<Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed

You could find out which rule files contain duplicates and remove them. Look into the directories where suricata-update is looking and/or mentioned in your configuration file (suricata.yaml). Check the content of rule files and find out which rules have the same sid.
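A small script for exactly that check, added here as an example and not part of the original reply: it walks a set of rule files, extracts each active rule's sid (honouring Suricata's backslash line continuation and skipping commented-out rules) and reports every sid defined more than once. The rule files below are constructed sample data; the directory paths are illustrative.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rule files (not from the thread): both files carry
# sid 2522839, one rule is split over two lines with a trailing backslash,
# and one rule has no sid at all.
SAMPLE_FILES = {
    "/var/lib/suricata/rules/suricata.rules": (
        "# rules managed by suricata-update\n"
        'alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; sid:2522839; rev:4210;)\n'
        'alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; sid:2522840; rev:4210;)\n'
    ),
    "/var/lib/suricata/rules/emerging-tor.rules": (
        'alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; \\\n'
        "    sid:2522839; rev:4210;)\n"
        "# a commented-out copy is never loaded, so it is not a duplicate:\n"
        '# alert tcp any any -> any any (msg:"disabled copy"; sid:2522840; rev:1;)\n'
        'alert tcp any any -> any any (msg:"rule without a sid"; rev:1;)\n'
    ),
}


def iter_rules(text):
    """Yield (start_line, rule_text) for every active rule in a rule file.

    Blank lines and # comments are skipped, and a line ending in a backslash
    is joined with the next one, the continuation syntax Suricata accepts.
    """
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not buf:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            start = lineno
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)


def sid_of(rule):
    """Return the rule's sid as an int, or None when the option is missing."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def find_duplicate_sids(files):
    """Return (duplicates, missing): sid -> [(file, line), ...] for every sid
    seen more than once, and (file, line) of every active rule lacking a sid."""
    seen, missing = defaultdict(list), []
    for name, text in files.items():
        for lineno, rule in iter_rules(text):
            sid = sid_of(rule)
            if sid is None:
                missing.append((name, lineno))
            else:
                seen[sid].append((name, lineno))
    return {s: locs for s, locs in seen.items() if len(locs) > 1}, missing


def load_rule_dir(directory, pattern="*.rules"):
    """Read every file matching `pattern` under `directory` (e.g. default-rule-path)."""
    return {str(p): p.read_text() for p in sorted(Path(directory).glob(pattern))}


if __name__ == "__main__":
    files = load_rule_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    dups, missing = find_duplicate_sids(files)
    for sid, locs in sorted(dups.items()):
        print(f"sid {sid} defined {len(locs)} times:")
        for name, lineno in locs:
            print(f"    {name}:{lineno}")
    for name, lineno in missing:
        print(f"no sid: {name}:{lineno}")
```

Run it with the rule directory as its only argument to check real files; without an argument it reports on the constructed sample.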

Do you mean:

# suricatasc 
Command list: shutdown, command-list, help, version, uptime, running-mode, capture-mode, conf-get, dump-counters, reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking, ruleset-reload-time, ruleset-stats, ruleset-failed-rules, register-tenant-handler, unregister-tenant-handler, register-tenant, reload-tenant, unregister-tenant, add-hostbit, remove-hostbit, list-hostbit, reopen-log-files, memcap-set, memcap-show, memcap-list, dataset-add, dataset-remove, iface-stat, iface-list, iface-bypassed-stat, ebpf-bypassed-stat, quit

>>> reload-rules
Success:
"done"
>>> ruleset-reload-rules
Success:
"done"
>>> ruleset-stats
Success:
[
    {
        "id": 0,
        "rules_failed": 19927,
        "rules_loaded": 22166
    }
]
>>> ruleset-failed-rules
Success:
[
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 7,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Request flood detected\"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 13,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Length too small\"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 17,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Bad link CRC\"; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 21,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Bad transport CRC\"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/dnp3-events.rules",
        "line": 25,
        "rule": "alert dnp3 any any -> any any (msg:\"SURICATA DNP3 Unknown object\"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 1,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Mismatch protocol both directions\"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 2,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Wrong direction first Data\"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 3,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Detect protocol only one direction\"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 4,
        "rule": "alert ip any any -> any any (msg:\"SURICATA Applayer Protocol detection skipped\"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 5,
        "rule": "alert tcp any any -> any any (msg:\"SURICATA Applayer No TLS after STARTTLS\"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 6,
        "rule": "alert tcp any any -> any any (msg:\"SURICATA Applayer Unexpected protocol\"; flow:established; app-layer-event:applayer_unexpected_protocol; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260005; rev:1;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 7,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 packet too small\"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200000; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 8,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 header size too small\"; decode-event:ipv4.hlen_too_small; classtype:protocol-command-decode; sid:2200001; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 9,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 total length smaller than header size\"; decode-event:ipv4.iplen_smaller_than_hlen; classtype:protocol-command-decode; sid:2200002; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 10,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 truncated packet\"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 11,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 invalid option\"; decode-event:ipv4.opt_invalid; classtype:protocol-command-decode; sid:2200004; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 12,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 invalid option length\"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 13,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 malformed option\"; decode-event:ipv4.opt_malformed; classtype:protocol-command-decode; sid:2200006; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 15,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 with ICMPv6 header\"; decode-event:ipv4.icmpv6; classtype:protocol-command-decode; sid:2200092; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 16,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 option end of list required\"; decode-event:ipv4.opt_eol_required; classtype:protocol-command-decode; sid:2200008; rev:2;)",
        "tenant_id": 0
    },
    {
        "filename": "/var/lib/suricata/rules/suricata.rules",
        "line": 17,
        "rule": "alert pkthdr any any -> any any (msg:\"SURICATA IPv4 duplicated IP option\"; decode-event:ipv4.opt_duplicate; classtype:protocol-command-decode; sid:2200009; rev:2;)",
        "tenant_id": 0
    }
]
>>> 

I just changed the rules directory and undid it.

I removed all .rules files under “/var/lib/suricata/rules” and did:

# suricata -T
7/10/2020 -- 10:59:22 - <Info> - Running suricata under test mode
7/10/2020 -- 10:59:22 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
7/10/2020 -- 10:59:28 - <Notice> - Configuration provided was successfully loaded. Exiting.

After that, a “suricata.rules” file was created. What is the “suricata.rules” file?
I downloaded a rule from https://rules.emergingthreats.net/open/suricata/rules/ and placed it under the “/var/lib/suricata/rules” directory, executed “suricata -T” and got the same errors.

Jason,

The Suricata configuration file contains the information used by Suricata to

  • specify the directory where the file(s) containing the rules are located
  • specify the name(s) of the rules files

You should

  • Determine what directory you want to use for rule files
  • Configure Suricata with this directory
  • Specify the names of the files within that directory that contain the rules that you want to use.

This example demonstrates a single rule file in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - suricata.rules

This example demonstrates multiple rule files in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - suricata.rules
  - another_rules_file.rules
  - yet_another_rules_file.rules

This example uses all rule files matching the pattern emerging-*.rules in a specific directory.

default-rule-path: /usr/local/etc/suricata/rules

rule-files:
  - emerging-*.rules

Since you’re using suricata-update, use this as a reference: https://suricata.readthedocs.io/en/suricata-5.0.3/rule-management/suricata-update.html


Thank you.
My configuration is:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - "*.rules"

As I said, I removed all emerging rules and did “suricata -T” without any problem. Now, I want to add some emerging rules. What should I do?

You should be able to manage Emerging Threats rules with suricata-update. Just make sure you have the et/open set enabled. It’s enabled by default usually, but just to be sure:

suricata-update enable-source et/open

then run suricata-update to pull down the latest et/open rules. This will update your /var/lib/suricata/rules/suricata.rules to contain all the enabled et/open rules.

If you want to enable a specific rule that is disabled by default, you can edit /etc/suricata/enable.conf. To disable a rule that you don’t want enabled, you can edit /etc/suricata/disable.conf. Examples of these configuration files can be found at https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-enable-rules-enable-conf as they don’t exist by default.

If you plan to cut and paste rules into a rule file that you find off the web, I suggest updating your suricata.yaml to look like:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /etc/suricata/local.rules

then add any custom rules to /etc/suricata/local.rules and restart Suricata as needed.


Thank you for your useful information.
Thus, when I use “suricata-update”, does it pull all emerging rules and put them into the “suricata.rules” file?
If yes, then I don’t need to download all emerging rules separately?
I can’t see any “enable.conf” or “disable.conf” file:

# nano /etc/suricata/
classification.config  rules/                 threshold.config       
reference.config       suricata.yaml          

This is correct, you don’t have to download the rules separately.

See my comment above about information on disable.conf and enable.conf. They don’t exist by default. You’ll have to create them. I provided links to their documentation.


Why is Suricata-IDS doing it? Separate files are better.
In the “suricata.rules” file, are rules distinguished from each other?
Mine is something like:

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.183.21,95.217.186.37,95.217.189.94,95.217.190.131,95.217.191.166,95.217.191.9,95.217.19.208,95.217.197.204,95.217.20.144,95.217.203.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.206.235,95.217.208.71,95.217.210.63,95.217.211.224,95.217.211.231,95.217.211.237,95.217.21.233,95.217.2.156,95.217.217.198,95.217.217.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 842"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522841; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.221.79,95.217.22.2,95.217.223.54,95.217.235.148,95.217.23.60,95.217.237.142,95.217.238.12,95.217.239.111,95.217.239.25,95.217.248.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 843"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.2.71,95.217.42.50,95.217.42.94,95.217.5.88,95.217.62.4,95.217.6.94,95.217.78.84,95.217.97.138,95.223.238.165,95.235.40.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 844"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522843; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.245.62.11,95.26.22.180,95.28.2.35,95.42.102.195,95.67.38.55,95.72.153.75,95.80.10.222,95.84.140.36,95.85.19.85,95.85.8.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 845"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.90.99.13,95.91.1.248,95.91.172.217,96.126.105.219,96.126.110.163,96.225.177.69,96.233.74.18,96.238.85.65,96.253.78.108,96.255.209.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 846"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522845; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [96.35.39.175,96.65.68.193,97.103.2.110,97.107.132.24,97.107.137.101,97.107.138.162,97.107.139.108,97.107.139.28,97.107.141.130,97.115.165.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 847"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [97.119.194.246,97.69.218.38,97.87.109.113,97.90.159.235,97.93.202.22,98.128.172.177,98.128.173.1,98.128.186.118,98.128.192.100,98.14.166.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 848"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522847; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [98.165.46.62,98.174.215.13,98.193.69.56,98.220.248.235,98.225.157.78,98.234.222.4,98.37.64.180,99.105.213.162,99.122.201.244,99.131.45.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 849"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
...

Thus, I must create an “enable.conf” file and fill it with something like:

# Example of enabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401

# Example of enabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+

# Examples of enabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*

Then use the “suricata-update - enable.conf” command? Can you show me an example of an “enable.conf” file?

If separate files are better for your use case, you are free to do so, but Suricata-Update works best with a single output file. That said, you don’t have to use Suricata-Update, you can manage the rules however you like.

One thing that Suricata-Update does is dependency resolution of flowbits. Rule B might depend on rule A by flowbit dependency, but rule A may be off. In this case, rule B would never fire properly. Suricata-Update can detect this dependency and automatically turn rule A on. This is a detail that Suricata-Update does for you and most users don’t want to deal with manually.

In that file are examples of enabling a rule by SID, regular expression and filename. Say you want to ensure SID 2019401 is enabled, and any rule that contains the string heartbleed is enabled, your enable.conf could simply be:

# Enable SID 2019401
2019401

# Enable all rules with heartbleed in them
re: heartbleed

How can I be sure “SID 2019401” is enabled?
How can I find a list of “re”?

The example I provided ensures SID 2019401 is enabled.

As for the RE… There is no list. It matches against the rule text. You could manually download the emerging threats rules and open them in an editor to see what there is and what you want to enable.

You could subscribe to the emerging threats mailing list to get updated whenever they release new rules, then tweak as needed (but most new rules of any importance will be enabled by default).

Personally I rarely use enable.conf. I somewhat trust the rule vendors that rules of importance will be enabled by default - one of the ET guys has already responded to you on this matter. I generally only touch disable.conf to disable rules that are too noisy for my network. Disable.conf follows the same format as enable.conf, but makes sure that the rule is disabled.


Thank you.
If I edit “suricata.rules” and change some “alert” texts to “drop”, then when I launch the “suricata-update” command, are all of my changes lost (overwritten)?

This is due to the fact that suricata.rules is managed by suricata-update. So if you want to use suricata-update to manage your rules you should use the functions of suricata-update to modify rules, see https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules where you can achieve the alert to drop change.

Thus, “Suricata-update” will overwrite that file?
I don’t like to change all rules to drop. What should I do?
How can I use “re:. ^alert drop”?

/var/lib/suricata/rules/suricata.rules is the output of suricata-update, so will always be overwritten. The easiest way to convert rules to drop would be with a /etc/suricata/drop.conf file. Here you can just list the SIDs of the rules you wish to convert to drop, then re-run suricata-update.

Example at: https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-modify-rules-modify-conf

It’s the same format as disable.conf and enable.conf but rewrites alert to drop for you. Of course you can use regular expressions there as well.

Generally you won’t find it recommended to convert all alert to drop as you are likely to drop legitimate traffic as well. However, this could be done in drop.conf with a regular expression line like:

re: .

which will match everything.


Thank you so much.
Excuse me, what is SID? In the lines below, does a SID exist?

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.183.21,95.217.186.37,95.217.189.94,95.217.190.131,95.217.191.166,95.217.191.9,95.217.19.208,95.217.197.204,95.217.20.144,95.217.203.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.206.235,95.217.208.71,95.217.210.63,95.217.211.224,95.217.211.231,95.217.211.237,95.217.21.233,95.217.2.156,95.217.217.198,95.217.217.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 842"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522841; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.221.79,95.217.22.2,95.217.223.54,95.217.235.148,95.217.23.60,95.217.237.142,95.217.238.12,95.217.239.111,95.217.239.25,95.217.248.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 843"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.2.71,95.217.42.50,95.217.42.94,95.217.5.88,95.217.62.4,95.217.6.94,95.217.78.84,95.217.97.138,95.223.238.165,95.235.40.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 844"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522843; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.245.62.11,95.26.22.180,95.28.2.35,95.42.102.195,95.67.38.55,95.72.153.75,95.80.10.222,95.84.140.36,95.85.19.85,95.85.8.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 845"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.90.99.13,95.91.1.248,95.91.172.217,96.126.105.219,96.126.110.163,96.225.177.69,96.233.74.18,96.238.85.65,96.253.78.108,96.255.209.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 846"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522845; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [96.35.39.175,96.65.68.193,97.103.2.110,97.107.132.24,97.107.137.101,97.107.138.162,97.107.139.108,97.107.139.28,97.107.141.130,97.115.165.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 847"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [97.119.194.246,97.69.218.38,97.87.109.113,97.90.159.235,97.93.202.22,98.128.172.177,98.128.173.1,98.128.186.118,98.128.192.100,98.14.166.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 848"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522847; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [98.165.46.62,98.174.215.13,98.193.69.56,98.220.248.235,98.225.157.78,98.234.222.4,98.37.64.180,99.105.213.162,99.122.201.244,99.131.45.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 849"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)

I searched in the documents too, but did not find anything: https://suricata-update.readthedocs.io/en/latest/search.html?q=SID&check_keywords=yes&area=default
In re:heartbleed, how can I find a list of names that can stand in front of re?

If you look at an individual rule:

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)

You’ll find this rule has sid:2522839, also known as the signature ID. Each rule has a unique SID, and this can be used to turn on/off the rule.

There is no master list of things that can be used for the regular expression, as it’s just a regular expression that is run over each rule to look for a match. So you could choose any regular expression that might match the above rule… For example:

re: ET.TOR

would match the above rule as it contains “ET TOR” somewhere in it.

So learning what you could use here requires becoming familiar with the rulesets you are using. One way to do this is to subscribe to the email updates of the Emerging Threats and watch for new rules that are of interest to you.

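To make the matching rules from the replies above concrete (the sid and re: lines in enable.conf, the drop.conf line `re: .` that matches everything, and `re: ET.TOR` matching a rule that contains “ET TOR”), here is an added Python model of the matcher semantics as documented for suricata-update. It is not suricata-update’s own code; the sample rule files and the conf lines fed to it are constructed, and the precedence between enable.conf and disable.conf is not modelled.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample rule files (shortened, not copied from the thread). One rule
# ships commented out, the way vendors distribute rules that are off by default.
SAMPLE_FILES = {
    "emerging-tor.rules": (
        'alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) '
        'Node Traffic group 840"; classtype:misc-attack; sid:2522839; rev:4210;)\n'
        '# alert tcp any any -> $HOME_NET any (msg:"ET TOR constructed disabled rule"; sid:9000001; rev:1;)\n'
    ),
    "local.rules": (
        'alert tcp $HOME_NET any -> any any (msg:"CONSTRUCTED rule carrying sid 2019401"; sid:2019401; rev:1;)\n'
        'alert tcp any any -> any any (msg:"CONSTRUCTED HeartBleed test rule"; sid:9000002; rev:1;)\n'
    ),
}
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\s")


@dataclass
class Rule:
    text: str      # rule text without the leading "# " of a disabled rule
    group: str     # file the rule came from; this is what group: lines match
    enabled: bool

    def option(self, name, default=None):
        m = re.search(r"\b%s\s*:\s*(\d+)\s*;" % name, self.text)
        return int(m.group(1)) if m else default

    @property
    def sid(self):
        return self.option("sid")

    @property
    def gid(self):
        return self.option("gid", 1)   # Suricata's default gid is 1


def load_rules(files):
    """Parse {filename: content} into Rule objects, keeping disabled rules."""
    rules = []
    for group, content in files.items():
        for line in content.splitlines():
            s = line.strip()
            enabled = not s.startswith("#")
            text = s if enabled else s.lstrip("# ").strip()
            if ACTION_RE.match(text):       # anything else is a plain comment
                rules.append(Rule(text, group, enabled))
    return rules


def load_matchers(conf_text):
    """Conf lines to predicates: bare sid, gid:sid, re:<regex> (case-insensitive,
    searched over the whole rule text) or group:<file glob>; # comments skipped."""
    preds = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            pat = re.compile(line[3:].strip(), re.IGNORECASE)
            preds.append(lambda r, p=pat: p.search(r.text) is not None)
        elif line.startswith("group:"):
            g = line[6:].strip()
            preds.append(lambda r, g=g: fnmatch.fnmatch(r.group, g)
                         or fnmatch.fnmatch(r.group, g + ".rules"))
        else:
            gid, _, sid = line.rpartition(":")
            key = (int(gid) if gid else 1, int(sid))
            preds.append(lambda r, k=key: (r.gid, r.sid) == k)
    return preds


def select(rules, conf_text):
    """Sids of the rules (enabled or not) that a conf file's lines match."""
    preds = load_matchers(conf_text)
    return sorted(r.sid for r in rules if any(p(r) for p in preds))


def apply_drop_conf(rules, drop_conf):
    """Model of drop.conf: matching rules that are enabled go from alert to drop."""
    preds = load_matchers(drop_conf)
    return [Rule("drop" + r.text[5:], r.group, r.enabled)
            if r.enabled and r.text.startswith("alert ") and any(p(r) for p in preds)
            else r for r in rules]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_FILES)
    print("re: ET.TOR  ->", select(rules, "re: ET.TOR"))     # '.' matches the space in "ET TOR"
    print("re: ET\\.TOR ->", select(rules, r"re: ET\.TOR"))  # literal dot: matches nothing
    for r in apply_drop_conf(rules, "re: ."):                # '.' matches every rule
        print(r.text if r.enabled else "# " + r.text)
```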

Are these correct:

re: ET\.P2P
re: ET\.SCAN
re: ET\.WORM
re: ET\.MALWARE
re: ET\.DOS

?
How can I find the usage of each rule? For example, what is the goal of emerging-games.rules?

I made a mistake in my example. Leave out the \, so it would be like:

re: ET.P2P
re: ET.SCAN
re: ET.WORM
re: ET.MALWARE
re: ET.DOS

I’m not sure how up to date this is, but I found this:
