Suricata isn't working properly since 20.7

Started by W0nderW0lf, August 06, 2020, 08:09:51 PM

Hello,

I have trouble getting Suricata running on a fresh installation.

I've tried many things so far, but none helped.

No rules are loading, but you can download, enable drop and activate the rule.

The logs and tests I tried:
root@heimdall:/usr/local/etc/suricata # cat /var/log/suricata.log
Aug  6 18:07:04 heimdall suricata[46670]: [100102] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 18:07:05 heimdall suricata[87016]: [100323] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 18:07:05 heimdall suricata[87016]: [100323] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
Aug  6 18:07:18 heimdall suricata[87016]: [100323] <Notice> -- Signal Received.  Stopping engine.
Aug  6 18:07:18 heimdall suricata[87016]: [100323] <Notice> -- Stats for 'igb0':  pkts: 61, drop: 0 (0.00%), invalid chksum: 0
Aug  6 18:07:18 heimdall suricata[21384]: [100212] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 18:07:19 heimdall suricata[44602]: [100104] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 18:07:19 heimdall suricata[44602]: [100941] <Notice> -- opened netmap:igb0/R from igb0: 0x50b46499000
Aug  6 18:07:19 heimdall suricata[44602]: [100941] <Notice> -- opened netmap:igb0^ from igb0^: 0x50b46499300
Aug  6 18:07:19 heimdall suricata[44602]: [100950] <Notice> -- opened netmap:igb0^ from igb0^: 0x50b7075b000
Aug  6 18:07:20 heimdall suricata[44602]: [100950] <Notice> -- opened netmap:igb0/T from igb0: 0x50b7075b300
Aug  6 18:07:20 heimdall suricata[44602]: [100104] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Aug  6 18:07:26 heimdall suricata[44602]: [100104] <Notice> -- rule reload starting
Aug  6 18:07:26 heimdall suricata[44602]: [100104] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 18:07:26 heimdall suricata[44602]: [100104] <Notice> -- rule reload complete
Aug  6 18:30:45 heimdall suricata[44602]: [100104] <Notice> -- Signal Received.  Stopping engine.
Aug  6 18:30:45 heimdall suricata[44602]: [100104] <Notice> -- Stats for 'igb0':  pkts: 96840, drop: 0 (0.00%), invalid chksum: 0
Aug  6 18:30:45 heimdall suricata[44602]: [100104] <Notice> -- Stats for 'igb0^':  pkts: 95180, drop: 0 (0.00%), invalid chksum: 0
Aug  6 18:32:40 heimdall suricata[23253]: [100190] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 18:32:41 heimdall suricata[56514]: [100179] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 18:32:41 heimdall suricata[56514]: [100194] <Notice> -- opened netmap:igb0/R from igb0: 0x217531fc000
Aug  6 18:32:41 heimdall suricata[56514]: [100194] <Notice> -- opened netmap:igb0^ from igb0^: 0x217531fc300
Aug  6 18:32:41 heimdall suricata[56514]: [100203] <Notice> -- opened netmap:igb0^ from igb0^: 0x2177da84000
Aug  6 18:32:41 heimdall suricata[56514]: [100203] <Notice> -- opened netmap:igb0/T from igb0: 0x2177da84300
Aug  6 18:32:41 heimdall suricata[56514]: [100179] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Aug  6 19:21:22 heimdall suricata[56514]: [100179] <Notice> -- Signal Received.  Stopping engine.
Aug  6 19:21:22 heimdall suricata[56514]: [100179] <Notice> -- Stats for 'igb0':  pkts: 215473, drop: 0 (0.00%), invalid chksum: 0
Aug  6 19:21:22 heimdall suricata[56514]: [100179] <Notice> -- Stats for 'igb0^':  pkts: 208280, drop: 0 (0.00%), invalid chksum: 0
Aug  6 19:21:23 heimdall suricata[14372]: [100249] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 19:21:23 heimdall suricata[81950]: [100174] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 19:21:23 heimdall suricata[81950]: [100550] <Notice> -- opened netmap:igb0/R from igb0: 0x3ced0d59000
Aug  6 19:21:23 heimdall suricata[81950]: [100550] <Notice> -- opened netmap:igb0^ from igb0^: 0x3ced0d59300
Aug  6 19:21:24 heimdall suricata[81950]: [100560] <Notice> -- opened netmap:igb0^ from igb0^: 0x3cee5dfc000
Aug  6 19:21:24 heimdall suricata[81950]: [100560] <Notice> -- opened netmap:igb0/T from igb0: 0x3cee5dfc300
Aug  6 19:21:24 heimdall suricata[81950]: [100174] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:976 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:1659 uses unknown classtype: "pup-activity", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:1814 uses unknown classtype: "coin-mining", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:2671 uses unknown classtype: "exploit-kit", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:3170 uses unknown classtype: "targeted-activity", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:3265 uses unknown classtype: "social-engineering", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:40 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:6006 uses unknown classtype: "external-ip-check", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:42 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:10583 uses unknown classtype: "domain-c2", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:44 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:13130 uses unknown classtype: "credential-theft", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Notice> -- Configuration provided was successfully loaded. Exiting.
Aug  6 19:38:00 heimdall suricata[81950]: [100174] <Notice> -- Signal Received.  Stopping engine.
Aug  6 19:38:01 heimdall suricata[81950]: [100174] <Notice> -- Stats for 'igb0':  pkts: 6495, drop: 0 (0.00%), invalid chksum: 0
Aug  6 19:38:01 heimdall suricata[81950]: [100174] <Notice> -- Stats for 'igb0^':  pkts: 4359, drop: 0 (0.00%), invalid chksum: 0
Aug  6 19:38:01 heimdall suricata[74128]: [100218] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 19:38:01 heimdall suricata[34577]: [100118] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 19:38:02 heimdall suricata[34577]: [100712] <Notice> -- opened netmap:igb0/R from igb0: 0x7439affd000
Aug  6 19:38:02 heimdall suricata[34577]: [100712] <Notice> -- opened netmap:igb0^ from igb0^: 0x7439affd300
Aug  6 19:38:02 heimdall suricata[34577]: [100723] <Notice> -- opened netmap:igb0^ from igb0^: 0x743c5861000
Aug  6 19:38:02 heimdall suricata[34577]: [100723] <Notice> -- opened netmap:igb0/T from igb0: 0x743c5861300
Aug  6 19:38:02 heimdall suricata[34577]: [100118] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Aug  6 19:40:15 heimdall suricata[34577]: [100118] <Notice> -- Signal Received.  Stopping engine.
Aug  6 19:40:16 heimdall suricata[34577]: [100118] <Notice> -- Stats for 'igb0':  pkts: 879, drop: 0 (0.00%), invalid chksum: 0
Aug  6 19:40:16 heimdall suricata[34577]: [100118] <Notice> -- Stats for 'igb0^':  pkts: 884, drop: 0 (0.00%), invalid chksum: 0

root@heimdall:/usr/local/etc/suricata # ps aux | grep suricata
root    53887   0.0  0.0 1060980   3200  0  R+   20:01    0:00.00 grep suricata

root@heimdall:/usr/local/etc/suricata # suricata -T
6/8/2020 -- 20:04:02 - <Info> - Running suricata under test mode
6/8/2020 -- 20:04:02 - <Info> - Including configuration file installed_rules.yaml.
6/8/2020 -- 20:04:02 - <Info> - Configuration node 'rule-files' redefined.
6/8/2020 -- 20:04:02 - <Info> - Including configuration file custom.yaml.
root@heimdall:/usr/local/etc/suricata #


I reinstalled Suricata and removed the yaml. I stopped the service and tried to activate the rules that way ... nothing... It's unable to load the rules....
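A small triage script for the log excerpt above, added here as an example; it is not code from the post, from OPNsense or from the Suricata project. It parses lines in the syslog format Suricata writes to suricata.log, groups them into engine runs, flags any run where the engine started without loading a single rule (the situation in this log: the engine inspects traffic but cannot alert on anything), and collects the classtypes named in the SC_ERR_UNKNOWN_VALUE warnings so they can be compared against a classification.config. The sample log lines are abbreviated from the post; the sample classification.config content, the function names and the `EngineRun` record are constructed for the example.

```python
"""Triage helper for Suricata's suricata.log (added example, not from the post).

Groups Suricata's syslog-style lines into engine runs, reports whether each run
actually loaded rules, and collects classtypes the engine did not recognise.
All sample input below is constructed (abbreviated from the forum post)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# One log line: "<ts> <host> suricata[<pid>]: [<tid>] <<level>> -- <msg>"
# The pid changes after the daemon forks, so runs are delimited by the version
# banner rather than by pid.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ suricata\[(?P<pid>\d+)\]: "
    r"\[\d+\] <(?P<level>\w+)> -- (?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<detail>.*)")
CLASSTYPE_RE = re.compile(r'uses unknown classtype: "(?P<ct>[^"]+)"')
# classification.config entries: config classification: name,description,priority
CLASSIFICATION_RE = re.compile(r"^\s*config classification:\s*(?P<name>[^,]+),")


@dataclass
class EngineRun:
    started_at: str
    version: str
    rules_loaded: bool = True      # cleared when SC_ERR_NO_RULES_LOADED is seen
    engine_started: bool = False   # "engine started." reached
    test_only: bool = False        # config-test style run that exits after loading
    errors: List[str] = field(default_factory=list)


def triage(lines: List[str]) -> Tuple[List[EngineRun], Set[str]]:
    """Return (engine runs in log order, classtypes reported as unknown)."""
    runs: List[EngineRun] = []
    unknown: Set[str] = set()
    current: Optional[EngineRun] = None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a Suricata line (e.g. clog header bytes)
        msg = m.group("msg")
        if "This is Suricata version" in msg:
            version = msg.split("version", 1)[1].split("running", 1)[0].strip()
            current = EngineRun(started_at=m.group("ts"), version=version)
            runs.append(current)
            continue
        err = ERRCODE_RE.search(msg)
        if err:
            ct = CLASSTYPE_RE.search(err.group("detail"))
            if ct:
                unknown.add(ct.group("ct"))   # emitted by the rule-update pass
            elif current is not None:
                current.errors.append(err.group("code"))
                if err.group("code") == "SC_ERR_NO_RULES_LOADED":
                    current.rules_loaded = False
        elif current is not None:
            if msg.endswith("engine started."):
                current.engine_started = True
            elif msg.endswith("successfully loaded. Exiting."):
                current.test_only = True
    return runs, unknown


def silent_runs(runs: List[EngineRun]) -> List[EngineRun]:
    """Runs where the engine came up and inspected traffic with zero rules:
    the IDS is 'running' but can never alert. This deserves its own alarm."""
    return [r for r in runs if r.engine_started and not r.rules_loaded]


def missing_classtypes(unknown: Set[str], classification_text: str) -> List[str]:
    """Classtypes referenced by rules but absent from classification.config."""
    defined = {m.group("name").strip()
               for m in map(CLASSIFICATION_RE.match, classification_text.splitlines()) if m}
    return sorted(unknown - defined)


# Constructed sample: a subset of the lines from the post.
SAMPLE_LOG = """\
Aug  6 18:07:04 heimdall suricata[46670]: [100102] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 18:07:05 heimdall suricata[87016]: [100323] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 18:07:05 heimdall suricata[87016]: [100323] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:976 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:34:38 heimdall suricata[69483]: [100090] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:1814 uses unknown classtype: "coin-mining", using default priority 3. This message won't be shown again for this classtype
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Aug  6 19:37:38 heimdall suricata[16581]: [100255] <Notice> -- Configuration provided was successfully loaded. Exiting.
""".splitlines()

# Constructed sample classification.config: defines one of the two classtypes above.
SAMPLE_CLASSIFICATION = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: command-and-control,Malware Command and Control Activity Detected,1
"""

if __name__ == "__main__":
    runs, unknown = triage(SAMPLE_LOG)
    for r in runs:
        state = "test-only" if r.test_only else ("started" if r.engine_started else "aborted")
        print(f"{r.started_at} {r.version}: {state}, rules_loaded={r.rules_loaded}, errors={r.errors}")
    print("silent runs (engine up, no rules):", len(silent_runs(runs)))
    print("classtypes missing from classification.config:",
          missing_classtypes(unknown, SAMPLE_CLASSIFICATION))
```

On the log in the post, every run that reaches "engine started." does so after SC_ERR_NO_RULES_LOADED, so `silent_runs` returns each of them; an IDS in that state is invisible rather than safe, which is why that error code is worth monitoring on its own rather than being buried among Warnings. The classtype check only reports the names Suricata complained about, so on a full log it tells you which entries a `classification.config` update would need before those rules get a meaningful priority.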

Of all the problems I've had with 20.7, getting rules loaded isn't one of them. Did you do the "download and update rules" on the download tab? I don't think simply enabling actually does anything until they are downloaded.