Suricata - interface shows the service as stopped after some time.
-
Look at the `suricata.log` for the affected interface under LOGS VIEW in the Suricata package GUI. That should show something that may give a clue as to what's happening. Also check the pfSense system log to see what is logged there.

If the PID file is disappearing, then the processes are being terminated gracefully for some reason. If crashing, typically the PID file gets left behind in `/var/run`, and that prevents a subsequent startup in the GUI and logs an error about the existing PID file.

Are you sure you were seeing a fully running Suricata PID line, or perhaps just the result of your `grep` search command? It's odd to see processes running but no matching PID file in `/var/run`. You may have a zombie Suricata process running. Try killing all instances of Suricata at the shell prompt as follows:

```
kill -9 <PID>
```

where `<PID>` is the Process ID of any running Suricata process. After that, restart Suricata using the icons in the GUI on the INTERFACES tab of the Suricata package.

It could be that your Suricata instance is updating its rules and then failing during the restart. You should find a clue why in either the `suricata.log` mentioned above or in the pfSense system log.

Post back any messages you find to this thread.
-
@bmeeks Ok, Suricata crashed again. According to the logs, it was during the update.
This is the final piece of `suricata.log`:
[101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 6 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 10 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 6 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 10 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 6 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2 
[101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.server (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http)": 2 [101363 - Suricata-Main] 
2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http.location (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_start (http)": 6 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_start (http)": 6 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_method (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 8 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 15 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver 
http_user_agent (http2)": 15 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_host (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 3 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 3 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer 
MPM "toclient tls.cert_fingerprint (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 2 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (smb)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (smb)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver dce_stub_data (dcerpc)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient dce_stub_data (dcerpc)": 4 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (nfs)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (nfs)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (smb)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smb)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: 
AppLayer MPM "toserver file_data (http)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toclient file_data (http2)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (http2)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: AppLayer MPM "toserver file_data (smtp)": 73 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "icmpv6.hdr": 1 [101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Pkt MPM "ipv6.hdr": 1 [101363 - Suricata-Main] 2025-01-20 18:47:26 Info: runmodes: Using 1 live device(s). [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets [291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: snaplen set to 1518 [101363 - Suricata-Main] 2025-01-20 18:47:26 Notice: threads: Threads created -> RX: 1 W: 2 FM: 1 FR: 1 Engine started. [291538 - RX#01-pppoe0] 2025-01-20 18:47:30 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
Notice that the log shows Suricata restarting, because Suricata is indeed running, regardless of being shown as down.
Now, this is `system.log` showing the time Suricata got shut down. It was during the update process:

```
8:46:07 php-cgi 57307 [Suricata] ABUSE.ch SSL Blacklist rules were updated...
Jan 20 18:46:08 php-cgi 57307 [Suricata] Updating rules configuration for: LAN ...
Jan 20 18:46:10 php-cgi 57307 [Suricata] Enabling any flowbit-required rules for: LAN...
Jan 20 18:46:10 php-cgi 57307 [Suricata] Building new sid-msg.map file for LAN...
Jan 20 18:46:10 php-cgi 57307 [Suricata] Suricata STOP for LAN(re0)...
Jan 20 18:46:25 php-cgi 57307 [Suricata] Suricata START for LAN(re0)...
Jan 20 18:46:25 php-cgi 57307 [Suricata] Suricata has restarted with your new set of rules for LAN...
Jan 20 18:46:25 php-cgi 57307 [Suricata] Updating rules configuration for: WANVIVOFIBRA ...
Jan 20 18:46:26 php-cgi 57307 [Suricata] Enabling any flowbit-required rules for: WANVIVOFIBRA...
Jan 20 18:46:27 php-cgi 57307 [Suricata] Building new sid-msg.map file for WANVIVOFIBRA...
Jan 20 18:46:27 php-cgi 57307 [Suricata] Suricata STOP for WAN(pppoe0)...
Jan 20 18:46:33 kernel pppoe0: promiscuous mode disabled
Jan 20 18:46:42 php-cgi 57307 [Suricata] Suricata START for WAN(pppoe0)...
Jan 20 18:46:42 php-cgi 57307 [Suricata] Suricata has restarted with your new set of rules for WANVIVOFIBRA...
Jan 20 18:46:42 php-cgi 57307 [Suricata] The Rules update has finished.
Jan 20 18:47:26 kernel pppoe0: promiscuous mode enabled
```

It got stopped at 18:46:27 and restarted at 18:46:42.
The Suricata / Interfaces page shows Suricata as down.
But it is running; this is the result of `ps aux | grep suricata`:

```
[2.7.2-RELEASE][admin@****.********..lan]/var/run: ps aux | grep surica
root 66156 0.0 4.7 572652 289280 - SNs 18:46 1:02.37 /usr/local/bin/suricata -i re0 -D
root 99211 0.0 6.0 583408 368304 - SNs 18:46 1:08.29 /usr/local/bin/suricata -i pppoe0
root 75098 0.0 0.0 12752 2144 0 S+ 20:27 0:00.00 grep surica
```

And this is the content of `/var/run`:

```
[2.7.2-RELEASE][admin@******.*********.lan]/var/run: ls
bandwidthd.pid check_reload_status cp_prunedb_*******_celular.pid cron.pid devd.pid
devd.pipe devd.seqpacket.pipe dmesg.boot dnsbl.pid
dpinger_WANVIVOFIBRA_PPPOE~************~***********.pid
dpinger_WANVIVOFIBRA_PPPOE~************~***********.sock
expire_accounts.pid filter_reload_status filterdns.pid filterlog.pid ipsec_keepalive.pid
kea ld-elf.so.hints ld-elf32.so.hints log logpriv
nginx-*******_celular-CaptivePortal.pid nginx-webConfigurator.pid nginx.pid ntopng.pid ntpd.pid
openvpn_server2.pid pfSense-upgrade-GUI.pid pfSense_version pfSense_version.rc
php-fpm.pid php-fpm.socket ping_hosts.pid pppoe_wan.pid radiusd.pid sshd.pid syslog.pid
unbound.pid update_alias_url_data.pid updaterrd.sh.pid utmp utx.active vnstat
```

Notice that the Suricata PID file is not here. That is the reason why the Suricata / Interfaces page shows them as down.
-
@tchadrack said in Suricata - interface shows the service as stopped after some time.:
Notice that the Suricata PID file is not here. That is the reason why the Suricata / Interfaces page shows them as down.
Yes, that is why the GUI interface code thinks it is not running. It checks for the presence of a PID file named with the UUID of the interface.
I have no idea why the PID files would be missing, though. They are created by the Suricata binary as part of its startup procedure. The GUI code has nothing to do with that. It simply checks they are present to determine which icon to display -- Suricata "running" or "stopped".
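The two failure modes bmeeks describes (a running process with no PID file, which the GUI paints as "stopped", and a leftover PID file after a crash, which blocks the next start) can be told apart from the shell by comparing the process list with the PID files. The script below is an added example, not from this thread or from the pfSense Suricata package; it assumes the package's PID files live in `/var/run`, are named `suricata_<iface><uuid>.pid` and contain only the PID (the `12345`/`67890` UUIDs and the `31337` PID in the sample are constructed), and it only reads them, it never stops a process.

```shell
#!/bin/sh
# Added example: reconcile the Suricata processes `ps` reports with the PID
# files the pfSense Suricata GUI uses to pick the "running" or "stopped" icon.
# Assumed (not confirmed by the thread): PID files are
# /var/run/suricata_<iface><uuid>.pid and contain only the PID. Read-only.

# live_procs PS_TEXT: print "<iface> <pid>" for every suricata process in text
# shaped like `ps aux | grep suricata` output; the grep line itself is skipped.
live_procs() {
    printf '%s\n' "$1" | awk '
        /\/suricata .*-i / { for (i = 1; i <= NF; i++) if ($i == "-i") print $(i + 1), $2 }'
}

# pidfile_for DIR PID: print the name of the PID file in DIR recording PID.
# Returns 1 when no PID file points at that process.
pidfile_for() {
    for f in "$1"/suricata_*.pid; do
        [ -f "$f" ] || continue
        if [ "$(tr -d '[:space:]' < "$f")" = "$2" ]; then
            basename "$f"
            return 0
        fi
    done
    return 1
}

# reconcile PS_TEXT DIR: one finding per line.
#   ok <iface> <pid> <pidfile>   process running, GUI will show "running"
#   ghost <iface> <pid>          process running but no PID file: GUI shows
#                                "stopped" (the situation in this thread)
#   stale <pidfile> <pid>        PID file left behind, no such process: the GUI
#                                will refuse the next start with a PID-file error
reconcile() {
    live=$(live_procs "$1")
    dir=$2
    printf '%s\n' "$live" | while read -r iface pid; do
        [ -n "$pid" ] || continue
        if pf=$(pidfile_for "$dir" "$pid"); then
            printf 'ok %s %s %s\n' "$iface" "$pid" "$pf"
        else
            printf 'ghost %s %s\n' "$iface" "$pid"
        fi
    done
    for f in "$dir"/suricata_*.pid; do
        [ -f "$f" ] || continue
        fpid=$(tr -d '[:space:]' < "$f")
        if ! printf '%s\n' "$live" | awk -v p="$fpid" '$2 == p { found = 1 } END { exit !found }'; then
            printf 'stale %s %s\n' "$(basename "$f")" "$fpid"
        fi
    done
}

# Constructed sample: the two processes from the thread's `ps` output, a PID
# file for re0 only, and a leftover PID file from a process that no longer exists.
SAMPLE_PS='root 66156 0.0 4.7 572652 289280 - SNs 18:46 1:02.37 /usr/local/bin/suricata -i re0 -D
root 99211 0.0 6.0 583408 368304 - SNs 18:46 1:08.29 /usr/local/bin/suricata -i pppoe0
root 75098 0.0 0.0 12752 2144 0 S+ 20:27 0:00.00 grep surica'

# demo: run reconcile against the constructed sample in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '66156\n' > "$d/suricata_re012345.pid"      # live re0 instance (uuid constructed)
    printf '31337\n' > "$d/suricata_ovpns267890.pid"   # stale leftover (constructed)
    reconcile "$SAMPLE_PS" "$d"
    rm -rf "$d"
}

# On a live pfSense box the equivalent call is:
#   reconcile "$(ps aux | grep suricata)" /var/run
demo
```

A `ghost` line confirms what this thread shows (process alive, icon red); a `stale` line is the other case bmeeks describes, where the leftover file in `/var/run` has to be cleared before the GUI can start that instance again.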
-
Thank you. I believe more people could be facing the same issue. So could anyone here help us find out what is happening?
Note: I tried to update Suricata before, but it didn't help.
Complete startup log of Suricata:
[104357 - Suricata-Main] 2025-01-20 18:46:42 Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: cpu: CPUs/cores online: 2 [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: suricata: Setting engine mode to IDS mode by default [104357 - Suricata-Main] 2025-01-20 18:46:42 Info: app-layer-htp-mem: HTTP memcap: 67108864 [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: alert-pf output device (regular) initialized: block.log [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_30338_pppoe0/passlist. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_30338_pppoe0/passlist processed: Total entries parsed: 19, IP addresses/netblocks/aliases added to No Block list: 19, IP addresses/netblocks ignored because they were covered by existing entries: 0. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=no passlist-debugging=no [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Creating initial automatic firewall interface IP address pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv4 address 192.168.1.1 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re0 IPv4 address 10.10.10.1 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re1 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe68:287a to automatic interface IP pass list. 
[101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:7011 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.254 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.77 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface re2 IPv4 address 192.168.27.12 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface pppoe0 IPv4 address 201.42.100.58 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface pppoe0 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:02e0:4cff:fe61:3452 to automatic interface IP pass list. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: alert-pf: Adding firewall interface ovpns2 IPv4 address 10.0.1.1 to automatic interface IP pass list. 
[101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: fast output device (regular) initialized: alerts.log [291532 - Suricata-IM#01] 2025-01-20 18:46:42 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 initializing. [291532 - Suricata-IM#01] 2025-01-20 18:46:42 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 startup completed successfully. [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: http-log output device (regular) initialized: http.log [101363 - Suricata-Main] 2025-01-20 18:46:42 Info: logopenfile: tls-log output device (regular) initialized: tls.log [101363 - Suricata-Main] 2025-01-20 18:46:42 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [101363 - Suricata-Main] 2025-01-20 18:46:42 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27 [100122 - Suricata-Main] 2025-01-20 18:46:50 Notice: device: pppoe0: packets: 3049877, drops: 17009 (0.56%), invalid chksum: 0 [101363 - Suricata-Main] 2025-01-20 18:46:50 Error: detect-tls-ja3-hash: ja3 support is not enabled [101363 - Suricata-Main] 2025-01-20 18:46:50 Error: detect: error parsing signature 
"alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CIS] Gootloader C2 Activity - Windows Server 2016 - barefootinc.com[.]au"; flow:established,to_server; ja3.hash; content:"ae76f123158d52fd84c2c313c0c724ac"; tls.sni; bsize:18; content:"barefootinc.com.au"; nocase; startswith; fast_pattern; threshold: type limit, track by_src, seconds 3600, count 1; classtype:domain-c2; sid:2058287; rev:1; metadata:affected_product Windows_Server_2016, attack_target Client_Endpoint, created_at 2024_12_15, deployment Perimeter, malware_family GootLoader, confidence High, signature_severity Major, updated_at 2024_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:dest_ip;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 19207 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-urilen: depth or urilen 11 smaller than content len 17 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 26215 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 26822 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27046 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-pcre: unknown regex modifier 'K' [101363 - 
Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27112 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-parse: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27175 [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect-isdataat: pcre2_substring_get_bynumber failed [101363 - Suricata-Main] 2025-01-20 18:46:54 Error: detect: error parsing signature "alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Backdoor.PygmyGoat inbound connection attempt"; 
flow:to_client,established; content:"SSH-2.0-D8pjE|0D 0A|"; depth:15; isdataat:!15,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:url,ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:64295; rev:1;)" from file /usr/local/etc/suricata/suricata_30338_pppoe0/rules/suricata.rules at line 27312 [101363 - Suricata-Main] 2025-01-20 18:46:56 Info: detect: 3 rule files processed. 34719 rules successfully loaded, 11 rules failed, 0 [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210038, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210044, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2200070, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2520113, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2200075, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210020, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210029, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210045, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2210046, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2260002, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2221034, gid 1: unknown rule [101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't 
[101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2230010, gid 1: unknown rule
[101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: threshold-config: can't suppress sid 2230010, gid 1: unknown rule
[101363 - Suricata-Main] 2025-01-20 18:46:56 Info: threshold-config: Threshold config parsed: 24 rule(s) found
[101363 - Suricata-Main] 2025-01-20 18:46:56 Info: detect: 34723 signatures processed. 1178 are IP-only rules, 3470 are inspecting packet payload, 28580 inspect application layer, 107 are decoder event only
[101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[101363 - Suricata-Main] 2025-01-20 18:46:56 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: UDP toserver: 41 port groups, 24 unique SGH's, 17 copies
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: UDP toclient: 21 port groups, 13 unique SGH's, 8 copies
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[101363 - Suricata-Main] 2025-01-20 18:46:56 Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[101363 - Suricata-Main] 2025-01-20 18:46:57 Perf: detect: Unique rule groups: 101
[...]
[101363 - Suricata-Main] 2025-01-20 18:47:26 Info: runmodes: Using 1 live device(s).
[291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[291538 - RX#01-pppoe0] 2025-01-20 18:47:26 Info: pcap: pppoe0: snaplen set to 1518
[101363 - Suricata-Main] 2025-01-20 18:47:26 Notice: threads: Threads created -> RX: 1 W: 2 FM: 1 FR: 1 Engine started.
[291538 - RX#01-pppoe0] 2025-01-20 18:47:30 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
ps aux | grep suricata
[2.7.2-RELEASE][admin@*****.*******.lan]/root: ps aux | grep surica
root 66156 0.0 2.0 572652 123832 - SNs 18:46 3:40.11 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_58258_re
root 99211 0.0 2.4 586480 143904 - SNs 18:46 4:20.86 /usr/local/bin/suricata -i pppoe0 -D -c /usr/local/etc/suricata/suricata_30338
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
Thank you. I believe more people could be facing the same issue. So anyone here could help us to know what is happening?
Obs: I tried to update Suricata before, but it didn't help.
Complete start up log of suricata:
[2.7.2-RELEASE][admin@*****.*******.lan]/root: ps aux | grep surica
root 66156 0.0 2.0 572652 123832 - SNs 18:46 3:40.11 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_58258_re
root 99211 0.0 2.4 586480 143904 - SNs 18:46 4:20.86 /usr/local/bin/suricata -i pppoe0 -D -c /usr/local/etc/suricata/suricata_30338
And immediately after this did you check in /var/run for any files with suricata in their name? If the binary starts, it should be creating the PID file in that directory. If that is failing, perhaps there is a permissions or even disk space issue??? Realtek NICs are not the best for use on FreeBSD, but even still I don't see how that could be related to not creating a PID file.
Try this --
Kill all the running Suricata processes using this command from a shell prompt:
kill <PID>
Once all running Suricata processes are terminated, return to the GUI and go to the INTERFACES tab in Suricata and click the icon to start each interface. Report back on what happens then.
-
@bmeeks said in Suricata - interface show the service as stopped after sometime.:
And immediately after this did you check in /var/run for any files with suricata in their name? If the binary starts, it should be creating the PID file in that directory. If that is failing, perhaps there is a permissions or even disk space issue ???
I didn't, because the down status on the web interface only happens after some time and not immediately. Sometimes they can be up for more than one day, even more.
@bmeeks said in Suricata - interface show the service as stopped after sometime.:
Kill all the running Suricata processes using this command from a shell prompt: kill <PID>
Once all running Suricata processes are terminated, return to the GUI and go to the INTERFACES tab in Suricata and click the icon to start each interface. Report back on what happens
I tried to do it already. I've killed all suricata processes and started again from the web interface.
What happens is that they start and work normally, showing themselves as up in the web interface. But after some time, when I open and look into web interface, they are showing as down.
If I go to the shell I can see they are up, but without the PID file in /var/run.
 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

[2.7.2-RELEASE][admin@****************]/root: cd /var/run
[2.7.2-RELEASE][admin@****************]/var/run: ls | grep surica
[2.7.2-RELEASE][admin@****************]/var/run: ps aux | grep suric
root 66156 0.0 1.2 581868 74928 - SNs 18:46 5:08.75 /usr/local/bin/suricata -i re0 -D
root 99211 0.0 1.6 586480 95276 - SNs 18:46 6:00.33 /usr/local/bin/suricata -i pppoe0
root 49197 0.0 0.0 12752 2136 0 S+ 16:49 0:00.00 grep suric
[2.7.2-RELEASE][admin@****************]/var/run: kill -9 66156
[2.7.2-RELEASE][admin@****************]/var/run: kill -9 99211
[2.7.2-RELEASE][admin@****************]/var/run: ps aux | grep suric
root 42936 0.0 0.0 12752 2140 0 S+ 16:50 0:00.00 grep suric
(here I started suricata under the web interface)
[2.7.2-RELEASE][admin@****************]/var/run: ls | grep surica
suricata_pppoe030338.pid
suricata_re058258.pid
After killing the processes and restarting them from the web interface, the PID files are created inside /var/run.
-
Okay, let's try an experiment.
Go to the GLOBAL SETTINGS tab in Suricata and check the box for Live Rule Swap on Update (if it is not already checked). Save that change.
Next, kill the Suricata processes from the shell prompt as explained in my post above, then restart Suricata on each interface in the GUI. Let's see if that keeps the GUI's status in sync with the actual processes.
Something is deleting the PID files, but I currently do not really know what that is. And my guess is it happens during the periodic rules update when Suricata is normally restarted. Checking the box I noted prevents a physical restart of Suricata and instead tells it to live reload the updated rules.
The outcome of this experiment may give me a clue (or at least help me narrow down where to be looking).
-
@bmeeks Okay, I've done it. I will return later with more information about what happened. Thank you.
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
@bmeeks Okay, I've done it. I will return later with more information about what happened. Thank you.
Okay. Also, I did not see it in your process list captures, but make sure you are NOT using the Service Watchdog package to monitor Suricata. That package is not compatible with either Suricata or Snort.
-
root 78291 0.0 4.8 765872 291224 - Ss 17:00 6:31.07 /usr/local/bin/suricata -i pppoe0
root 86453 0.0 5.3 872748 325348 - Ss 17:00 6:37.23 /usr/local/bin/suricata -i re0 -D
Up to now the web interface is showing the suricata service as up and running (pid files present in /var/run)
Watchdog is running, but not enabled for suricata
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
root 78291 0.0 4.8 765872 291224 - Ss 17:00 6:31.07 /usr/local/bin/suricata -i pppoe0
root 86453 0.0 5.3 872748 325348 - Ss 17:00 6:37.23 /usr/local/bin/suricata -i re0 -D
Up to now the web interface is showing the suricata service as up and running (pid files present in /var/run)
Watchdog is running, but not enabled for suricata
Okay. I think I may know what could be happening. I notice you appear to have stats collection enabled based on the log entries I saw in the suricata.log snippet you posted. I'm suspecting your instance is either taking a long time to shutdown (due to collecting and printing the stats summary) or it is not actually fully shutting down during the rules update. But the PHP function that restarts Suricata after a rule update does unconditionally delete the PID file when stopping the binary to be sure the subsequent restart will succeed. I think I may need to make that code "smarter" so that it does more thorough checks before deleting the PID.

The change I had you make skips restarting the binary on rules updates. It instructs Suricata to reload the rules while still running. That way the PID file is not deleted. The only downside to that is a temporary increase in RAM consumption while the rules swap is happening. That can be a problem only with installs that have limited RAM.
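As an added example (not code from the pfSense Suricata package or from anyone in this thread), here is a POSIX sh sketch of the "smarter" stop described above: the PID file is removed only after the process has actually exited, and a second function flags the state shown earlier in the thread where a suricata -i process is running but its PID file is gone. The names pid_alive, safe_stop and orphan_interfaces, the use of ps -o stat= -p to detect zombies, and the default timeout are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the pfSense Suricata package's own PHP code: a stop
# routine that removes a Suricata PID file only once the process has really
# exited (instead of unconditionally), plus a check for the state seen in
# this thread, where "suricata -i <iface>" is running but no PID file exists.
# Assumes POSIX sh, a ps that accepts "-o stat= -p PID", and the package's
# suricata_<iface><uuid>.pid naming under /var/run.

# pid_alive <pid>: true if the process exists and is not a zombie.
# A zombie has already exited and must not keep us waiting.
pid_alive() {
    if command -v ps >/dev/null 2>&1; then
        state=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
        [ -n "$state" ] && [ "${state#Z}" = "$state" ]
    else
        kill -0 "$1" 2>/dev/null   # fallback without ps: no zombie detection
    fi
}

# safe_stop <pidfile> [timeout_seconds]
# Returns 0 when the process is gone and the PID file was removed,
# 1 when it is still running after the timeout (PID file is kept so the
# GUI keeps reporting the truth), 2 when the PID file is missing or bogus.
safe_stop() {
    pidfile=$1
    timeout=${2:-30}
    [ -r "$pidfile" ] || return 2
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        '' | *[!0-9]*) return 2 ;;
    esac
    if ! pid_alive "$pid"; then
        rm -f "$pidfile"        # stale file left by a crash: safe to clean up
        return 0
    fi
    kill "$pid" 2>/dev/null || true   # polite shutdown request (SIGTERM)
    i=0
    while pid_alive "$pid"; do
        i=$((i + 1))
        [ "$i" -ge "$timeout" ] && return 1
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# orphan_interfaces <ps_output> <pidfile_listing>
# Prints every interface with a running "suricata -i <iface>" process but
# no suricata_<iface>*.pid in the listing, one per line.
# Typical call: orphan_interfaces "$(ps aux)" "$(ls /var/run)"
orphan_interfaces() {
    ps_lines=$1
    pidfiles=$2
    printf '%s\n' "$ps_lines" |
        sed -n 's/.*\/suricata -i \([^ ]*\).*/\1/p' | sort -u |
        while read -r iface; do
            case $pidfiles in
                *"suricata_${iface}"*".pid"*) ;;
                *) printf '%s\n' "$iface" ;;
            esac
        done
}
```

Run orphan_interfaces periodically (for example from cron) and alert on any output; an interface it prints is exactly the "shows stopped in the GUI but is actually running" condition.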
-
@bmeeks Ok, thank you.
-
@tchadrack said in Suricata - interface show the service as stopped after sometime.:
@bmeeks Ok, thank you.
I also recall, quite some time back (maybe around the time Suricata upstream was still in the 2.x or 3.x version branch), that sometimes the binary would not respond to the first "shutdown" command issued. It would sometimes take two cycles of issuing shutdown to the process to get Suricata to honor the request. Perhaps that is happening here again in this particular instance. The one thing you appear to have enabled that is not normally enabled by the majority of users is the stats collection option. That may figure in here.
I will try and replicate this in my test virtual machine environment. I don't normally test with stats collection enabled, so I need to specifically test with that option enabled.