<Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed

This is due to the fact that suricata.rules is managed by suricata-update. So if you want to use suricata-update to manage your rules, you should use the functions of suricata-update to modify rules. See https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules where you can achieve the alert-to-drop change.

So, “suricata-update” will overwrite that file?
I don’t like to change all rules to drop. What should I do?
How can I use “re:. ^alert drop”?

/var/lib/suricata/rules/suricata.rules is the output of suricata-update, so will always be overwritten. The easiest way to convert rules to drop would be with a /etc/suricata/drop.conf file. Here you can just list the SIDs of the rules you wish to convert to drop, then re-run suricata-update.

Example at: https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-modify-rules-modify-conf

It’s the same format as disable.conf and enable.conf, but it rewrites alert to drop for you. Of course you can use regular expressions there as well.

Generally you won’t find it recommended to convert all alert to drop as you are likely to drop legitimate traffic as well. However, this could be done in drop.conf with a regular expression line like:

re: .

which will match everything.


Thank you so much.
Excuse me, what is a SID? Does a SID exist in the lines below?

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.183.21,95.217.186.37,95.217.189.94,95.217.190.131,95.217.191.166,95.217.191.9,95.217.19.208,95.217.197.204,95.217.20.144,95.217.203.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.206.235,95.217.208.71,95.217.210.63,95.217.211.224,95.217.211.231,95.217.211.237,95.217.21.233,95.217.2.156,95.217.217.198,95.217.217.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 842"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522841; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.221.79,95.217.22.2,95.217.223.54,95.217.235.148,95.217.23.60,95.217.237.142,95.217.238.12,95.217.239.111,95.217.239.25,95.217.248.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 843"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.2.71,95.217.42.50,95.217.42.94,95.217.5.88,95.217.62.4,95.217.6.94,95.217.78.84,95.217.97.138,95.223.238.165,95.235.40.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 844"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522843; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.245.62.11,95.26.22.180,95.28.2.35,95.42.102.195,95.67.38.55,95.72.153.75,95.80.10.222,95.84.140.36,95.85.19.85,95.85.8.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 845"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.90.99.13,95.91.1.248,95.91.172.217,96.126.105.219,96.126.110.163,96.225.177.69,96.233.74.18,96.238.85.65,96.253.78.108,96.255.209.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 846"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522845; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [96.35.39.175,96.65.68.193,97.103.2.110,97.107.132.24,97.107.137.101,97.107.138.162,97.107.139.108,97.107.139.28,97.107.141.130,97.115.165.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 847"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [97.119.194.246,97.69.218.38,97.87.109.113,97.90.159.235,97.93.202.22,98.128.172.177,98.128.173.1,98.128.186.118,98.128.192.100,98.14.166.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 848"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522847; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [98.165.46.62,98.174.215.13,98.193.69.56,98.220.248.235,98.225.157.78,98.234.222.4,98.37.64.180,99.105.213.162,99.122.201.244,99.131.45.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 849"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)

I searched in the documents too, but didn’t find anything: https://suricata-update.readthedocs.io/en/latest/search.html?q=SID&check_keywords=yes&area=default
In re:heartbleed, how can I find a list of names that can stand in front of re?

If you look at an individual rule:

alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)

You’ll find this rule has sid:2522839, also known as the signature ID. Each rule has a unique SID, and this can be used to turn on/off the rule.

There is no master list of things that can be used for the regular expression, as it’s just a regular expression that is run over each rule to look for a match. So you could choose any regular expression that might match the above rule. For example:

re: ET.TOR

would match the above rule as it contains “ET TOR” somewhere in it.

So learning what you could use here requires becoming familiar with the rulesets you are using. One way to do this is to subscribe to the email updates of Emerging Threats and watch for new rules that are of interest to you.


Are these correct:

re: ET\.P2P
re: ET\.SCAN
re: ET\.WORM
re: ET\.MALWARE
re: ET\.DOS

?
How can I find the usage of each rule? For example, what is the goal of emerging-games.rules?

I made a mistake in my example. Leave out the \, so it would be like:

re: ET.P2P
re: ET.SCAN
re: ET.WORM
re: ET.MALWARE
re: ET.DOS

I’m not sure how up to date this is, but I found this:


Thank you so much.
I created a drop.conf file:

re: ET.WORM
re: ET.MALWARE
re: ET.DOS

And restarted the Suricata-IDS service. The log shows me:

10/10/2020 -- 23:04:13 - <Notice> - Signal Received.  Stopping engine.
10/10/2020 -- 23:04:13 - <Info> - time elapsed 86.126s
10/10/2020 -- 23:04:13 - <Notice> - (RX-NFQ#0) Treated: Pkts 1743, Bytes 189827, Errors 0
10/10/2020 -- 23:04:13 - <Notice> - (RX-NFQ#0) Verdict: Accepted 1726, Dropped 16, Replaced 0
10/10/2020 -- 23:04:13 - <Info> - TLS logger logged 1 requests
10/10/2020 -- 23:04:13 - <Info> - TLS logger logged 2 requests
10/10/2020 -- 23:04:13 - <Info> - TLS logger logged 2 requests
10/10/2020 -- 23:04:13 - <Info> - TLS logger logged 1 requests
10/10/2020 -- 23:04:13 - <Info> - Alerts: 5
10/10/2020 -- 23:04:16 - <Info> - cleaning up signature grouping structure... complete
10/10/2020 -- 23:04:17 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
10/10/2020 -- 23:04:17 - <Info> - CPUs/cores online: 4
10/10/2020 -- 23:04:17 - <Info> - NFQ running in standard ACCEPT/DROP mode
10/10/2020 -- 23:04:17 - <Info> - dropped the caps for main thread
10/10/2020 -- 23:04:17 - <Info> - fast output device (regular) initialized: fast.log
10/10/2020 -- 23:04:17 - <Info> - eve-log output device (regular) initialized: eve.json
10/10/2020 -- 23:04:17 - <Info> - http-log output device (regular) initialized: http.log
10/10/2020 -- 23:04:17 - <Info> - tls-log output device (regular) initialized: tls.log
10/10/2020 -- 23:04:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//alert-debug.log": Permission denied
10/10/2020 -- 23:04:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "alert-debug": setup failed
10/10/2020 -- 23:04:17 - <Info> - stats output device (regular) initialized: stats.log
10/10/2020 -- 23:04:17 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - The drop log has been deprecated and will be removed by June 2020. Please use eve-log.
10/10/2020 -- 23:04:17 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//drop.log": Permission denied
10/10/2020 -- 23:04:17 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "drop": setup failed
10/10/2020 -- 23:04:17 - <Info> - Running in live mode, activating unix socket
10/10/2020 -- 23:04:18 - <Info> - 1 rule files processed. 21052 rules successfully loaded, 0 rules failed
10/10/2020 -- 23:04:18 - <Info> - Threshold config parsed: 0 rule(s) found
10/10/2020 -- 23:04:18 - <Info> - 21055 signatures processed. 1251 are IP-only rules, 4001 are inspecting packet payload, 15574 inspect application layer, 103 are decoder event only
10/10/2020 -- 23:04:23 - <Info> - binding this thread 0 to queue '0'
10/10/2020 -- 23:04:23 - <Info> - setting queue length to 4096
10/10/2020 -- 23:04:23 - <Info> - setting nfnl bufsize to 6144000
10/10/2020 -- 23:04:23 - <Info> - Running in live mode, activating unix socket
10/10/2020 -- 23:04:23 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
10/10/2020 -- 23:04:23 - <Notice> - all 6 packet processing threads, 4 management threads initialized, engine started.

I guess it is not normal!!!
After it, the website became slow. Any idea how to solve the speed problem?

You can also do this if you have spaces in the string you’re trying to match:

re:"ET MALWARE"
re:"ET 3CORESec Poor Reputation"

Actually it looks like that format works in modify.conf but not in drop.conf
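
Putting the answers above together (rules are selected by SID or by a `re:` pattern, the `\` should be left out of `ET.P2P`, and the quoted `re:"ET MALWARE"` form works in modify.conf but not in drop.conf), here is an added example for previewing what a drop.conf would convert before running suricata-update for real. It is not suricata-update's own code: it re-implements the matching as I understand suricata-update's matcher (a bare SID, a `gid:sid` pair, or a `re:` line whose text after the colon is a Python regex searched case-insensitively over the raw rule line). The sample rules, other than the trimmed ET TOR rule quoted in the thread, and the SIDs 9000001 to 9000003 are constructed for the example.

```python
"""Dry-run preview of which rules a drop.conf would convert from alert to drop.

Added example, not suricata-update's own code.  Assumed matching semantics:
a bare SID, a gid:sid pair, or a `re:` line whose pattern is searched
case-insensitively against the raw rule text.
"""
import re

# Constructed sample rules: the ET TOR rule quoted in the thread (trimmed)
# plus three made-up rules whose SIDs (9000001..9000003) are illustrative.
SAMPLE_RULES = """\
alert tcp [95.217.164.106,95.217.164.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example beacon"; classtype:trojan-activity; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET DOS Example DNS flood"; classtype:attempted-dos; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Example torrent handshake"; classtype:policy-violation; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def gid_sid(rule):
    """(gid, sid) of a rule as strings; gid defaults to "1" as in Suricata."""
    gid = GID_RE.search(rule)
    sid = SID_RE.search(rule)
    return (gid.group(1) if gid else "1", sid.group(1) if sid else None)


def parse_drop_conf(text):
    """Turn drop.conf text into a list of predicates over a raw rule line."""
    matchers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # Everything after "re:" is the pattern, quotes included, which is
            # why re:"ET MALWARE" does not match msg:"ET MALWARE ..." rules.
            pattern = re.compile(line.split(":", 1)[1].strip(), re.I)
            matchers.append(lambda rule, p=pattern: p.search(rule) is not None)
        elif re.fullmatch(r"\d+:\d+", line):
            gid, sid = line.split(":")
            matchers.append(lambda rule, g=gid, s=sid: gid_sid(rule) == (g, s))
        elif line.isdigit():
            matchers.append(lambda rule, s=line: gid_sid(rule)[1] == s)
        else:
            raise ValueError("unsupported drop.conf line: %r" % raw)
    return matchers


def apply_drop_conf(rules_text, drop_conf_text):
    """Return (rewritten rules text, sorted SIDs converted from alert to drop)."""
    matchers = parse_drop_conf(drop_conf_text)
    out, converted = [], []
    for rule in rules_text.splitlines():
        if rule.startswith("alert ") and any(m(rule) for m in matchers):
            out.append("drop " + rule[len("alert "):])
            converted.append(int(gid_sid(rule)[1]))
        else:
            out.append(rule)  # untouched: already drop, disabled, or no match
    return "\n".join(out) + "\n", sorted(converted)


def preview(drop_conf_text):
    """SIDs in SAMPLE_RULES that the given drop.conf text would convert."""
    return apply_drop_conf(SAMPLE_RULES, drop_conf_text)[1]


if __name__ == "__main__":
    candidates = [
        "2522839",                      # one SID
        "re: ET.MALWARE\nre: ET.DOS",   # the thread's drop.conf: '.' matches the space
        r"re: ET\.P2P",                 # escaped dot needs a literal '.', so no match
        're:"ET MALWARE"',              # quotes become part of the regex, so no match
        "re: .",                        # matches every rule
    ]
    for conf in candidates:
        print("%-28r -> %s" % (conf, preview(conf)))
```

Running it shows that `2522839` converts only the Tor rule, that `re: ET.MALWARE` with `re: ET.DOS` converts two rules because `.` is a wildcard that happens to match the space, that `re: ET\.P2P` converts nothing, that `re:"ET MALWARE"` converts nothing because the quotes are part of the pattern, and that `re: .` converts everything. Compare the SID list with what you intended before pointing suricata-update at the real file, and then with the `Dropped N rules.` line suricata-update prints.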

Thank you.
The error was because of the permissions of the /var/log/suricata//drop.log and /var/log/suricata//alert-debug.log files.
How can I be sure my drop rules are working?

So, with a drop.conf file and the content below, am I on the wrong track?

re: ET.WORM
re: ET.MALWARE
re: ET.DOS

Thanks. Will look into this.

The “suricata-update” command tells me:

# suricata-update 
12/10/2020 -- 09:02:12 - <Info> -- Using data-directory /var/lib/suricata.
12/10/2020 -- 09:02:12 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
12/10/2020 -- 09:02:12 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
12/10/2020 -- 09:02:12 - <Info> -- Found Suricata version 5.0.3 at /sbin/suricata.
12/10/2020 -- 09:02:12 - <Info> -- Loading /etc/suricata/drop.conf.
12/10/2020 -- 09:02:12 - <Info> -- Loading /etc/suricata/suricata.yaml
12/10/2020 -- 09:02:12 - <Info> -- Disabling rules for protocol modbus
12/10/2020 -- 09:02:12 - <Info> -- Disabling rules for protocol dnp3
12/10/2020 -- 09:02:12 - <Info> -- Disabling rules for protocol enip
12/10/2020 -- 09:02:12 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.md5.
12/10/2020 -- 09:02:13 - <Info> -- Remote checksum has not changed. Not fetching.
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
12/10/2020 -- 09:02:14 - <Info> -- Ignoring file rules/emerging-deleted.rules
12/10/2020 -- 09:02:16 - <Info> -- Loaded 28054 rules.
12/10/2020 -- 09:02:20 - <Info> -- Disabled 14 rules.
12/10/2020 -- 09:02:20 - <Info> -- Enabled 0 rules.
12/10/2020 -- 09:02:20 - <Info> -- Modified 0 rules.
12/10/2020 -- 09:02:20 - <Info> -- Dropped 6847 rules.
12/10/2020 -- 09:02:21 - <Info> -- Enabled 145 rules for flowbit dependencies.
12/10/2020 -- 09:02:21 - <Info> -- Backing up current rules.
12/10/2020 -- 09:02:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28054; enabled: 21073; added: 0; removed 0; modified: 0
12/10/2020 -- 09:02:24 - <Info> -- No changes detected, exiting.

How can I be sure the drop rules are working properly, and if any attack happens and Suricata-IDS blocks it, where is the log?
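
The two questions asked above (how to be sure the drop rules are working, and where the log is) can be answered from files Suricata already writes. As an added example that is not part of the thread and not Suricata's own tooling, the script below reads a suricata.rules file to learn which SIDs are drop rules, reads eve.json to see which alerts carried `"action":"blocked"` (inline NFQ mode records that per alert record, `"allowed"` otherwise), and reports any drop rule that fired without blocking. The rule excerpt, the eve.json lines, and SIDs 9000001 and 9000002 are constructed for the example.

```python
"""Cross-check drop rules in suricata.rules against alert actions in eve.json.

Added example, not Suricata's own tooling.  Assumes Suricata runs inline (NFQ),
so each eve.json alert record has alert.action == "blocked" when the packet was
dropped and "allowed" when it was let through.  Sample input is constructed.
"""
import json
import re
from collections import Counter

# Constructed excerpt of /var/lib/suricata/rules/suricata.rules after
# suricata-update converted two rules; SIDs 9000001/9000002 are illustrative.
SAMPLE_RULES = """\
alert tcp [95.217.164.106,95.217.164.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; classtype:misc-attack; sid:2522839; rev:4210;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example beacon"; classtype:trojan-activity; sid:9000001; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET DOS Example DNS flood"; classtype:attempted-dos; sid:9000002; rev:1;)
"""

# Constructed eve.json lines, one JSON object per line as Suricata writes them.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2020-10-12T09:10:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"ET MALWARE Example beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2020-10-12T09:10:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP"}',
    '{"timestamp":"2020-10-12T09:10:03.000000+0000","event_type":"alert","src_ip":"95.217.164.106","dest_ip":"10.0.0.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522839,"rev":4210,"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840","category":"Misc Attack","severity":2}}',
    '{"timestamp":"2020-10-12T09:10:04.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.53","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"ET DOS Example DNS flood","category":"Attempted Denial of Service","severity":2}}',
])


def rule_actions(rules_text):
    """Map SID -> rule action ("alert", "drop", ...) for every enabled rule."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment or disabled rule
        action = line.split(None, 1)[0]
        m = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if m:
            actions[int(m.group(1))] = action
    return actions


def alert_actions(eve_text):
    """Count eve alert records per (sid, action); other event types are skipped."""
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        counts[(a["signature_id"], a["action"])] += 1
    return counts


def verify_drops(rules_text, eve_text):
    """SIDs of drop rules that fired but did not block (empty list is good).

    A non-empty list means the rule says drop but the packet went through:
    typically the engine has not loaded the rule file suricata-update just
    wrote, or Suricata is not running inline.
    """
    actions = rule_actions(rules_text)
    leaks = set()
    for (sid, action) in alert_actions(eve_text):
        if actions.get(sid) == "drop" and action != "blocked":
            leaks.add(sid)
    return sorted(leaks)


if __name__ == "__main__":
    print("rules by action:", dict(Counter(rule_actions(SAMPLE_RULES).values())))
    for (sid, action), n in sorted(alert_actions(SAMPLE_EVE).items()):
        print("sid %d %-7s x%d" % (sid, action, n))
    print("drop rules that did not block:", verify_drops(SAMPLE_RULES, SAMPLE_EVE))
```

In the sample, SID 9000002 is a drop rule that fired with action "allowed"; that is the case to look for, since it means the rules the engine loaded are not the ones suricata-update wrote (reload or restart after each update) or Suricata is not inline. For real traffic, point `rule_actions` at /var/lib/suricata/rules/suricata.rules and `alert_actions` at eve.json; the per-alert "blocked" entries there, together with the `Verdict: Accepted ... Dropped ...` line the engine prints on shutdown (visible in the log posted earlier in the thread), are where blocked attacks show up.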