Suricata stops after 10 seconds
-
Hi all,
For some reason I'm not able to find out why Suricata is not able to start.
PFsense 2.3_1
x86 full install
Suricata v. 3.0_7
I used it on the WAN interface, which is PPPoE.
The log looks like this:
30/5/2016 -- 20:51:35 - <notice>-- This is Suricata version 3.0 RELEASE
30/5/2016 -- 20:51:35 - <info>-- CPUs/cores online: 8
30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
30/5/2016 -- 20:51:35 - <info>-- HTTP memcap: 67108864
30/5/2016 -- 20:51:35 - <info>-- DNS request flood protection level: 500
30/5/2016 -- 20:51:35 - <info>-- DNS per flow memcap (state-memcap): 524288
30/5/2016 -- 20:51:35 - <info>-- DNS global memcap: 16777216
30/5/2016 -- 20:51:35 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
30/5/2016 -- 20:51:35 - <info>-- preallocated 65535 defrag trackers of size 136
30/5/2016 -- 20:51:35 - <info>-- defrag memory usage: 10485624 bytes, maximum: 33554432
30/5/2016 -- 20:51:35 - <info>-- AutoFP mode using "Active Packets" flow load balancer
30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 hosts of size 104
30/5/2016 -- 20:51:35 - <info>-- host memory usage: 366144 bytes, maximum: 16777216
30/5/2016 -- 20:51:35 - <info>-- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
30/5/2016 -- 20:51:35 - <info>-- preallocated 10000 flows of size 256
30/5/2016 -- 20:51:35 - <info>-- flow memory usage: 6754304 bytes, maximum: 33554432
30/5/2016 -- 20:51:35 - <info>-- stream "prealloc-sessions": 32768 (per thread)
30/5/2016 -- 20:51:35 - <info>-- stream "memcap": 67108864
30/5/2016 -- 20:51:35 - <info>-- stream "midstream" session pickups: disabled
30/5/2016 -- 20:51:35 - <info>-- stream "async-oneside": disabled
30/5/2016 -- 20:51:35 - <info>-- stream "checksum-validation": disabled
30/5/2016 -- 20:51:35 - <info>-- stream."inline": disabled
30/5/2016 -- 20:51:35 - <info>-- stream "max-synack-queued": 5
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "memcap": 67108864
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "depth": 0
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toserver-chunk-size": 2560
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toclient-chunk-size": 2596
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly.raw: enabled
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 4, prealloc 256
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 16, prealloc 512
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 112, prealloc 512
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 248, prealloc 512
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 512, prealloc 512
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 768, prealloc 1024
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 1448, prealloc 1024
30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 65535, prealloc 128
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "chunk-prealloc": 250
30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "zero-copy-size": 128
30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 ippairs of size 104
30/5/2016 -- 20:51:35 - <info>-- ippair memory usage: 366144 bytes, maximum: 16777216
30/5/2016 -- 20:51:35 - <info>-- using magic-file /usr/share/misc/magic
30/5/2016 -- 20:51:35 - <info>-- Delayed detect disabled
30/5/2016 -- 20:51:35 - <info>-- IP reputation disabled
30/5/2016 -- 20:51:35 - <info>-- Loading rule file: /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 70
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 103
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 138
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 196
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 300
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 301
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 307
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 425
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 429
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 614
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 615
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 660
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 665
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; http_client_body; content:"&admin="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&hid="; distance:0; http_client_body; content:"&arc="; distance:0; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 792
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 793
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified. The right options are (string, hex), (string, oct) or (string, dec)
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_server,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36007; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20126
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified. The right options are (string, hex), (string, oct) or (string, dec)
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_client,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36006; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20127
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"</error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice> -
Do a quick search through this forum and you will find the solution. You need to increase the STREAM memory settings. Off the top of my head I don't recall the exact parameter. Search for this error either here or on Google to find the exact parameter to tweak:
[ERRCODE: SC_ERR_POOL_INIT(66)]
All those other errors are caused by running Snort VRT rules on Suricata. There are many Snort VRT rules that Suricata will not digest and will discard and not use because they contain unsupported rule options.
Bill
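To see at a glance which SIDs Suricata discarded and for which of the reasons quoted above, here is an added helper (not from this thread, pfSense or the Suricata project) that pairs each "error parsing signature" line with the explanation Suricata logs immediately before it. The sample log is constructed from the post's own lines; the reason labels are my shorthand.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
30/5/2016 -- 20:51:35 - <info>-- Loading rule file: /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC sample"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|"; fast_pattern:only; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 300
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER sample"; content:"-2013.zip"; fast_pattern:only; content:"-"; within:1; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 103
30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified. The right options are (string, hex), (string, oct) or (string, dec)
30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE sample"; byte_extract:10,0,colspan,relative,string; sid:36007; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20126
"""

ERROR_RE = re.compile(r'<error>-- \[ERRCODE: (\w+)\(\d+\)\] - (.*)$')
PARSE_RE = re.compile(r'^error parsing signature "(.*)" from file (\S+) at line (\d+)$')
SID_RE = re.compile(r'\bsid:(\d+);')

# Substrings of Suricata's explanations, mapped to short labels (my wording).
REASON_KEYS = [
    ("fast_pattern:only", "relative keyword next to fast_pattern:only"),
    ("packet specific matches", "dsize/flags/ttl mixed with http_* keywords"),
    ("sticky buffer still set", "http_* modifier after a sticky buffer such as file_data"),
    ("Base not specified for byte_extract", "byte_extract string without a base"),
]

def classify(reason):
    for needle, label in REASON_KEYS:
        if needle in reason:
            return label
    return "other: " + reason[:60]

def parse_rejected_rules(log_text):
    """Pair each 'error parsing signature' line with the explanation logged before it."""
    rejected, pending_reason = [], None
    for raw in log_text.splitlines():
        m = ERROR_RE.search(raw)
        if not m:
            continue                      # info/notice lines are not relevant here
        errcode, detail = m.groups()
        p = PARSE_RE.match(detail)
        if p is None:
            pending_reason = detail       # explanation precedes the rule dump
            continue
        rule_text, rule_file, rule_line = p.groups()
        sid = SID_RE.search(rule_text)    # the rule text may be truncated in the log
        rejected.append({"sid": int(sid.group(1)) if sid else None,
                         "line": int(rule_line), "file": rule_file,
                         "errcode": errcode, "reason": classify(pending_reason or "")})
        pending_reason = None
    return rejected

def reason_counts(rejected):
    return Counter(r["reason"] for r in rejected)

def rejected_sids(rejected):
    return sorted(r["sid"] for r in rejected if r["sid"] is not None)

if __name__ == "__main__":
    rows = parse_rejected_rules(SAMPLE_LOG)
    for r in rows:
        print(f"sid {r['sid']} (rules line {r['line']}): {r['reason']}")
    for reason, n in reason_counts(rows).most_common():
        print(f"{n:3d} x {reason}")
```

Feed it the real suricata.log instead of SAMPLE_LOG and the SID list is what you would disable in the rule-set management page; the counts by reason show whether the rejects are all VRT-compatibility issues or something else worth looking at.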