[RESOLVED] Suricata update rules

volga629-1 · March 10, 2024, 3:36am

Hello Everyone,

suricata -V This is Suricata version 6.0.16 RELEASE

I am trying understand rules updates flows.
I created disable.conf and enable.conf with all required rules, but Suricata-update try to load all rules

disable.conf

group:stream-events.rules
group:emerging-web_client
group:emerging-web_server.rules
group:emerging-ja3.rules
group:emerging-misc.rules
group:emerging-mobile_malware.rules
egroup:merging-malware.rules
group:emerging-misc.rules
group:emerging-mobile_malware.rules
group:emerging-netbios.rules
group:emerging-p2p.rules
group:emerging-phishing.rules
group:emerging-policy.rules
group:emerging-pop3.rules
group:emerging-rpc.rules
group:emerging-scada.rules
group:emerging-scan.rules
group:emerging-shellcode.rules
group:emerging-smtp.rules
group:emerging-snmp.rules
group:emerging-sql.rules
group:emerging-telnet.rules
group:emerging-tftp.rules
group:emerging-user_agents.rules
group:emerging-web_specific_apps.rules
group:emerging-worm.rules
group:threatview_CS_c2.rules
re:suricata stream
re:HTTP_
re:HTTP_PORTS

enable.conf

group:emerging-dshield.rules
group:emerging-scan.rules
group:emerging-voip.rules

Log

Final result that rules update failing

Any help thank you.

vjulien · March 10, 2024, 6:11am

This looks like a typo.

volga629-1 · March 10, 2024, 2:12pm

Thank you, corrected. But issue still present.

10/3/2024 -- 10:08:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (villagemagneticcsa .fun)"; dns.query; bsize:22; content:"villagemagneticcsa.fun"; nocase; reference:md5,d8666ba0b58b3d01ff7ebc4af4d85bbc; classtype:domain-c2; sid:2050975; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_02_20, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_02_20;)" from file /var/lib/suricata/rules/suricata.rules at line 31086

I specifically disabled HTTP(s) DNS etc … , because it this setup is not required.

volga629-1 · March 10, 2024, 2:34pm

I added more REGEX rules into disable.conf and it cleaned outstanding errors.

Than you resolved.

Topic		Replies	Views
Suricata - disable.conf seems not working Rules	2	928	July 8, 2021
Suricata-update adds commented/disabled rules to the suricata.rules Rules	8	3066	January 5, 2021
Suricata rules - Help Help	1	305	February 22, 2021
Couple of questions about suricata-update suricata-update	1	160	April 9, 2024
Suricata-update --no-merge failing Help	3	573	February 10, 2021

[RESOLVED] Suricata update rules

Related topics