Unknown rule keyword 'flow.bytes_toserver'

Hey, I am starting out with Suricata and installed the latest version 7.0.5 on Ubuntu.
I have enabled a few rule sets with suricata-update.

However, running sudo suricata-update ended in an error.

4/4/2024 -- 08:12:51 - <Info> -- Testing with suricata -T.
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 10MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=10000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301136; rev:2; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8967
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 100MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=100000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301137; rev:1; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8968
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 50MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=50000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301138; rev:1; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8969
24/4/2024 -- 08:13:10 - <Error> -- Loading signatures failed.
24/4/2024 -- 08:13:10 - <Error> -- Suricata test failed, aborting.
24/4/2024 -- 08:13:10 - <Error> -- Restoring previous rules.

I think this is related to the pawpatrules source.

Reproduction:

  • sudo suricata-update update-sources
  • sudo suricata-update enable-source pawpatrules
  • sudo suricata-update

AFAICS this keyword is not available in Suricata 7. It would probably make sense to let the rule source know that this could be an issue.


Oh, I see. That makes sense now. Because I checked the config suricata-intel-index/index.yaml at master · OISF/suricata-intel-index · GitHub

And it is set to min-version: 6.

Sorry about this. I've updated the min-version to 7.0.3 as pawpatrules is now using our requires keyword to guard these rules using 8.0 features without breaking 7.0 installations.
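As an added illustration (not code from this thread, from pawpatrules or from Suricata itself), the following Python models how suricata -T treats a rule under a given engine version: a flow.bytes_toserver rule fails the load on 7.0.x, a requires: version >= 8.0.0 guard turns that failure into a skip on 7.0.3 and later, and on 7.0.2 and earlier requires is itself an unknown keyword, which is why the index min-version had to move to 7.0.3. The sample rules and the keyword-to-version table are constructed assumptions, and the requires semantics are modelled from the documented behaviour rather than taken from the engine source.

```python
import re

# Constructed sample rules (not the pawpatrules ruleset). Rule 1 guards the
# 8.0-only keyword with requires, rule 2 uses it unguarded, rule 3 is plain 7.0.
SAMPLE_RULES = """\
alert ssh any any -> $EXTERNAL_NET any (msg:"guarded SSH upload check"; requires: version >= 8.0.0; flow:to_server,established; flow.bytes_toserver:>=10000000; sid:1; rev:1;)
alert ssh any any -> $EXTERNAL_NET any (msg:"unguarded check; semicolon in msg"; flow:to_server,established; flow.bytes_toserver:>=50000000; sid:2; rev:1;)
alert ssh any any -> $EXTERNAL_NET any (msg:"plain 7.0 rule"; flow:to_server,established; sid:3; rev:1;)
"""

# Assumption: first Suricata version supporting each keyword (only these two are modelled).
KEYWORD_MIN_VERSION = {"flow.bytes_toserver": (8, 0, 0), "requires": (7, 0, 3)}

def parse_version(s):
    return tuple(int(x) for x in s.split("."))

def split_options(body):
    """Split a rule's option body on ';' without breaking inside quoted values."""
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts if o]

def classify(rule, version):
    """Return 'loaded', 'skipped' or 'error' for one rule under the given engine version."""
    opts = split_options(rule[rule.index("(") + 1:rule.rindex(")")])
    # requires is evaluated first: an unmet requirement skips the rule instead of failing
    # the load, but on engines older than 7.0.3 requires itself is an unknown keyword.
    for opt in opts:
        kw, _, val = opt.partition(":")
        if kw.strip() == "requires":
            if version < KEYWORD_MIN_VERSION["requires"]:
                return "error"
            m = re.match(r"\s*version\s*>=\s*([\d.]+)", val)
            if m and version < parse_version(m.group(1)):
                return "skipped"
    for opt in opts:
        kw = opt.partition(":")[0].strip()
        if version < KEYWORD_MIN_VERSION.get(kw, (0, 0, 0)):
            return "error"
    return "loaded"

def check_rules(text, version_str):
    """Map sid -> outcome for every rule line, as suricata -T would see them."""
    version = parse_version(version_str)
    return {int(re.search(r"sid:\s*(\d+)", r).group(1)): classify(r, version)
            for r in text.splitlines() if r.strip()}
```

Running check_rules(SAMPLE_RULES, "7.0.5") reports sid 2 as the one that breaks the load, which matches the errors in the first post; with "7.0.2" the guarded rule errors too, and with "8.0.0" all three load.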