Error when running update suricata rule script

Hi Team,

When I run the updatesuricata.sh script, I get the following error. I need your expertise to troubleshoot and fix it.
25/3/2025 – 06:18:08 - – [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http.response_header'.
25/3/2025 – 06:18:08 - – [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> any any (msg:"TGI HUNT Malicious Chunk-Proxy Webshell Artifacts in HTTP Response"; flow:established,to_client; http.response_header; content:"status|3a 20|"; pcre:"/^(?:close|successfully)/R"; threshold:type limit, track by_src, seconds 60, count 1; reference:url,TGI HUNT Ruleset Update; classtype:bad-unknown; sid:2610869; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 779
25/3/2025 – 06:18:10 - – [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

What version of Suricata are you running? http.response_header is a valid keyword.

I validated that rule is fine using Suricata 7 and our Suricata 8 preview.

I am using Suricata 6.0.12. When I run the updatesuricata script, it's trying to update this rule from external threat feeds and failing with this error.

The error seems legit. http.response_header was added in 7.
Please note that Suricata 6 is EOL.
It is recommended to upgrade to the latest stable Suricata 7.0.10.

it's trying to update this rule from external threat feeds and failing with this error.

You should try to get version-specific rules or modify them as per the supported features in a specific version. However, we won’t be able to provide support for EOL versions of Suricata.

Are there any workarounds available to address this issue in Suricata 6? As our critical systems rely on it, we urgently need a temporary solution while working on upgrading to Suricata 7.0.x.

Since Suricata 6 is EOL it also does not receive any security updates anymore, so for a critical system it is even more important to be at a supported version ASAP.

Shivani mentioned a potential way to solve this: you need to fetch the rules for the old version or modify those rules. But not all providers for signatures will support EOL versions as well.

The best workaround in this case is to disable the rulesets causing the issues, as they are most likely written for a newer version of Suricata.

Or if your script allows, just disable the signature IDs that are failing to load.
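The last suggestion above (disabling only the signature IDs that fail to load), sketched as an added example that is not part of the thread: it pulls the failing SIDs out of Suricata's error output and builds the lines for a disable list. It assumes the error format quoted above and a rule-update tool that reads one SID per line with `#` comment lines (as suricata-update's disable.conf does); the sample log and the second rule are constructed.

```python
import re

# Constructed sample in the error format quoted in the thread.
SAMPLE_LOG = '''\
25/3/2025 -- 06:18:08 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http.response_header'.
25/3/2025 -- 06:18:08 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> any any (msg:"Constructed example"; flow:established,to_client; http.response_header; content:"status|3a 20|"; sid:2610869; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 779
25/3/2025 -- 06:18:09 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"Constructed rule, no keyword error"; sid:9000001; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 801
25/3/2025 -- 06:18:10 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
'''

# Accept straight or typographic quotes around the keyword name.
UNKNOWN_KW = re.compile(r"SC_ERR_RULE_KEYWORD_UNKNOWN\(\d+\)\] - unknown rule keyword ['‘](?P<kw>[^'’]+)['’]")
INVALID_SIG = re.compile(r"SC_ERR_INVALID_SIGNATURE\(\d+\)\] - error parsing signature")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def failing_sids(log_text):
    """Return {sid: reason} for every signature Suricata refused to load."""
    failures = {}
    last_keyword = None  # keyword named by the error line just before the rule
    for line in log_text.splitlines():
        kw = UNKNOWN_KW.search(line)
        if kw:
            last_keyword = kw.group("kw")
            continue
        if INVALID_SIG.search(line):
            sids = SID.findall(line)
            if sids:  # the sid option sits near the end of the rule
                reason = f"unknown keyword {last_keyword}" if last_keyword else "parse error"
                failures.setdefault(int(sids[-1]), reason)
            last_keyword = None
    return failures


def disable_conf(failures):
    """Render the failures as disable-list text: a comment line, then the SID."""
    lines = ["# Signatures the installed Suricata could not parse"]
    for sid, reason in sorted(failures.items()):
        lines += [f"# {reason}", str(sid)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(disable_conf(failing_sids(SAMPLE_LOG)), end="")
```

Review the generated list before applying it, since every disabled SID is detection coverage lost until the sensor is upgraded.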