Netgate Discussion Forum
    After upgrade to pf+ 23.09 Surricata says it's starting but..

    IDS/IPS
    61 Posts 9 Posters 10.2k Views
    • E
      Euman @Bob.Dig
      last edited by

      @Bob-Dig I tried starting manually, was a NO-GO

      Bob.DigB 1 Reply Last reply Reply Quote 0
      • Bob.DigB
        Bob.Dig LAYER 8 @Euman
        last edited by Bob.Dig

        @Euman Running here in legacy mode on an x86 VM without problems.

        1 Reply Last reply Reply Quote 0
        • N
          NRgia @Euman
          last edited by

          @Euman I don't have any problem with Suricata, running on a white box with Intel® Atom® C3558 same as 6100

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by bmeeks

            Are you guys having Suricata 7 startup issues running with Legacy Blocking Mode or Inline IPS Mode enabled?

            I see at least one of you appears to have Suricata enabled on a PPPoE interface. Inline IPS Mode will most definitely not work on that interface. Also looks like for one of you there is more than one Suricata instance enabled on the box (PPPoE on WAN, I assume, and another instance on an internal igb0 interface).

            A core dump is obviously a serious issue, and when the Suricata binary daemon crashes like that it will leave behind the stale PID file it complains about on the next startup attempt. Those files will be in /var/run/ on the firewall. Delete any Suricata PID files you find there if having startup problems.

            But if you continue getting core dumps, that is something much more serious than a dangling PID file. This new package version contains the latest upstream binary from the 7.x Suricata branch. It's entirely possible there is something with your hardware or current configuration that Suricata 7 does not play well with. There are users reporting no problems updating to and running the new package version, so this failure to start does not appear to be a widespread issue. Also, this version has been running and available in the 23.09 snapshot development branch for quite some time with no reported issues.

            NogBadTheBadN E 2 Replies Last reply Reply Quote 0
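The stale-PID-file check described above, as an added example (not code from the thread or from the pfSense Suricata package): it lists the Suricata PID files in a run directory whose process no longer exists, so they can be removed before the next start attempt. The file-name pattern `suricata*.pid` and the use of `/var/run` as the default directory are assumptions.

```python
"""Find stale Suricata PID files left behind after a daemon crash.

Added example, not part of the pfSense Suricata package. Assumes the
package writes one PID file per instance into /var/run/ with a name
matching suricata*.pid (the exact naming is an assumption).
"""
import glob
import os
import tempfile


def pid_is_alive(pid: int) -> bool:
    """Signal 0 probes for a process without affecting it."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        # The process exists but belongs to another user: still alive.
        return True
    return True


def read_pid(path: str):
    """Return the integer PID stored in a file, or None if unreadable or garbage."""
    try:
        with open(path) as fh:
            text = fh.read().strip()
    except OSError:
        return None
    return int(text) if text.isdigit() else None


def stale_pid_files(run_dir: str = "/var/run", pattern: str = "suricata*.pid"):
    """Return the PID files in run_dir whose process is gone.

    A file with garbage content counts as stale too: the daemon would
    refuse to start over it just the same as over a dead PID.
    """
    stale = []
    for path in sorted(glob.glob(os.path.join(run_dir, pattern))):
        pid = read_pid(path)
        if pid is None or not pid_is_alive(pid):
            stale.append(path)
    return stale


def demo():
    """Constructed run directory: one live PID file, one stale, one corrupt."""
    run_dir = tempfile.mkdtemp()
    files = {
        "suricata_live.pid": str(os.getpid()),   # this interpreter: alive
        "suricata_stale.pid": "2147483647",      # no process can hold this PID
        "suricata_corrupt.pid": "not-a-pid",     # unparseable content
    }
    for name, body in files.items():
        with open(os.path.join(run_dir, name), "w") as fh:
            fh.write(body + "\n")
    return [os.path.basename(p) for p in stale_pid_files(run_dir)]


if __name__ == "__main__":
    print(demo())  # ['suricata_corrupt.pid', 'suricata_stale.pid']
```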
            • NogBadTheBadN
              NogBadTheBad @bmeeks
              last edited by NogBadTheBad

              @bmeeks

              Legacy mode

              Netgate SG-4860 hardware with igb interfaces

              I just tried running it on the LAN interface and it still core dumped.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              bmeeksB 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @NogBadTheBad
                last edited by

                @NogBadTheBad said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                @bmeeks

                Legacy mode

                Netgate SG-4860 hardware with igb interfaces

                I just tried running it on the LAN interface and it still core dumped.

                Don't know how I can help you. I do not have an SG-4860 to test on. I also have nothing with a PPPoE interface configured.

                Unfortunately for you there is no way to go back to Suricata 6.x unless you rollback your firewall to 23.05.1. That's not a long-term solution as that pfSense version will eventually go EOL with no support.

                But to be honest, I would abandon using an IDS/IPS unless you also have MITM encryption interception enabled and working. The IDS/IPS is blind to the vast majority of traffic traversing a firewall these days. I no longer run any IDS/IPS package on my personal system for that very reason. I have only a couple of testing virtual machines for maintaining/testing the Suricata and Snort packages.

                But if you want to run Suricata, then you will need different hardware it seems; or else rollback to the older pfSense Plus and hope something happens upstream in Suricata to produce a future fix. But if the core dump problem is not widespread, then it likely won't get identified and/or fixed upstream.

                NogBadTheBadN 1 Reply Last reply Reply Quote 0
                • NogBadTheBadN
                  NogBadTheBad @bmeeks
                  last edited by NogBadTheBad

                  @bmeeks it’s a standard Intel processor. If I’m having issues, I’m sure other people will too; perhaps I need to go back to Snort.

                  Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
                  4 CPUs : 1 package(s) x 4 core(s)
                  AES-NI CPU Crypto: Yes (inactive)
                  IPsec-MB Crypto: Yes (inactive)
                  QAT Crypto: Yes (active)

                  Is it not possible to have the two versions available?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  1 Reply Last reply Reply Quote 0
                  • E
                    Euman @bmeeks
                    last edited by

                    @bmeeks I run a mixed mode setup: WAN is IPS, a couple of LANs are IDS legacy.

                    I do hope someone with the equipment and knowledge can figure this out.. a few of us really are stuck owning netgate hardware.

                    bmeeksB 1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks @Euman
                      last edited by

                      @Euman said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                      I do hope someone with the equipment and knowledge can figure this out.. a few of us really are stuck owning netgate hardware.

                      You have the equipment and likely as much basic knowledge of what's wrong as anyone else at the moment.

                      1. Start by simplifying your setup. Turn off all blocking, save the changes, then attempt to start Suricata.

                      2. If that fails, save a config.xml backup and then uncheck the "save settings" option in Suricata (on the GLOBAL SETTINGS tab) and remove the package under SYSTEM > PACKAGE MANAGER.

                      3. Start over with a clean slate: no blocking and a default configuration. See if Suricata starts and runs then.

                      4. Next, add your rules archives back (or some of them), update the rules, enable a few, and see if you can still start and run Suricata.

                      5. Somewhere in the above chain you might stumble upon the "where it breaks" point. If not, then restore your previous config.xml (just the PACKAGES portion) to bring back the original Suricata settings. See what happens then when starting.

                      If it works fine with a clean slate, then you will know it's something in your configuration. If it fails to start with a nearly blank default setup, then it's some hardware issue (unlikely, but not impossible).

                      E 1 Reply Last reply Reply Quote 1
                      • E
                        Euman @bmeeks
                        last edited by

                        @bmeeks This issue is resolved after completely removing any existing configuration, removing the Suricata pkg, rebooting the router, reinstalling Suricata and setting up a new configuration.

                        unsure why we'd have to iron-fist the pkg and configuration however..

                        Kind Regards

                        bmeeksB 1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks @Euman
                          last edited by bmeeks

                          @Euman said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                          unsure why we'd have to iron-fist the pkg and configuration however..

                          Because among the thousands of users of the package there are countless variations in the configurations. Also countless variations in the hardware the package is being run on. That means there are lots of places for something to get sideways. There is no physical way to test all those differences. I can only test on what hardware and configurations I have personally. This is a volunteer created and maintained package. No relation to Netgate at all.

                          In my many years of maintaining the Snort and Suricata packages I've seen users do some mighty weird things in their configurations - usually by operating under invalid assumptions and making configuration decisions from those faulty assumptions. That might have been your issue, or it may simply have been a random cosmic ray from space altered some RAM cell value 😁.

                          Take the fact pfSense runs perfectly fine for the vast majority of users, and they easily apply each incremental upgrade without a single hitch. I've never once experienced a single problem updating my pfSense firewalls all the way back to the 1.x RC series. But a handful of others post here with problem after problem with almost each and every pfSense update. Who knows why they have issues???

                          E 1 Reply Last reply Reply Quote 1
                          • E
                            Euman @bmeeks
                            last edited by

                            @bmeeks I appreciate everyone's help

                            non-netgate hardware pfsense users aren't getting:
                            -> Default optimized configurations for Netgate hardware appliances

                            Could it be the single reason in this case?.. pf+ is a different beast!

                            Didn't intend a flame war.

                            bmeeksB N 2 Replies Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @Euman
                              last edited by

                              @Euman said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                              @bmeeks I appreciate everyone's help

                              non-netgate hardware pfsense users aren't getting:
                              -> Default optimized configurations for Netgate hardware appliances

                              Could it be the single reason in this case?.. pf+ is a different beast!

                              Didn't intend a flame war.

                              No flaming implied 🙂.

                              I will admit it has become increasingly difficult to create and test both the Snort and Suricata packages now as all I have for test platforms are CE environments. I have an SG-5100 for my personal network, but it's production and I install no packages on it. And no, I no longer run any IDS/IPS on my personal firewall and have not for more than three years due to the reasons I stated up above in a previous post in this thread.

                              1 Reply Last reply Reply Quote 0
                              • N
                                NRgia @Euman
                                last edited by

                                @Euman said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                @bmeeks I appreciate everyone's help

                                non-netgate hardware pfsense users aren't getting:
                                -> Default optimized configurations for Netgate hardware appliances

                                Could it be the single reason in this case?.. pf+ is a different beast!

                                Didn't intend a flame war.

                                How can Netgate or any other company deliver "optimized configurations" for infinite combinations of hardware setups? I run pfSense+ on a whitebox myself, and I have to optimize it myself, or I ask the devs here.

                                1 Reply Last reply Reply Quote 0
                                • F
                                  frunkAF
                                  last edited by

                                  I get the following output in my system log when starting the service...

                                  
                                  Nov 7 10:13:35	suricata	71053	[1:2402000:6815] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 205.210.31.242:55579 -> <WAN_IP>:1801
                                  Nov 7 10:12:58	suricata	71053	[1:2403340:87375] ET CINS Active Threat Intelligence Poor Reputation IP group 41 [Classification: Misc Attack] [Priority: 2] {TCP} 45.128.232.125:35015 -> <WAN_IP>:8080
                                  Nov 7 10:12:50	suricata	71053	[1:2402000:6815] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 94.102.61.41:34113 -> <WAN_IP>:2061
                                  Nov 7 10:12:44	suricata	71053	[1:2403331:87375] ET CINS Active Threat Intelligence Poor Reputation IP group 32 [Classification: Misc Attack] [Priority: 2] {TCP} 37.44.238.75:60918 -> <WAN_IP>:8728
                                  Nov 7 10:12:23	suricata	71053	[1:2402000:6815] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 77.90.185.163:50733 -> <WAN_IP>:11972
                                  Nov 7 10:11:38	suricata	71053	[101246] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
                                  Nov 7 10:11:38	kernel		ix0: promiscuous mode enabled
                                  Nov 7 10:11:24	suricata	53757	[100484] <Notice> -- ix0: packets: 0, drops: 0 (0.00%), invalid chksum: 0
                                  Nov 7 10:11:23	kernel		ix0: promiscuous mode disabled
                                  Nov 7 10:11:22	suricata	53757	[100484] <Notice> -- Signal Received. Stopping engine.
                                  Nov 7 10:11:22	suricata	53757	[100484] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
                                  Nov 7 10:11:22	kernel		ix0: promiscuous mode enabled
                                  Nov 7 10:11:12	suricata	71053	[101246] <Warning> -- flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
                                  Nov 7 10:11:12	suricata	71053	[101246] <Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                                  Nov 7 10:11:12	suricata	71053	[101246] <Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                                  Nov 7 10:11:12	suricata	71053	[101246] <Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                                  Nov 7 10:10:56	suricata	71027	[101073] <Notice> -- This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
                                  Nov 7 10:10:56	php	66796	[Suricata] Suricata START for WAN(ix0)...
                                  Nov 7 10:10:56	php	66796	[Suricata] Building new sid-msg.map file for WAN...
                                  Nov 7 10:10:56	suricata	53757	[100484] <Warning> -- flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
                                  Nov 7 10:10:56	suricata	53757	[100484] <Warning> -- flowbit 'lp.cascade' is checked but not set. Checked in 4144 and 0 other sigs
                                  Nov 7 10:10:56	suricata	53757	[100484] <Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                                  Nov 7 10:10:56	suricata	53757	[100484] <Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                                  Nov 7 10:10:56	suricata	53757	[100484] <Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                                  Nov 7 10:10:56	php	66796	[Suricata] Enabling any flowbit-required rules for: WAN...
                                  Nov 7 10:10:56	suricata	53757	[100484] <Error> -- error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"SERVER-OTHER SaltStack wheel directory traversal attempt"; flow:to_server" from file /usr/local/etc/suricata/suricata_43800_ix0/rules/suricata.rules at line 45049
                                  Nov 7 10:10:56	suricata	53757	[100484] <Error> -- no terminating ";" found
                                  Nov 7 10:10:55	php	66796	[Suricata] Updating rules configuration for: WAN ...
                                  Nov 7 10:10:45	php-fpm	419	[Suricata] Suricata STOP for WAN(ix0)...
                                  Nov 7 10:10:45	php-fpm	419	Restarting Suricata on WAN(ix0) per user request...
                                  Nov 7 10:10:41	suricata	53681	[101163] <Notice> -- This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
                                  Nov 7 10:10:41	php	49248	[Suricata] Suricata START for WAN(ix0)...
                                  Nov 7 10:10:41	php	49248	[Suricata] Building new sid-msg.map file for WAN...
                                  Nov 7 10:10:41	php	49248	[Suricata] Enabling any flowbit-required rules for: WAN...
                                  Nov 7 10:10:40	php	49248	[Suricata] Updating rules configuration for: WAN ...
                                  Nov 7 10:10:40	php-fpm	24588	Starting Suricata on WAN(ix0) per user request...
                                  

                                  I don't know why but it apparently signals to disable promiscuous mode and then enable it 15 seconds later.

                                  My service status dashboard shows Suricata running, but when I go to Services > Suricata, under Interfaces, the Suricata status is stopped on WAN. However, I do have alerts updating and active blocks.

                                  So it is running, but something is wrong with the monitor on the services page?

                                  F X 2 Replies Last reply Reply Quote 0
                                  • F
                                    frunkAF @frunkAF
                                    last edited by

                                    @frunkAF said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                    I get the following output in my system log when starting the service...

                                    

                                    
                                    Nov 7 11:38:09	kernel		ix0: promiscuous mode disabled
                                    Nov 7 11:38:09	suricata	60294	[105868] <Error> -- Hyperscan returned fatal error -1.
                                    Nov 7 11:37:58	suricata	60294	[104798] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
                                    Nov 7 11:37:58	kernel		ix0: promiscuous mode enabled
                                    Nov 7 11:37:32	suricata	60294	[104798] <Warning> -- flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
                                    Nov 7 11:37:32	suricata	60294	[104798] <Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                                    Nov 7 11:37:32	suricata	60294	[104798] <Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                                    Nov 7 11:37:32	suricata	60294	[104798] <Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                                    Nov 7 11:37:17	suricata	59956	[100475] <Notice> -- This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
                                    Nov 7 11:37:17	php	56276	[Suricata] Suricata START for WAN(ix0)...
                                    Nov 7 11:37:17	php	56276	[Suricata] Building new sid-msg.map file for WAN...
                                    Nov 7 11:37:17	php	56276	[Suricata] Enabling any flowbit-required rules for: WAN...
                                    Nov 7 11:37:16	php	56276	[Suricata] Updating rules configuration for: WAN ...
                                    Nov 7 11:37:16	php-fpm	24588	Starting Suricata on WAN(ix0) per user request...
                                    

                                    Whatever '<Error> -- Hyperscan returned fatal error -1.' is seems to be the issue?

                                    bmeeksB 1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks @frunkAF
                                      last edited by bmeeks

                                      @frunkAF said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                      Whatever '<Error> -- Hyperscan returned fatal error -1.' is seems to be the issue?

                                      Yes. What kind of hardware are you using? Specifically, what is the CPU type and architecture?

                                      Hyperscan is enabled by default in the build options for pfSense. In the past it has not been an issue. There is an outside chance that the hyperscan library is not correct on your system following the update. But that's just one guess.

                                      I would start by removing the package, rebooting the firewall, and then installing the package again to be sure it pulls down all the correct shared libraries. Netgate experienced a prolonged outage at their primary data center last night according to a post elsewhere on the forum. It may be you were affected by that depending on where you are located in the world and how "day time working hours" at your location corresponded to the overnight Netgate network outage.

                                      F 1 Reply Last reply Reply Quote 1
                                      • X
                                        xpxp2002 @frunkAF
                                        last edited by

                                        @frunkAF How are you getting these detailed logs? When I look at suricata.log, it's quite sparse even with verbose logging enabled. Same for the system log:

                                        2023-11-07 14:46:10.910729-05:00	php-fpm	555	Starting Suricata on DMZ(hn5) per user request...
                                        2023-11-07 14:46:11.031247-05:00	php	34566	[Suricata] Updating rules configuration for: DMZ ...
                                        2023-11-07 14:46:11.747641-05:00	php	34566	[Suricata] Enabling any flowbit-required rules for: DMZ...
                                        2023-11-07 14:46:11.786034-05:00	php	34566	[Suricata] Building new sid-msg.map file for DMZ...
                                        2023-11-07 14:46:14.228814-05:00	php	34566	[Suricata] Suricata START for DMZ(hn5)...
                                        2023-11-07 14:46:15.909440-05:00	kernel	-	pid 40984 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
                                        
                                        bmeeksB 2 Replies Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks @xpxp2002
                                          last edited by

                                          @xpxp2002 said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                          @frunkAF How are you getting these detailed logs? When I look at suricata.log, it's quite sparse even with verbose logging enabled. Same for the system log:

                                          2023-11-07 14:46:10.910729-05:00	php-fpm	555	Starting Suricata on DMZ(hn5) per user request...
                                          2023-11-07 14:46:11.031247-05:00	php	34566	[Suricata] Updating rules configuration for: DMZ ...
                                          2023-11-07 14:46:11.747641-05:00	php	34566	[Suricata] Enabling any flowbit-required rules for: DMZ...
                                          2023-11-07 14:46:11.786034-05:00	php	34566	[Suricata] Building new sid-msg.map file for DMZ...
                                          2023-11-07 14:46:14.228814-05:00	php	34566	[Suricata] Suricata START for DMZ(hn5)...
                                          2023-11-07 14:46:15.909440-05:00	kernel	-	pid 40984 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
                                          

                                          Different kinds of information are logged in suricata.log versus the system log. The Suricata package has two separate components: (1) a binary daemon that is compiled from upstream source code; and (2) a PHP-based GUI package that runs on the pfSense operating system.

                                          The PHP code logs things it does to the pfSense system log. The binary Suricata daemon logs its activity mostly to the suricata.log (but will also log some things to the pfSense system log).

                                          1 Reply Last reply Reply Quote 0
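As an added example (not code from the thread or from the pfSense Suricata package), a small Python triage script that applies the distinction above: it tags each pasted system-log line as coming from the PHP GUI package (php, php-fpm), the Suricata daemon or the kernel, and flags the failure signatures posted in this thread (core dump, Hyperscan fatal error, unparseable rule). The tab-separated layout (time, process, pid, message) is taken from the pasted logs; the sample lines are copied from the posts above, and everything else is assumed.

```python
"""Triage pfSense system-log lines pasted from a Suricata start attempt.

Added example, not code from this thread or from the pfSense Suricata
package. Each tab-separated line (time, process, pid, message) is tagged by
origin: the PHP GUI package (php, php-fpm), the Suricata daemon, or the
kernel. Lines must be passed oldest-first; the GUI shows newest-first.
"""
import re

# Failure signatures taken from the logs posted in this thread.
SIGNATURES = [
    ("crash", re.compile(r"exited on signal \d+ \(core dumped\)")),
    ("hyperscan", re.compile(r"Hyperscan returned fatal error")),
    ("bad-rule", re.compile(r"error parsing signature .* at line \d+")),
]

# Which component writes under which process name (from bmeeks's explanation).
COMPONENT = {"php": "gui", "php-fpm": "gui", "suricata": "daemon", "kernel": "kernel"}


def parse(line):
    """Split a log line into (time, process, pid, message); None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    return tuple(parts) if len(parts) == 4 else None


def triage(lines):
    """Count lines per component, collect flagged findings, track engine state."""
    counts = {"gui": 0, "daemon": 0, "kernel": 0, "other": 0}
    findings = []
    state = "never started"
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue  # blank line or pasted text that is not a log record
        when, proc, _pid, msg = rec
        counts[COMPONENT.get(proc, "other")] += 1
        for label, pattern in SIGNATURES:
            if pattern.search(msg):
                findings.append((label, when, msg.strip()))
                if label != "bad-rule":  # a bad rule is skipped; the engine may still start
                    state = "stopped: " + label
        if "Engine started" in msg:
            state = "running"
        elif "Stopping engine" in msg:
            state = "stopped: signal"
    return {"counts": counts, "findings": findings, "state": state}


# Sample lines copied from the posts above. xpxp2002's paste is oldest-first;
# frunkAF's pastes are newest-first and are reversed before triage.
CORE_DUMP_LOG = """\
2023-11-07 14:46:10.910729-05:00\tphp-fpm\t555\tStarting Suricata on DMZ(hn5) per user request...
2023-11-07 14:46:11.031247-05:00\tphp\t34566\t[Suricata] Updating rules configuration for: DMZ ...
2023-11-07 14:46:11.747641-05:00\tphp\t34566\t[Suricata] Enabling any flowbit-required rules for: DMZ...
2023-11-07 14:46:11.786034-05:00\tphp\t34566\t[Suricata] Building new sid-msg.map file for DMZ...
2023-11-07 14:46:14.228814-05:00\tphp\t34566\t[Suricata] Suricata START for DMZ(hn5)...
2023-11-07 14:46:15.909440-05:00\tkernel\t-\tpid 40984 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
"""

HYPERSCAN_LOG = """\
Nov 7 11:38:09\tkernel\t\tix0: promiscuous mode disabled
Nov 7 11:38:09\tsuricata\t60294\t[105868] <Error> -- Hyperscan returned fatal error -1.
Nov 7 11:37:58\tsuricata\t60294\t[104798] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
Nov 7 11:37:58\tkernel\t\tix0: promiscuous mode enabled
Nov 7 11:37:17\tsuricata\t59956\t[100475] <Notice> -- This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Nov 7 11:37:17\tphp\t56276\t[Suricata] Suricata START for WAN(ix0)...
Nov 7 11:37:16\tphp-fpm\t24588\tStarting Suricata on WAN(ix0) per user request...
"""

RULE_ERROR_LOG = """\
Nov 7 10:11:38\tsuricata\t71053\t[101246] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
Nov 7 10:10:56\tsuricata\t53757\t[100484] <Error> -- no terminating ";" found
Nov 7 10:10:56\tsuricata\t53757\t[100484] <Error> -- error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"SERVER-OTHER SaltStack wheel directory traversal attempt"; flow:to_server" from file /usr/local/etc/suricata/suricata_43800_ix0/rules/suricata.rules at line 45049
Nov 7 10:10:56\tphp\t66796\t[Suricata] Suricata START for WAN(ix0)...
"""


def demo_core_dump():
    return triage(CORE_DUMP_LOG.splitlines())


def demo_hyperscan():
    return triage(reversed(HYPERSCAN_LOG.splitlines()))


def demo_rule_error():
    return triage(reversed(RULE_ERROR_LOG.splitlines()))


if __name__ == "__main__":
    for name, result in (("core dump", demo_core_dump()),
                         ("hyperscan", demo_hyperscan()),
                         ("bad rule", demo_rule_error())):
        print(name, "->", result["state"], "| findings:", [f[0] for f in result["findings"]])
```

The third sample reproduces frunkAF's first paste: the unparseable rule is reported, but the engine still reaches "running", which matches the alerts and blocks continuing while the GUI status showed stopped.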
                                          • F
                                            frunkAF @bmeeks
                                            last edited by

                                            @bmeeks said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                            @frunkAF said in After upgrade to pf+ 23.09 Surricata says it's starting but..:

                                            Whatever '<Error> -- Hyperscan returned fatal error -1.' is seems to be the issue?

                                            Yes. What kind of hardware are you using? Specifically, what is the CPU type and architecture?

                                            Hyperscan is enabled by default in the build options for pfSense. In the past it has not been an issue. There is an outside chance that the hyperscan library is not correct on your system following the update. But that's just one guess.

                                            I would start by removing the package, rebooting the firewall, and then installing the package again to be sure it pulls down all the correct shared libraries. Netgate experienced a prolonged outage at their primary data center last night according to a post elsewhere on the forum. It may be you were affected by that depending on where you are located in the world and how "day time working hours" at your location corresponded to the overnight Netgate network outage.

                                            I'm running an x86 AMD Ryzen 5 4600G.

                                            I removed the package, rebooted, and reinstalled and it looks like so far so good...

                                            Nov 7 11:58:08	suricata	9703	[1:2525008:860] ET 3CORESec Poor Reputation IP group 9 [Classification: Misc Attack] [Priority: 2] {TCP} 168.80.174.100:59081 -> <WAN_IP>:1010
                                            Nov 7 11:58:08	suricata	9703	[1:2400016:3793] ET DROP Spamhaus DROP Listed Traffic Inbound group 17 [Classification: Misc Attack] [Priority: 2] {TCP} 168.80.174.100:59081 -> <WAN_IP>:1010
                                            Nov 7 11:57:39	suricata	9703	[1:2402000:6815] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 198.235.24.117:51685 -> <WAN_IP>:40000
                                            Nov 7 11:55:52	suricata	9703	[100935] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
                                            Nov 7 11:55:26	suricata	9703	[100935] <Warning> -- flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
                                            Nov 7 11:55:26	suricata	9703	[100935] <Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                                            Nov 7 11:55:26	suricata	9703	[100935] <Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                                            Nov 7 11:55:26	suricata	9703	[100935] <Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                                            Nov 7 11:55:11	suricata	99330	[100591] <Notice> -- This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
                                            Nov 7 11:55:11	SuricataStartup	99192	Suricata START for WAN(43800_ix0)...
                                            Nov 7 11:50:39	SuricataStartup	93389	Suricata STOP for WAN(43800_ix0)...
                                            

                                            Is there a way for me to check the shared libraries I pulled down via a hash or something to see if I am affected?

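As an added example (not code from this thread, from Netgate or from the Suricata package), the check below pairs each "Suricata START" line in the pfSense system log with the outcome that follows it: the kernel "exited on signal 11 (core dumped)" line quoted above, the "Hyperscan returned fatal error -1" message, or the daemon's "Engine started" notice that marks a clean start. The log lines are constructed to mirror the excerpts in this thread, and the tab-separated ISO-timestamp layout of the first excerpt is assumed.

```python
import re
from typing import Optional

# Constructed sample modelled on the tab-separated pfSense system log excerpts in this
# thread (a signal 11 crash, a Hyperscan fatal error, a clean start, and a start with no
# outcome yet). Not a real capture.
SAMPLE_LOG = """\
2023-11-07 14:46:14.228814-05:00\tphp\t34566\t[Suricata] Suricata START for DMZ(hn5)...
2023-11-07 14:46:15.909440-05:00\tkernel\t-\tpid 40984 (suricata), jid 0, uid 0: exited on signal 11 (core dumped)
2023-11-07 15:02:00.000000-05:00\tSuricataStartup\t99192\tSuricata START for WAN(ix0)...
2023-11-07 15:02:05.000000-05:00\tsuricata\t9703\t[100935] <Error> -- Hyperscan returned fatal error -1.
2023-11-07 15:10:00.000000-05:00\tSuricataStartup\t99192\tSuricata START for WAN(ix0)...
2023-11-07 15:10:28.000000-05:00\tsuricata\t9703\t[100935] <Notice> -- Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started.
2023-11-07 15:20:00.000000-05:00\tSuricataStartup\t99192\tSuricata START for LAN(igb0)...
"""

START_RE = re.compile(r"Suricata START for (\S+?)\.\.\.")
CRASH_RE = re.compile(r"\(suricata\).*exited on signal (\d+)")
HS_ERR_RE = re.compile(r"<Error> -- Hyperscan returned fatal error (-?\d+)")

def audit_starts(log_text: str) -> list[dict]:
    """Return one record per 'Suricata START' with the outcome observed after it.

    The kernel crash line carries the daemon PID, not the interface, so each outcome is
    attributed to the most recent START that has not yet reported 'Engine started'.
    """
    results: list[dict] = []
    pending: Optional[dict] = None
    for line in log_text.splitlines():
        parts = line.split("\t", 3)          # timestamp, process, pid, message
        if len(parts) != 4:
            continue
        ts, proc, _pid, msg = parts
        if m := START_RE.search(msg):
            if pending is not None:          # previous start never reached 'Engine started'
                pending["status"] = "no 'Engine started' before next START"
            pending = {"interface": m.group(1), "started_at": ts, "status": "pending"}
            results.append(pending)
        elif pending is None:
            continue                         # outcome lines with no start to attach to
        elif proc == "kernel" and (m := CRASH_RE.search(msg)):
            dumped = " (core dumped)" if "core dumped" in msg else ""
            pending["status"] = f"crashed: signal {m.group(1)}{dumped}"
            pending = None
        elif m := HS_ERR_RE.search(msg):
            pending["status"] = f"hyperscan fatal error {m.group(1)}"
            pending = None
        elif "Engine started" in msg:
            pending["status"] = "ok"
            pending = None
    if pending is not None:
        pending["status"] = "no 'Engine started' seen"
    return results

if __name__ == "__main__":
    for rec in audit_starts(SAMPLE_LOG):
        print(f"{rec['started_at']}  {rec['interface']:<10} {rec['status']}")
```

Any record whose status is not "ok" is a start worth investigating; a crash record means the stale PID file bmeeks mentions earlier in the thread may also need to be cleared from /var/run/.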
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.