Error when running suricata-update for the first time

I’ve done a fresh install of Suricata. I was able to add sources, and then I ran suricata-update and got this output:

suricata-update
14/5/2022 -- 20:17:57 - <Info> -- Using data-directory /var/lib/suricata.
14/5/2022 -- 20:17:57 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
14/5/2022 -- 20:17:57 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
14/5/2022 -- 20:17:57 - <Info> -- Found Suricata version 6.0.5 at /usr/bin/suricata.
14/5/2022 -- 20:17:57 - <Info> -- Loading /etc/suricata/suricata.yaml
14/5/2022 -- 20:17:57 - <Info> -- Disabling rules for protocol http2
14/5/2022 -- 20:17:57 - <Info> -- Disabling rules for protocol modbus
14/5/2022 -- 20:17:57 - <Info> -- Disabling rules for protocol dnp3
14/5/2022 -- 20:17:57 - <Info> -- Disabling rules for protocol enip
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://security.etnetera.cz/feeds/etn_aggressive.rules.
14/5/2022 -- 20:17:57 - <Info> -- Last download less than 15 minutes ago. Not downloading https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
14/5/2022 -- 20:17:57 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
14/5/2022 -- 20:17:58 - <Info> -- Ignoring file rules/emerging-deleted.rules
14/5/2022 -- 20:18:00 - <Info> -- Loaded 39573 rules.
14/5/2022 -- 20:18:01 - <Info> -- Disabled 14 rules.
14/5/2022 -- 20:18:01 - <Info> -- Enabled 0 rules.
14/5/2022 -- 20:18:01 - <Info> -- Modified 0 rules.
14/5/2022 -- 20:18:01 - <Info> -- Dropped 0 rules.
14/5/2022 -- 20:18:01 - <Info> -- Enabled 131 rules for flowbit dependencies.
14/5/2022 -- 20:18:01 - <Info> -- Backing up current rules.
14/5/2022 -- 20:18:04 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 39235; enabled: 31772; added: 5855; removed 2; modified: 1250
14/5/2022 -- 20:18:04 - <Info> -- Writing /var/lib/suricata/rules/classification.config
14/5/2022 -- 20:18:04 - <Info> -- Testing with suricata -T.
14/5/2022 -- 20:18:04 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
14/5/2022 -- 20:18:04 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
14/5/2022 -- 20:18:04 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
14/5/2022 -- 20:18:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
14/5/2022 -- 20:18:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)" from file /var/lib/suricata/rules/suricata.rules at line 3804
14/5/2022 -- 20:18:10 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
14/5/2022 -- 20:18:10 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /var/lib/suricata/rules/suricata.rules at line 23612
14/5/2022 -- 20:18:10 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
14/5/2022 -- 20:18:10 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /var/lib/suricata/rules/suricata.rules at line 23613
14/5/2022 -- 20:18:14 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
14/5/2022 -- 20:18:14 - <Error> -- Suricata test failed, aborting.
14/5/2022 -- 20:18:14 - <Error> -- Restoring previous rules.

I’m on Debian Bookworm with Kernel 5.17.0-1-rt-amd64
Neofetch says I have this:

$ neofetch
       _,met$$$$$gg.          tmick@DebianTim 
    ,g$$$$$$$$$$$$$$$P.       --------------- 
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux bookworm/sid x86_64 
 ,$$P'              `$$$.     Host: MS-7721 9.0 
',$$P       ,ggs.     `$$b:   Kernel: 5.17.0-1-rt-amd64 
`d$$'     ,$P"'   .    $$$    Uptime: 53 mins 
 $$P      d$'     ,    $$P    Packages: 5101 (dpkg) 
 $$:      $$.   -    ,d$$'    Shell: bash 5.1.16 
 $$;      Y$b._   _,d$P'      Resolution: 1366x768 
 Y$$.    `.`"Y$$$$P"'         DE: GNOME 42.0 
 `$$b      "-.__              WM: Mutter 
  `Y$$                        WM Theme: Adwaita 
   `Y$$.                      Theme: Adwaita [GTK2/3] 
     `$$b.                    Icons: Adwaita [GTK2/3] 
       `Y$$b.                 Terminal: kgx 
          `"Y$b._             CPU: AMD A6-7400K Radeon R5 2C+4G (2) @ 4.092GHz 
              `"""            GPU: AMD ATI Radeon R5 Graphics 
                              Memory: 2759MiB / 6972MiB 

I could use some advice on how to fix the output of the update command.
Thanks in advance.

Can you post your corresponding config files for suricata and suricata-update?

Here’s the YAML file
suricata.yaml (71.6 KB)
Here’s the update file I hope you’re asking for:

# This is a version 1 formatted index.
version: 1

sources:

  et/open:
    summary: Emerging Threats Open Ruleset
    description: |
      Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: MIT
    url: https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz

  et/pro:
    summary: Emerging Threats Pro Ruleset
    description: |
      Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats
    vendor: Proofpoint
    license: Commercial
    url: https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz
    subscribe-url: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
    parameters:
      secret-code:
        prompt: Emerging Threats Pro access code
    replaces:
      - et/open
    checksum: false

  oisf/trafficid:
    summary: Suricata Traffic ID ruleset
    vendor: OISF
    license: MIT
    url: https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
    support-url: https://redmine.openinfosecfoundation.org/
    min-version: 4.0.0
    checksum: false

  ptresearch/attackdetection:
    summary: Positive Technologies Attack Detection Team ruleset
    description: |
      The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers' TTPs, so we develop Suricata rules for detecting all sorts of such activities.
    vendor: Positive Technologies
    license: Custom
    license-url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE
    url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
    obsolete: no longer exists

  scwx/enhanced:
    summary: Secureworks suricata-enhanced ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.  This ruleset has been enhanced with comprehensive and fully standard-compliant BETTER metadata (https://better-schema.readthedocs.io/).
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  scwx/malware:
    summary: Secureworks suricata-malware ruleset
    description: |
      High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  scwx/security:
    summary: Secureworks suricata-security ruleset
    description: |
      Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team.
    vendor: Secureworks
    license: Commercial
    url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz
    parameters:
      secret-code:
        prompt: Secureworks Threat Intelligence Authentication Token
    subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    min-version: 3.0.0

  sslbl/ssl-fp-blacklist:
    summary: Abuse.ch SSL Blacklist
    description: |
      The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer.
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
    checksum: false

  sslbl/ja3-fingerprints:
    summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
    description: |
      If you are running Suricata, you can use the SSLBL's Suricata JA3 FingerprintRuleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset.
    vendor: Abuse.ch
    license: Non-Commercial
    url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules
    min-version: 4.1.0
    checksum: false

  etnetera/aggressive:
    summary: Etnetera aggressive IP blacklist
    vendor: Etnetera a.s.
    license: MIT
    url: https://security.etnetera.cz/feeds/etn_aggressive.rules
    min-version: 4.0.0
    checksum: false

  tgreen/hunting:
    summary: Threat hunting rules
    description: |
      Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance.
    vendor: tgreen
    license: GPLv3
    url: https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
    min-version: 4.1.0
    checksum: false

  malsilo/win-malware:
    summary: Commodity malware rules
    description: |
      TCP/UDP, DNS and HTTP Windows threats artifacts observed at runtime.
    vendor: malsilo
    license: MIT
    url: https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz
    min-version: 4.1.0
    homepage: https://raw-data.gitlab.io/post/malsilo_2.1/
    checksum: true

versions:
  suricata:
    recommended: 6.0.5
    "6.0": 6.0.5
    "5.0": 5.0.9

If you look in your suricata.yaml you will see:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[192.168.0.0/16]"
    HOME_NET: "[10.0.0.0/8]"
    HOME_NET: "[172.16.0.0/12]"
    HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    EXTERNAL_NET: "any"

You only want one HOME_NET and one EXTERNAL_NET configured. What’s happening here is that HOME_NET is any, as is EXTERNAL_NET.

I recommend reverting back to the default as below and trying again:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

Okay, I reverted back to the default in that section and I still received these errors:

<Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
17/5/2022 -- 12:54:32 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
17/5/2022 -- 12:54:32 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.

I searched for the protocols it was complaining about, un-commented the ones I don’t use (SIP, RDP, MQTT), set them to enabled = no, and the errors are gone.
Thanks for steering me in the right direction. When does version 7 come out, so I know what to watch for?

Hey Tim, I got the same error as you. Do you mind explaining how you fixed the error in more detail? Thanks

I can try. In the configuration YAML file (/etc/suricata/suricata.yaml), I searched for the protocols that were in the error. I would use either vi or nano to open it, btw.
For the ones that were commented out (had a # sign in front of them), I removed it and changed ‘yes’ to ‘no’. So, for example, I would change ‘# RDP=yes’ to ‘RDP=no’, and repeat for all the ones in the error.
Hope that makes sense.


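Both fixes in this thread come down to reading suricata.yaml the way Suricata’s YAML loader does, so here is an added example (written for this page, not part of the thread and not Suricata’s own tooling) that checks a config for the two problems discussed above. The script scans the `vars.address-groups` block for duplicate keys, which a normal last-wins YAML loader silently collapses: with the block the helper quoted, HOME_NET ends up as `any`, so `!$HOME_NET` and `![$SMTP_SERVERS,$DNS_SERVERS]` (both of those default to `$HOME_NET` in suricata.yaml) negate the whole IP space, which is exactly the “Complete IP space negated” error in the log. It also lists every `app-layer.protocols` entry with no explicit `enabled:` key, which is what the `SC_ERR_CONF_YAML_ERROR(242)` warnings for sip, mqtt and rdp are about. The sample config embedded in the script is constructed: the vars block as quoted in the thread, plus an app-layer block in the shape of the Suricata 6 default (`rdp:` with `#enabled: yes` commented out beneath it). The parser is a deliberately small stdlib-only scanner for the block-mapping subset those two sections use; it does not handle block sequences, anchors or multi-line scalars.

```python
"""Lint the two suricata.yaml sections this thread trips over.

Added example (stdlib only): a small block-mapping scanner that keeps
duplicate keys instead of silently collapsing them, so it can show what a
normal last-wins YAML loader hands Suricata, and which app-layer protocols
carry no explicit `enabled:` setting.
"""
import re
import sys
from collections import defaultdict

# Constructed sample, not a real config: the vars block as the helper quoted
# it from the poster's suricata.yaml, plus an app-layer block in the shape of
# the Suricata 6 default, where rdp/mqtt/sip have `enabled` commented out.
SAMPLE_YAML = """\
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[192.168.0.0/16]"
    HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    EXTERNAL_NET: "any"

app-layer:
  protocols:
    rdp:
      #enabled: yes
    mqtt:
      # enabled: no
    sip:
      #enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
"""

# `key: value` on one line; the key runs up to the first colon.
KEY_RE = re.compile(r'^(\s*)([^\s#-][^:]*):\s*(.*?)\s*$')


def parse_block_mapping(text):
    """Return [(path, value)] for every `key: value` line, nested by indent.

    Handles only the block-mapping subset of YAML that vars/app-layer use
    (no block sequences, anchors or multi-line scalars); comments and blank
    lines are skipped. Duplicate keys are kept, which is the whole point.
    """
    entries = []
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]          # drop surrounding quotes
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # left the previous mapping
        path = tuple(k for _, k in stack) + (key,)
        entries.append((path, value or None))
        stack.append((indent, key))
    return entries


def duplicate_keys(entries):
    """{path: [values]} for keys that occur more than once in one mapping."""
    seen = defaultdict(list)
    for path, value in entries:
        seen[path].append(value)
    return {p: v for p, v in seen.items() if len(v) > 1}


def effective_address_groups(entries):
    """vars.address-groups as a last-wins loader (what Suricata uses) sees it."""
    return {p[2]: v for p, v in entries
            if len(p) == 3 and p[:2] == ('vars', 'address-groups')}


def protocols_without_enabled(entries):
    """app-layer.protocols entries with no explicit `enabled:` child."""
    base = ('app-layer', 'protocols')
    protos = [p[2] for p, _ in entries if len(p) == 3 and p[:2] == base]
    explicit = {p[2] for p, _ in entries
                if len(p) == 4 and p[:2] == base and p[3] == 'enabled'}
    return [p for p in protos if p not in explicit]


def lint(text):
    """Run all three checks and return one report dict."""
    entries = parse_block_mapping(text)
    return {
        'duplicates': duplicate_keys(entries),
        'address_groups': effective_address_groups(entries),
        'protocols_without_enabled': protocols_without_enabled(entries),
    }


if __name__ == '__main__':
    # Pass a real suricata.yaml path to lint it; otherwise lint the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAML
    report = lint(source)
    for path, values in report['duplicates'].items():
        print(f"duplicate key {'.'.join(path)}: {values} (last one wins)")
    print('effective address-groups:', report['address_groups'])
    for proto in report['protocols_without_enabled']:
        print(f'app-layer.protocols.{proto}: set enabled: yes|no explicitly')
```

Run it as `python3 lint_suricata_yaml.py /etc/suricata/suricata.yaml` (the file name is mine) before `suricata-update`, or after editing the file and before `suricata -T`. On the sample it reports three HOME_NET and two EXTERNAL_NET definitions, an effective HOME_NET and EXTERNAL_NET of `any`, and rdp, mqtt and sip without an `enabled:` setting; once the extra lines are commented out and each protocol gets an explicit `enabled: yes` or `enabled: no`, it reports nothing.
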
It was funny that the current version generates an invalid configuration file and then complains about itself for an invalid file. Can they upgrade that configuration file automatically during installation?

For example, do we have to manually correct the configuration file if it knows from the beginning the config has issue?