How to exclude a rule from Suricata?

Dear Users,

I’m a newbie and I’m trying to start using Suricata. The basic Suricata configuration is almost done and it is working as expected. Anyway, I detected a lot of messages of this kind in Suricata's fast.log:

06/04/2021-19:25:03.460582  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.533901  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.533931  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.534132  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.534163  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485194  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485294  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485702  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485730  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP}

How can I exclude this rule in order to avoid these messages?
I tried to use /etc/suricata/disable.conf, but it had no effect… (also after running suricata-update and restarting the suricata service).

Thank you in advance,
Mauro
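As an added example (my code, not part of the original post or of the Suricata project), here is a small Python script that parses fast.log lines like the ones above, tallies alerts per SID and per source address, and renders disable.conf entries for the rules that fire most. The log lines embedded in it are constructed for the example (RFC 5737 addresses); their layout follows the fast.log format, including the `[**]` markers and the trailing `src -> dst` pair that the pasted lines above are missing.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One fast.log record per line:
#   MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: text] [Priority: n] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}"
    r"(?:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$"
)


@dataclass
class RuleStats:
    msg: str
    count: int = 0
    sources: Set[str] = field(default_factory=set)


def parse_fast_log_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one fast.log line into its fields; None for lines that are not alert records."""
    m = FAST_LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def tally(lines: Iterable[str]) -> Dict[Tuple[int, int], RuleStats]:
    """Per (gid, sid): the rule msg, the hit count and the set of source IPs seen."""
    stats: Dict[Tuple[int, int], RuleStats] = {}
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:
            continue  # skip anything that is not a well-formed alert line
        key = (int(rec["gid"]), int(rec["sid"]))
        entry = stats.setdefault(key, RuleStats(msg=rec["msg"] or ""))
        entry.count += 1
        if rec["src"]:
            # "addr:port" split assumes IPv4; fast.log's IPv6 form is not handled here
            entry.sources.add(rec["src"].rsplit(":", 1)[0])
    return stats


def disable_conf_entries(stats: Dict[Tuple[int, int], RuleStats], min_hits: int) -> List[str]:
    """Render disable.conf lines (a comment, then gid:sid) for rules that fired at
    least min_hits times, loudest first. Review the sources before applying them."""
    out: List[str] = []
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1].count, kv[0]))
    for (gid, sid), s in ranked:
        if s.count >= min_hits:
            out.append(f"# {s.msg} ({s.count} hits from {len(s.sources)} source(s))")
            out.append(f"{gid}:{sid}")
    return out


# Constructed sample fast.log excerpt: the SNMP rule id/msg mirror the thread, addresses are RFC 5737
# documentation ranges, sid 9000001 is a made-up local rule, and the last line is deliberate noise.
SAMPLE_FAST_LOG = """\
06/04/2021-19:25:03.460582  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:55001 -> 192.0.2.1:161
06/04/2021-19:25:12.533901  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:55002 -> 192.0.2.2:161
06/04/2021-19:25:12.533931  [**] [1:2101411:13] GPL SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:40000 -> 192.0.2.2:161
06/04/2021-19:25:13.485194  [**] [1:9000001:1] TEST constructed alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40001 -> 192.0.2.5:22
this line is not a fast.log record and must be skipped
"""

if __name__ == "__main__":
    stats = tally(SAMPLE_FAST_LOG.splitlines())
    for (gid, sid), s in stats.items():
        print(f"{gid}:{sid}  {s.count:>4}  {s.msg}  sources={sorted(s.sources)}")
    print("\n".join(disable_conf_entries(stats, min_hits=3)))
```

Before turning a rule off globally, look at the source column the script prints: if the SNMP `public` probes all come from your own monitoring host, a `suppress gen_id 1, sig_id 2101411, track by_src, ip <monitor-ip>` entry in threshold.config silences only that host and keeps the rule live for everyone else; if they come from outside, the alert is doing its job and disabling it hides a finding.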

Here are some things to check:

  • When you run Suricata-Update, check where it's writing the rules to; you should see something like: 4/6/2021 -- 11:59:59 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30414; enabled: 22945; added: 165; removed 26; modified: 1244
  • In your suricata.yaml verify that your default-rule-path and rule-files are configured to load these files.

These should be the defaults if you installed Suricata from source or with the RPM. If you installed Suricata another way, could you please describe how?

Hi Jason,
thank you for your reply.
This is the output of suricata-update:

sudo suricata-update
4/6/2021 -- 20:09:03 - <Info> -- Using data-directory /var/lib/suricata.
4/6/2021 -- 20:09:03 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
4/6/2021 -- 20:09:03 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
4/6/2021 -- 20:09:03 - <Info> -- Found Suricata version 6.0.2 at /usr/bin/suricata.
4/6/2021 -- 20:09:03 - <Info> -- Loading /etc/suricata/suricata.yaml
4/6/2021 -- 20:09:03 - <Info> -- Fetching https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
 100% - 9855/9855
4/6/2021 -- 20:09:03 - <Info> -- Done.
4/6/2021 -- 20:09:03 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-6.0.2/emerging.rules.tar.gz.md5.
4/6/2021 -- 20:09:04 - <Info> -- Remote checksum has not changed. Not fetching.
4/6/2021 -- 20:09:04 - <Info> -- Ignoring file rules/emerging-deleted.rules
4/6/2021 -- 20:09:07 - <Info> -- Loaded 29818 rules.
4/6/2021 -- 20:09:07 - <Info> -- Disabled 0 rules.
4/6/2021 -- 20:09:07 - <Info> -- Enabled 0 rules.
4/6/2021 -- 20:09:07 - <Info> -- Modified 0 rules.
4/6/2021 -- 20:09:07 - <Info> -- Dropped 0 rules.
4/6/2021 -- 20:09:07 - <Info> -- Enabled 147 rules for flowbit dependencies.
4/6/2021 -- 20:09:07 - <Info> -- Backing up current rules.
4/6/2021 -- 20:09:11 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 29818; enabled: 22431; added: 0; removed 0; modified: 0
4/6/2021 -- 20:09:11 - <Info> -- Writing /var/lib/suricata/rules/classification.config
4/6/2021 -- 20:09:11 - <Info> -- No changes detected, exiting.

And here you can find the info about default-rule-path and rule-files:

default-rule-path: /etc/suricata/rules/
rule-files:
  #Malware/trojan oriented rules
  - emerging-trojan.rules
  - emerging-malware.rules
  - emerging-mobile_malware.rules
  - emerging-worm.rules
  - emerging-user_agents.rules
  - emerging-current_events.rules
  #important but relatively low load rules you'll likely want to keep on
  - emerging-ftp.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-attack_response.rules
  #- emerging-icmp.rules
  - emerging-scan.rules
  - emerging-voip.rules
  - emerging-imap.rules
  - emerging-web_server.rules
  - emerging-smtp.rules
  - emerging-dns.rules
  - emerging-misc.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-dos.rules
  - emerging-telnet.rules
  - emerging-exploit.rules
  - emerging-tftp.rules
  #useful but often high load rules. Look here for performance tuning
  - emerging-web_client.rules
  - emerging-netbios.rules
  #things you'll want to look through and consider policy needs
  - emerging-policy.rules
  #- emerging-games.rules
  - emerging-p2p.rules
  - emerging-chat.rules
  #informational, not recommended for high speed nets
  #- emerging-icmp_info.rules
  #- emerging-info.rules
  #- emerging-shellcode.rules
  #- emerging-inappropriate.rules
  #- emerging-web_specific_apps.rules
  #- emerging-activex.rules
  #ip based rules
  - botcc.rules
  #- botcc.portgrouped.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - tor.rules
  #only use the scada_special if you have the scada extensions compiled in
  #- emerging-scada_special.rules
  #- emerging-scada.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

I’m a little bit confused about which path is the right one to consider. I see a mix of /etc/suricata/… and /var/lib/suricata paths. Also, the classification.config path is different in suricata.yaml and in the suricata-update output.

Could you please help me fix the problem? (I installed Suricata using YUM.)
Thank you in advance.
Mauro

In addition, please note that in /etc/suricata/rules I can find all the rule files mentioned in the yaml file.
I followed this tech note in order to integrate Suricata with Wazuh:

That tech note is quite out of date. It looks like you found our repos for Suricata 6 instead of using the repo listed there, which is good, but the suricata.yaml there is probably out of date as well. At the very least you’ll need to update the default-rule-path and rule-files sections in /etc/suricata/suricata.yaml, if you wish to use Suricata-Update, to look something like this:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Many thanks for your help.
I just reinstalled Suricata from source: Ubuntu Installation - Suricata - Open Information Security Foundation

So the suricata.yaml file is up to date and the disable.conf file works as expected!

In addition, following the instructions contained here (ET OPEN Ruleset Download Instructions), I added the emerging rules to the /usr/share/suricata/rules folder and I executed suricata-update.

But I noticed that these added rules are not mentioned (loaded) in the suricata-update output. Is that normal?

root@localhost:/usr/share/suricata/rules# ls
3coresec.rules emerging-activex.rules emerging-icmp.rules emerging-scan.rules http-events.rules
app-layer-events.rules emerging-adware_pup.rules emerging-imap.rules emerging-shellcode.rules ipsec-events.rules
botcc.portgrouped.rules emerging-attack_response.rules emerging-inappropriate.rules emerging-smtp.rules kerberos-events.rules
botcc.rules emerging-chat.rules emerging-info.rules emerging-snmp.rules LICENSE
BSD-License.txt emerging-coinminer.rules emerging-ja3.rules emerging-sql.rules modbus-events.rules
ciarmy.rules emerging-current_events.rules emerging-malware.rules emerging-telnet.rules nfs-events.rules
classification.config emerging-deleted.rules emerging-misc.rules emerging-tftp.rules ntp-events.rules
compromised-ips.txt emerging-dns.rules emerging-mobile_malware.rules emerging-user_agents.rules sid-msg.map
compromised.rules emerging-dos.rules emerging-netbios.rules emerging-voip.rules smb-events.rules
decoder-events.rules emerging-exploit_kit.rules emerging-p2p.rules emerging-web_client.rules smtp-events.rules
dhcp-events.rules emerging-exploit.rules emerging-phishing.rules emerging-web_server.rules stream-events.rules
dnp3-events.rules emerging-ftp.rules emerging-policy.rules emerging-web_specific_apps.rules suricata-5.0-enhanced-open.txt
dns-events.rules emerging-games.rules emerging-pop3.rules emerging-worm.rules tls-events.rules
drop.rules emerging-hunting.rules emerging-rpc.rules files.rules tor.rules
dshield.rules emerging-icmp_info.rules emerging-scada.rules gpl-2.0.txt
root@localhost:/usr/share/suricata/rules# suricata-update
5/6/2021 -- 00:20:31 - <Info> -- Using data-directory /var/lib/suricata.
5/6/2021 -- 00:20:31 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
5/6/2021 -- 00:20:31 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
5/6/2021 -- 00:20:31 - <Info> -- Found Suricata version 6.0.2 at /usr/bin/suricata.
5/6/2021 -- 00:20:31 - <Info> -- Loading /etc/suricata/disable.conf.
5/6/2021 -- 00:20:31 - <Info> -- Loading /etc/suricata/suricata.yaml
5/6/2021 -- 00:20:31 - <Info> -- Disabling rules for protocol http2
5/6/2021 -- 00:20:31 - <Info> -- Disabling rules for protocol modbus
5/6/2021 -- 00:20:31 - <Info> -- Disabling rules for protocol dnp3
5/6/2021 -- 00:20:31 - <Info> -- Disabling rules for protocol enip
5/6/2021 -- 00:20:31 - <Info> -- No sources configured, will use Emerging Threats Open
5/6/2021 -- 00:20:31 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-6.0.2/emerging.rules.tar.gz.md5.
5/6/2021 -- 00:20:31 - <Info> -- Remote checksum has not changed. Not fetching.
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
5/6/2021 -- 00:20:31 - <Info> -- Ignoring file rules/emerging-deleted.rules
5/6/2021 -- 00:20:34 - <Info> -- Loaded 30155 rules.
5/6/2021 -- 00:20:35 - <Info> -- Disabling ja3 rules as Suricata is built without libnss.
5/6/2021 -- 00:20:35 - <Info> -- 130 ja3_hash rules disabled.
5/6/2021 -- 00:20:35 - <Info> -- Disabled 206 rules.
5/6/2021 -- 00:20:35 - <Info> -- Enabled 0 rules.
5/6/2021 -- 00:20:35 - <Info> -- Modified 0 rules.
5/6/2021 -- 00:20:35 - <Info> -- Dropped 0 rules.
5/6/2021 -- 00:20:35 - <Info> -- Enabled 147 rules for flowbit dependencies.
5/6/2021 -- 00:20:35 - <Info> -- Backing up current rules.
5/6/2021 -- 00:20:39 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30155; enabled: 22522; added: 0; removed 0; modified: 0
5/6/2021 -- 00:20:39 - <Info> -- Writing /var/lib/suricata/rules/classification.config
5/6/2021 -- 00:20:39 - <Info> -- No changes detected, exiting.

Thank you for the time you spent helping me.
Mauro

After a default install of Suricata, ET/Open rules are enabled by default. You should not download them to /usr/share/…

Instead just run suricata-update, by default it will download the ET/Open rules and output them to /var/lib/suricata/rules/suricata.rules applying any changes you may have configured in /etc/suricata/disable.conf, /etc/suricata/enable.conf, etc.

I’d ignore other guides and stick to our official documentation if possible:
https://suricata.readthedocs.io/en/suricata-6.0.2/quickstart.html#

Hope that helps.

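To make the answer above concrete, here is an added Python example (my code, not suricata-update's own implementation) that emulates what suricata-update does with /etc/suricata/disable.conf: it reads the three common entry forms (a SID with an optional gid: prefix, re: for a case-insensitive regex over the rule text, group: for a glob on the rule file name), writes matched rules out commented with a leading `# `, and then checks the merged output for a given SID the way you would grep /var/lib/suricata/rules/suricata.rules after a real run. The rule lines and the disable.conf text are constructed for the example: the SNMP rule carries only the msg and sid/rev seen in the fast.log above, not the real rule's body, and the other SIDs are made up. metadata: filters, enable.conf and modify.conf are not emulated.

```python
import fnmatch
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A matcher takes (rule_text, source_filename) and says whether disable.conf selects the rule.
Matcher = Callable[[str, str], bool]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rule_ids(rule: str) -> Optional[Tuple[int, int]]:
    """Return (gid, sid) of a rule line, gid defaulting to 1; None if the line has no sid."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_disable_conf(text: str) -> List[Matcher]:
    """Build matchers from disable.conf entries: SID, gid:SID, re:<regex>, group:<glob>."""
    matchers: List[Matcher] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("re:"):
            pat = re.compile(line[3:].strip(), re.IGNORECASE)
            matchers.append(lambda rule, fn, pat=pat: bool(pat.search(rule)))
        elif line.startswith("group:"):
            glob = line[len("group:"):].strip()

            def by_group(rule: str, fn: str, glob: str = glob) -> bool:
                base = os.path.basename(fn)
                # accept "emerging-scan.rules" as well as "emerging-scan"
                return fnmatch.fnmatch(base, glob) or fnmatch.fnmatch(os.path.splitext(base)[0], glob)

            matchers.append(by_group)
        elif re.fullmatch(r"(?:\d+:)?\d+", line):
            gid, _, sid = line.rpartition(":")
            want = (int(gid) if gid else 1, int(sid))
            matchers.append(lambda rule, fn, want=want: rule_ids(rule) == want)
        else:
            raise ValueError(f"unsupported disable.conf entry: {raw!r}")
    return matchers


def apply_disable(rules_by_file: Dict[str, Iterable[str]], disable_conf: str) -> List[str]:
    """Merge rule files into one list, commenting out rules selected by disable_conf.
    Rules the vendor ships already commented out stay that way (enable.conf is not emulated)."""
    matchers = parse_disable_conf(disable_conf)
    merged: List[str] = []
    for filename, lines in rules_by_file.items():
        for line in lines:
            rule = line.strip()
            if not rule:
                continue
            if not rule.startswith("#") and any(m(rule, filename) for m in matchers):
                rule = "# " + rule
            merged.append(rule)
    return merged


def is_sid_disabled(rules_text: str, sid: int, gid: int = 1) -> Optional[bool]:
    """Inspect a written rule set: True if the rule is present but commented out,
    False if it is active, None if no rule with that gid:sid exists at all."""
    for line in rules_text.splitlines():
        if rule_ids(line) == (gid, sid):
            return line.lstrip().startswith("#")
    return None


def summarize(rules: List[str]) -> Dict[str, int]:
    """Counts in the shape of suricata-update's 'total/enabled' summary line."""
    with_sid = [r for r in rules if rule_ids(r)]
    disabled = sum(1 for r in with_sid if r.lstrip().startswith("#"))
    return {"total": len(with_sid), "enabled": len(with_sid) - disabled, "disabled": disabled}


# Constructed rule set: bodies are placeholders; only msg/sid/rev of the SNMP rule mirror the thread.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-snmp.rules": [
        'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; sid:2101411; rev:13;)',
    ],
    "emerging-scan.rules": [
        'alert tcp any any -> $HOME_NET any (msg:"TEST constructed scan rule"; sid:9000001; rev:1;)',
        '# alert tcp any any -> $HOME_NET any (msg:"TEST shipped disabled by vendor"; sid:9000002; rev:1;)',
    ],
    "emerging-dos.rules": [
        'alert tcp any any -> $HOME_NET 80 (msg:"TEST constructed dos rule"; sid:9000003; rev:1;)',
        'alert tcp any any -> $HOME_NET 443 (msg:"TEST constructed rule to keep"; sid:9000004; rev:1;)',
    ],
}

# Constructed disable.conf showing the three entry forms.
SAMPLE_DISABLE_CONF = """
# the noisy SNMP rule from fast.log, by SID (gid 1 implied)
2101411
# every rule whose text matches a case-insensitive regex
re:constructed dos
# a whole rule file, with or without the .rules suffix
group:emerging-scan
"""

if __name__ == "__main__":
    merged = apply_disable(SAMPLE_RULES, SAMPLE_DISABLE_CONF)
    print(summarize(merged))
    for sid in (2101411, 9000001, 9000002, 9000003, 9000004, 9999999):
        print(sid, is_sid_disabled("\n".join(merged), sid))
```

After a real suricata-update run the equivalent check is `grep 'sid:2101411;' /var/lib/suricata/rules/suricata.rules`: a line starting with `# alert` means the disable took effect, and Suricata then has to be restarted or told to reload its rules to pick up the new file. If the line is absent or still starts with `alert`, suricata-update either never read your disable.conf or wrote to a file that suricata.yaml does not load, which is exactly the mismatch between /etc/suricata/rules and /var/lib/suricata/rules that this thread ran into.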

Thank you, Jason. You helped me to solve my issue and clarify my doubts.
I will remove the rules I added manually.

Many thanks again,
Mauro

No problem. In the last 2 years we’ve made strides to make the default installation much easier to get going with… However, 3rd party documentation appears to lag behind, as expected. Are you a user of Wazuh? It's a popular enough project that I should maybe consider getting their documentation up to date.