On a machine upgraded to Core Update 162 (testing), Suricata emits these messages in /var/log/messages during startup:

Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2

As mentioned in #12738, it does not log any IDS rule hit, which is why I interpret this as not having loaded any rules at all.
I confirm the same behavior on the two systems I am testing. The 'SURICATA STREAM' lines show in the IPS log but there are no rule hits being logged. Using Emergingthreats.net Community Rules. There are about a dozen lines complaining about 'dnp3' and 'modbus' in /var/log/messages of both test systems.

Dec 4 23:05:35 ipfire suricata: This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Dec 4 23:05:35 ipfire suricata: all 4 packet processing threads, 2 management threads initialized, engine started.
Dec 4 23:05:35 ipfire suricata: rule reload starting
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 2
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2
Dec 4 23:05:36 ipfire suricata: rule reload complete
Dec 4 23:05:36 ipfire suricata: Signature(s) loaded, Detect thread(s) activated.

These messages show up regardless of which rules are enabled in IPS.
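Both reports above show the same two symptoms that a defender should learn to tell apart in Suricata startup logs: the rule loader being handed a file that is not a rule file at all (the YAML header "%YAML 1.1" and "---" of suricata-used-rulefiles.yaml being parsed as signatures, which is the dangerous case because the rule set may then be empty), versus individual rules being skipped only because an app-layer protocol (dnp3, modbus) is disabled, which is harmless noise. The following triage script is an added example, not code from this bug report or from the IPFire project; it parses the lines quoted in the two comments above and classifies them. The regular expressions and the category names are my own assumptions about the message format shown on this page.

```python
import re
from collections import defaultdict

# Log lines assembled from the two comments in this bug report (not constructed,
# but re-ordered so the "protocol ... is disabled" line precedes its rule error).
SAMPLE_LOG = """\
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "%YAML 1.1" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 1
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
Dec 5 03:17:45 maverick suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "---" from file /var/ipfire/suricata/suricata-used-rulefiles.yaml at line 2
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
Dec 4 23:05:35 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
Dec 4 23:05:36 ipfire suricata: rule reload complete
"""

# Assumed shape of the two message types seen above.
SIG_ERR = re.compile(
    r'error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
PROTO_OFF = re.compile(r"protocol (?P<proto>\w+) is disabled")
RULE_FILE_EXT = (".rules",)  # anything else handed to the rule parser is suspect


def triage(log_text):
    """Group Suricata signature-parse errors by origin file and separate
    'wrong file type' errors from rules skipped for a disabled protocol."""
    wrong_file_type = defaultdict(list)   # file -> [(line, signature snippet)]
    bad_rules = defaultdict(list)         # real syntax errors in .rules files
    disabled_protocol = []                # (protocol, file, line)
    reload_complete = False
    pending_proto = None                  # set by the line preceding a rule error

    for raw in log_text.splitlines():
        if "suricata:" not in raw:
            continue
        m = PROTO_OFF.search(raw)
        if m:
            pending_proto = m.group("proto")
            continue
        m = SIG_ERR.search(raw)
        if m:
            f, n, sig = m.group("file"), int(m.group("line")), m.group("sig")
            if not f.endswith(RULE_FILE_EXT):
                wrong_file_type[f].append((n, sig[:40]))
            elif pending_proto:
                disabled_protocol.append((pending_proto, f, n))
            else:
                bad_rules[f].append((n, sig[:40]))
            pending_proto = None
            continue
        if "rule reload complete" in raw:
            reload_complete = True

    return {
        "wrong_file_type": dict(wrong_file_type),
        "bad_rules": dict(bad_rules),
        "disabled_protocol": disabled_protocol,
        "reload_complete": reload_complete,
    }


def verdict(report):
    """Reduce the report to one actionable state, worst case first."""
    if report["wrong_file_type"]:
        # The parser was fed a non-rule file; the loaded rule set may be empty,
        # so 'rule reload complete' alone must not be read as 'rules active'.
        return "MISCONFIGURED_RULE_FILE_LIST"
    if report["bad_rules"]:
        return "RULE_SYNTAX_ERRORS"
    return "OK"


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(verdict(r))
    for f, hits in r["wrong_file_type"].items():
        print(f"non-rule file parsed as rules: {f} ({len(hits)} error(s))")
    for proto, f, n in r["disabled_protocol"]:
        print(f"skipped (protocol {proto} disabled): {f}:{n}")
```

Run against the page's own lines it reports MISCONFIGURED_RULE_FILE_LIST for the YAML file and lists the dnp3 rule as merely skipped; the point of `verdict` is that "rule reload complete" and "Signature(s) loaded" are not sufficient evidence that detection is actually running, which is the gap the reporter noticed via the missing rule hits.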
Fix has been sent to the mailing list: https://patchwork.ipfire.org/project/ipfire/patch/20211208171031.308639-2-stefan.schantl@ipfire.org/
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=74070fe153775dbe975e77fa54f0a9733cea8e50
This commit is now merged into master, hence setting to ON_QA...
https://blog.ipfire.org/post/ipfire-2-27-core-update-162-released