Bug 12739

Summary: Core Update 162 (testing): Suricata does not load any rules at all
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: Will affect most users
CC: Manfred.Knick, michael.tremer, PaulV
Version: 2
Keywords: Security
Hardware: all
OS: All
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12738

Description Peter Müller 2021-12-05 14:05:39 UTC
On a machine upgraded to Core Update 162 (testing), Suricata emits these messages in /var/log/messages during startup:

Dec  5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec  5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec  5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec  5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2

As mentioned in #12738, it does not log any IDS rule hit, which is why I interpret this as not having loaded any rules at all.
Comment 1 Paul Vondrasek 2021-12-05 21:13:16 UTC
I confirm the same behavior on the two systems I am testing.

The 'SURICATA STREAM' lines show in the IPS log but there are no rule hits being logged.

Using Emergingthreats.net Community Rules.
There are about a dozen lines complaining about 'dnp3' and 'modbus' in /var/log/messages of both test systems.

Dec  4 23:05:35 ipfire suricata: This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Dec  4 23:05:35 ipfire suricata: all 4 packet processing threads, 2 management threads initialized, engine started.
Dec  4 23:05:35 ipfire suricata: rule reload starting
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7


Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 2


Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2
Dec  4 23:05:36 ipfire suricata: rule reload complete
Dec  4 23:05:36 ipfire suricata: Signature(s) loaded, Detect thread(s) activated.

These messages show up regardless of which rules are enabled in IPS.
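An added check, not part of this bug report or of IPFire's own code, that scans /var/log/messages lines like the ones quoted above and separates the two kinds of SC_ERR_INVALID_SIGNATURE errors: YAML text being parsed as a signature (the rule-file list itself was handed to the rule loader, so no rules were loaded) versus ordinary per-rule errors such as the disabled dnp3/modbus protocols. The sample lines are constructed from the output in this report.

```python
import re

# Constructed sample of /var/log/messages lines, modelled on the output quoted in this bug.
SAMPLE_LOG = """\
Dec  4 23:05:35 ipfire suricata: rule reload starting
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec  4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2
Dec  4 23:05:36 ipfire suricata: rule reload complete
"""

# One Suricata "error parsing signature" line: the text it tried to parse, the file and the line.
PARSE_ERR = re.compile(
    r'SC_ERR_INVALID_SIGNATURE\(39\)\] - error parsing signature '
    r'"(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$'
)

# A YAML directive or document marker can only come from a YAML file, never from a rule.
YAML_MARKER = re.compile(r'^(%YAML\b|---$|\.\.\.$)')


def signature_errors(log_text):
    """Yield (signature, file, line) for every signature parse error in the log."""
    for raw in log_text.splitlines():
        m = PARSE_ERR.search(raw)
        if m:
            yield m.group("sig"), m.group("file"), int(m.group("line"))


def _is_yaml(sig, path):
    return bool(YAML_MARKER.match(sig)) or path.endswith((".yaml", ".yml"))


def misloaded_yaml_files(log_text):
    """Files Suricata parsed as a rules file although they contain YAML, i.e. a
    config or rule-file list was fed to the rule loader (the failure in this bug)."""
    return sorted({path for sig, path, _ in signature_errors(log_text) if _is_yaml(sig, path)})


def ordinary_rule_errors(log_text):
    """Parse errors inside genuine .rules files (e.g. a disabled protocol); these affect
    single signatures and do not by themselves mean the whole ruleset is missing."""
    return [(path, line) for sig, path, line in signature_errors(log_text) if not _is_yaml(sig, path)]


if __name__ == "__main__":
    for path in misloaded_yaml_files(SAMPLE_LOG):
        print("YAML file fed to the rule loader, ruleset probably not loaded:", path)
    for path, line in ordinary_rule_errors(SAMPLE_LOG):
        print("ordinary rule parse error:", path, "line", line)
```

On a live system, feed it the output of `grep suricata /var/log/messages`; a non-empty result from `misloaded_yaml_files` is the condition this bug describes.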
Comment 2 Stefan Schantl 2021-12-08 17:19:32 UTC
Fix has been sent to the mailing list:

https://patchwork.ipfire.org/project/ipfire/patch/20211208171031.308639-2-stefan.schantl@ipfire.org/
Comment 4 Peter Müller 2021-12-13 13:31:41 UTC
This commit is now merged into master, hence setting to ON_QA...