217,96.126.105.219,96.126.110.163,96.225.177.69,96.233.74.18,96.238.85.65,96.253.78.108,96.255.209.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 846"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522845; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [96.35.39.175,96.65.68.193,97.103.2.110,97.107.132.24,97.107.137.101,97.107.138.162,97.107.139.108,97.107.139.28,97.107.141.130,97.115.165.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 847"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [97.119.194.246,97.69.218.38,97.87.109.113,97.90.159.235,97.93.202.22,98.128.172.177,98.128.173.1,98.128.186.118,98.128.192.100,98.14.166.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 848"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522847; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [98.165.46.62,98.174.215.13,98.193.69.56,98.220.248.235,98.225.157.78,98.234.222.4,98.37.64.180,99.105.213.162,99.122.201.244,99.131.45.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 849"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
...

Thus, I must create an “enable.conf” file and fill it with something like:

# Example of enabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401

# Example of enabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+

# Examples of enabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*

Then use the “suricata-update - enable.conf” command? Can you show me an example of an “enable.conf” file?

If separate files are better for your use case, you are free to do so, but Suricata-Update works best with a single output file. That said, you don’t have to use Suricata-Update, you can manage the rules however you like.

One thing that Suricata-Update does is dependency resolution of flowbits. Rule B might depend on rule A by flowbit dependency, but rule A may be off. In this case, rule B would never fire properly. Suricata-Update can detect this dependency and automatically turn rule A on. This is a detail that Suricata-Update does for you and most users don’t want to deal with manually.

In that file are examples of enabling a rule by SID, regular expression and filename. Say you want to ensure SID 2019401 is enabled, and any rule that contains the string heartbleed is enabled, your enable.conf could simply be:

# Enable SID 2019401
2019401

# Enable all rules with heartbleed in them
re: heartbleed

How can I be sure “SID 2019401” is enabled?
How can I find a list of “re” ?

The example I provided ensures SID 2019401 is enabled.

As for the RE… There is no list. It matches against the rule text. You could manually download the emerging threats rules and open them in an editor to see what there is and what you want to enable.

You could subscribe to the emerging threats mailing list to get updated whenever they release new rules, then tweak as needed (but most new rules of any importance will be enabled by default).

Personally I rarely use enable.conf. I somewhat trust the rule vendors that rules of importance will be enabled by default - one of the ET guys has already responded to you on this matter. I generally only touch disable.conf to disable rules that are too noisy for my network. Disable.conf follows the same format as enable.conf, but makes sure that the rule is disabled.
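An added example, not code from the thread or from suricata-update itself, that models the three enable.conf matcher forms shown earlier (bare or gid:sid, re:, group:) and the flowbit dependency resolution described a few replies up: a rule that does isset on a bit pulls in the disabled rule that sets it. The rules, file names and the ET.demo flowbit are constructed, and the setter/getter keyword sets are a simplification.

```python
import re
from fnmatch import fnmatch

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*(\w+)\s*,\s*([^;]+);")
SETTERS, GETTERS = {"set", "unset", "toggle"}, {"isset", "isnotset"}  # simplified


class Rule:
    """Just enough of a rule for enable.conf matching and flowbit resolution."""
    def __init__(self, group, raw):
        self.group = group                         # rule file name, used by group: matchers
        self.enabled = not raw.lstrip().startswith("#")
        self.raw = raw.lstrip().lstrip("#").strip()
        self.sid = int(SID_RE.search(self.raw).group(1))
        ops = FLOWBITS_RE.findall(self.raw)
        self.sets = {n.strip() for op, n in ops if op in SETTERS}
        self.needs = {n.strip() for op, n in ops if op in GETTERS}


def parse_matchers(conf_text):
    """Turn enable.conf lines into predicates: '1:2019401' or '2019401' match a sid,
    're:...' is a case-insensitive regex over the rule text, 'group:...' a glob on
    the file name (the '.rules' suffix may be left off, as in 'group:emerging-dos')."""
    matchers = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            pat = re.compile(line[3:].strip(), re.I)
            matchers.append(lambda r, p=pat: p.search(r.raw) is not None)
        elif line.startswith("group:"):
            glob = line[6:].strip()
            matchers.append(lambda r, g=glob: fnmatch(r.group, g) or fnmatch(r.group, g + ".rules"))
        else:
            sid = int(line.split(":")[-1])         # accept "gid:sid" or a bare sid
            matchers.append(lambda r, s=sid: r.sid == s)
    return matchers


def apply_enable_conf(rules, conf_text):
    """Enable every rule hit by a matcher, then resolve flowbits so that a rule
    testing a bit is never enabled while all setters of that bit stay off.
    Returns the sorted sids that end up enabled."""
    for m in parse_matchers(conf_text):
        for r in rules:
            if m(r):
                r.enabled = True
    changed = True
    while changed:                                 # a newly enabled setter may need a bit itself
        changed = False
        required = {b for r in rules if r.enabled for b in r.needs}
        for r in rules:
            if not r.enabled and r.sets & required:
                r.enabled = changed = True
    return sorted(r.sid for r in rules if r.enabled)


def sample_rules():
    """Constructed ruleset: everything disabled; 1000002 needs a bit only 1000001 sets."""
    return [
        Rule("emerging-policy.rules", '# alert tcp any any -> any 443 (msg:"stage one"; flowbits:set,ET.demo; flowbits:noalert; sid:1000001; rev:1;)'),
        Rule("emerging-policy.rules", '# alert tcp any any -> any 443 (msg:"stage two"; flowbits:isset,ET.demo; sid:1000002; rev:1;)'),
        Rule("emerging-exploit.rules", '# alert tcp any any -> any 443 (msg:"Heartbleed probe"; sid:2019401; rev:1;)'),
        Rule("emerging-icmp.rules", '# alert icmp any any -> any any (msg:"noisy ping"; sid:1000003; rev:1;)'),
    ]


ENABLE_CONF = "# constructed enable.conf\n1:1000002\nre:heartbleed\ngroup:emerging-icmp\n"

if __name__ == "__main__":
    print(apply_enable_conf(sample_rules(), ENABLE_CONF))
```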


Thank you.
If I edit “suricata.rules” and change some “alert” texts to “drop”, then when I launch the “suricata-update” command are all of my changes lost (overwritten)?