Netgate Discussion Forum
    Suricata stops after 10 seconds

    IDS/IPS
    • nikkon

      Hi all,

      For some reason I'm not able to find out why Suricata is not able to start.
      PFsense 2.3_1
      x86 full install
      Suricata v. 3.0_7

      I used it on the WAN interface, which is PPPoE. The log looks like this:
      30/5/2016 -- 20:51:35 - <notice>-- This is Suricata version 3.0 RELEASE
      30/5/2016 -- 20:51:35 - <info>-- CPUs/cores online: 8
      30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
      30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
      30/5/2016 -- 20:51:35 - <info>-- HTTP memcap: 67108864
      30/5/2016 -- 20:51:35 - <info>-- DNS request flood protection level: 500
      30/5/2016 -- 20:51:35 - <info>-- DNS per flow memcap (state-memcap): 524288
      30/5/2016 -- 20:51:35 - <info>-- DNS global memcap: 16777216
      30/5/2016 -- 20:51:35 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
      30/5/2016 -- 20:51:35 - <info>-- preallocated 65535 defrag trackers of size 136
      30/5/2016 -- 20:51:35 - <info>-- defrag memory usage: 10485624 bytes, maximum: 33554432
      30/5/2016 -- 20:51:35 - <info>-- AutoFP mode using "Active Packets" flow load balancer
      30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
      30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 hosts of size 104
      30/5/2016 -- 20:51:35 - <info>-- host memory usage: 366144 bytes, maximum: 16777216
      30/5/2016 -- 20:51:35 - <info>-- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
      30/5/2016 -- 20:51:35 - <info>-- preallocated 10000 flows of size 256
      30/5/2016 -- 20:51:35 - <info>-- flow memory usage: 6754304 bytes, maximum: 33554432
      30/5/2016 -- 20:51:35 - <info>-- stream "prealloc-sessions": 32768 (per thread)
      30/5/2016 -- 20:51:35 - <info>-- stream "memcap": 67108864
      30/5/2016 -- 20:51:35 - <info>-- stream "midstream" session pickups: disabled
      30/5/2016 -- 20:51:35 - <info>-- stream "async-oneside": disabled
      30/5/2016 -- 20:51:35 - <info>-- stream "checksum-validation": disabled
      30/5/2016 -- 20:51:35 - <info>-- stream."inline": disabled
      30/5/2016 -- 20:51:35 - <info>-- stream "max-synack-queued": 5
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "memcap": 67108864
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "depth": 0
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toserver-chunk-size": 2560
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toclient-chunk-size": 2596
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly.raw: enabled
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 4, prealloc 256
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 16, prealloc 512
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 112, prealloc 512
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 248, prealloc 512
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 512, prealloc 512
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 768, prealloc 1024
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 1448, prealloc 1024
      30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 65535, prealloc 128
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "chunk-prealloc": 250
      30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "zero-copy-size": 128
      30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
      30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 ippairs of size 104
      30/5/2016 -- 20:51:35 - <info>-- ippair memory usage: 366144 bytes, maximum: 16777216
      30/5/2016 -- 20:51:35 - <info>-- using magic-file /usr/share/misc/magic
      30/5/2016 -- 20:51:35 - <info>-- Delayed detect disabled
      30/5/2016 -- 20:51:35 - <info>-- IP reputation disabled
      30/5/2016 -- 20:51:35 - <info>-- Loading rule file: /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 70
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 103
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 138
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 196
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 300
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 301
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 307
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 425
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 429
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 614
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 615
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 660
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 665
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; http_client_body; content:"&admin="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&hid="; distance:0; http_client_body; content:"&arc="; distance:0; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 792
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
      30/5/2016 -- 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 793
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_server,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36007; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20126
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_client,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36006; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20127
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
      30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"

      pfsense 2.3.4 on Supermicro A1SRi-2758F + 8GB ECC + SSD

      Happy PfSense user :)

      • bmeeks

        Do a quick search through this forum and you will find the solution.  You need to increase the STREAM memory settings.  Off the top of my head I don't recall the exact parameter.  Search for this error either here or on Google to find the exact parameter to tweak:

        [ERRCODE: SC_ERR_POOL_INIT(66)]

        All those other errors are caused by running Snort VRT rules on Suricata.  There are many Snort VRT rules that Suricata will not digest and will discard and not use because they contain unsupported rule options.

        Bill

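        As an added example (not part of either post, and not pfSense or Suricata project code): a small Python triage script for a Suricata startup log like the one quoted above. It separates the non-fatal SC_ERR_INVALID_SIGNATURE pairs, each of which only discards one rule and lets startup continue, from a fatal error such as the SC_ERR_POOL_INIT(66) that bmeeks points to, and it groups the discarded sids by the reason Suricata gave. The embedded sample log is constructed from shortened versions of the lines above plus one invented SC_ERR_POOL_INIT line; the wording of that fatal message is an assumption, only its error code comes from the thread.

```python
import re
from collections import Counter

# Suricata 3.x log line: "30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: NAME(nn)] - text"
LOG_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)>-- (?P<msg>.*)$")
ERR_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SID_RE = re.compile(r"sid:(\d+);")
RULE_LINE_RE = re.compile(r" at line (\d+)$")

# Error codes that abort startup; SC_ERR_POOL_INIT is the one named in the reply above.
FATAL_CODES = {"SC_ERR_POOL_INIT"}

# Reasons Suricata gives before each "error parsing signature" line, mapped to a short label.
REASON_PATTERNS = (
    ("combines packet specific matches", "packet match combined with app-layer keyword"),
    ("fast_pattern:only", "relative keyword next to fast_pattern:only content"),
    ("sticky buffer still set", "modifier used while a sticky buffer is set"),
    ("Base not specified for byte_extract", "byte_extract string without a base"),
)


def classify_reason(text):
    for needle, label in REASON_PATTERNS:
        if needle in text:
            return label
    return "other: " + text[:60]


def triage(lines):
    """Return discarded rules (sid, reason, rule file line), reason counts and fatal errors."""
    result = {"discarded": [], "reasons": Counter(), "fatal": []}
    pending_reason = None  # the explanation line that precedes the rule-text line
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["level"] != "error":
            continue
        e = ERR_RE.search(m["msg"])
        if not e:
            continue
        code, text = e["code"], e["text"]
        if code in FATAL_CODES:
            result["fatal"].append({"time": m["time"], "code": code, "text": text})
        elif code == "SC_ERR_INVALID_SIGNATURE":
            if text.startswith("error parsing signature"):
                sid = SID_RE.search(text)
                rule_line = RULE_LINE_RE.search(text)
                reason = pending_reason or "unknown"
                result["discarded"].append({
                    "sid": int(sid.group(1)) if sid else None,
                    "reason": reason,
                    "rule_line": int(rule_line.group(1)) if rule_line else None,
                })
                result["reasons"][reason] += 1
                pending_reason = None
            else:
                pending_reason = classify_reason(text)
    return result


def startup_blocked(result):
    """Rule parse errors alone never stop Suricata; only a fatal code does."""
    return len(result["fatal"]) > 0


# Constructed sample: shortened copies of lines from the thread plus an invented fatal line.
SAMPLE_LOG = """\
30/5/2016 -- 20:51:35 - <notice>-- This is Suricata version 3.0 RELEASE
30/5/2016 -- 20:51:35 - <info>-- stream "memcap": 67108864
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"EXAMPLE dsize with http_header"; dsize:267<>276; content:"User-Agent"; http_header; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 70
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE relative after fast_pattern:only"; content:"-2013.zip"; fast_pattern:only; content:"-"; within:1; distance:-14; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 103
30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)
30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE byte_extract string without base"; byte_extract:10,0,colspan,relative,string; sid:36007; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20126
30/5/2016 -- 20:51:57 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - (constructed sample line) stream pool initialization failed
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    for reason, n in r["reasons"].most_common():
        sids = [d["sid"] for d in r["discarded"] if d["reason"] == reason]
        print(f"{n:3d} rule(s) discarded: {reason}  sids={sids}")
    for f in r["fatal"]:
        print(f"FATAL at {f['time']}: {f['code']}: {f['text']}")
    print("startup blocked:", startup_blocked(r))
```

        Run it as `python3 triage.py < suricata.log` after replacing SAMPLE_LOG with `sys.stdin`; the point it makes is the one in the reply: the long list of discarded Snort VRT rules is noise for this problem, and the line to act on is the one fatal pool error.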