Unknown rule keyword 'flow.bytes_toserver'

apertureless · April 24, 2024, 8:23am

Hey, I am starting out with suricata and installed the latest version 7.0.5 on ubuntu.
I have enabled a few rule sets with suricata-update.

However running sudo suricata-update ended up in an error.

4/4/2024 -- 08:12:51 - <Info> -- Testing with suricata -T.
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 10MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=10000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301136; rev:2; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8967
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 100MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=100000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301137; rev:1; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8968
24/4/2024 -- 08:12:52 - <Error> -- unknown rule keyword 'flow.bytes_toserver'.
24/4/2024 -- 08:12:52 - <Error> -- error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Over 50MB uploaded via SSH / SFTP to public IP address - Possible data exflitration 🚱"; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=50000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301138; rev:1; classtype:policy-violation;)" from file /var/lib/suricata/rules/suricata.rules at line 8969
24/4/2024 -- 08:13:10 - <Error> -- Loading signatures failed.
24/4/2024 -- 08:13:10 - <Error> -- Suricata test failed, aborting.
24/4/2024 -- 08:13:10 - <Error> -- Restoring previous rules.

I think this is related to the pawpatrules source.

Reproduction:

sudo suricata-update update-sources
sudo suricata-update enable-source pawpatrules
sudo suricata-update

satta · April 24, 2024, 8:55am

AFAICS this keyword is not available in Suricata 7. It would probably make sense to let the rule source know that this could be an issue.

apertureless · April 24, 2024, 9:02am

Oh I see. That makes sense now. Because I checked the config suricata-intel-index/index.yaml at master · OISF/suricata-intel-index · GitHub

And it is set to min-version: 6.

ish · May 2, 2024, 6:11pm

Sorry about this. I’ve updated the min-version to 7.0.3 as pawpatrules is now using our requires keyword to guard these rules using 8.0 features without breaking 7.0 installations.

Topic		Replies	Views
Unknown rule keyword 'flow.pkts_toclient' Help rules	2	275	February 6, 2024
Suricata flow keyword causing cpu/mem overload Help	3	513	January 17, 2023
Difference in rule action when using "!" in destination IP field Help	2	188	November 15, 2023
June's webinar: Adding new rule keywords to Suricata: Live coding session Announcements webinar	3	764	June 20, 2023
Tls_state keyword unsupported Rules rules	3	97	June 20, 2024

Unknown rule keyword 'flow.bytes_toserver'

Related topics