Suricata IDS 1.4.6 BETA package update v0.3 released
-
@G.D.:
Ouch! That's going to be a tough one to fix. The whole premise of parsing the alert text is based on splitting the fields on the commas. I'll have to chew on that one.
Yes, that should be fixed from the other end.
RFC 4180, section 2.6: "Fields containing line breaks (CRLF), double quotes, and commas should be enclosed in double-quotes."
Agreed!
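The point of the RFC 4180 rule above is that splitting alert text on commas breaks as soon as a signature's msg contains one. The following is an added example, not code from the thread or the pfSense package: it writes constructed alert records with Python's csv module (which applies the section 2.6 quoting), reads them back with a real CSV parser, and shows the field-count error a naive comma split produces. The field names and sample values are assumptions for the demonstration.

```python
import csv
import io

FIELDS = ["timestamp", "sid", "priority", "msg", "src", "dst"]

# Constructed alert records (not taken from the thread). The second msg
# contains a comma and an embedded double quote, exactly the case that
# RFC 4180 section 2.6 says must be enclosed in double quotes.
ALERTS = [
    {"timestamp": "08/07/2014-12:38:23.000000", "sid": "2018537", "priority": "1",
     "msg": "ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow",
     "src": "198.51.100.7", "dst": "192.0.2.20"},
    {"timestamp": "08/07/2014-12:39:01.000000", "sid": "2011695", "priority": "1",
     "msg": 'ET WEB_CLIENT Possible IE Dynamic Object Tag, "URLMON" Sniffing',
     "src": "203.0.113.9", "dst": "192.0.2.21"},
]


def write_alerts_csv(records):
    """Serialize alert records as RFC 4180 CSV.

    QUOTE_MINIMAL quotes only fields that contain the delimiter, a double
    quote or a line break; embedded double quotes are doubled ("").
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def read_alerts_csv(text):
    """Parse with a real CSV reader, which honours the quoting on the way back in."""
    return list(csv.DictReader(io.StringIO(text)))


def naive_split(text):
    """The approach the thread describes: split every data line on commas.

    Returns the field count per record so the breakage is visible: a record
    whose msg contains a comma yields one field too many.
    """
    lines = text.splitlines()[1:]  # skip the header row
    return [len(line.split(",")) for line in lines]


if __name__ == "__main__":
    text = write_alerts_csv(ALERTS)
    print(text)
    print("naive field counts:", naive_split(text))
    print("round-trip ok:", read_alerts_csv(text) == ALERTS)
```

The same quoting is available on the PHP side with `fputcsv()` and `str_getcsv()`, so the fix belongs in whichever end writes the file, as the reply says.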
-
Has anyone tried this on 2.2 ALPHA yet? I keep getting emails from cron because it appears cron on 2.2 sends emails when there is output in a cronjob. I actually like that it does that on 2.2 for my own purposes but for Suricata I get an email every 5 minutes when it prunes the block list and also when the ids rules get updated…
Subject: Cron <root@pfsense> /usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
X-Cron-Env: <HOME=/var/log>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
0/0 addresses expired.

Subject: Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
X-Cron-Env: <HOME=/var/log>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
1% 2% 4% 5% 6% 7% 8% 9% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
-
Has anyone tried this on 2.2 ALPHA yet? I keep getting emails from cron because it appears cron on 2.2 sends emails when there is output in a cronjob. I actually like that it does that on 2.2 for my own purposes but for Suricata I get an email every 5 minutes when it prunes the block list and also when the ids rules get updated…
Subject: Cron <root@pfsense> /usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600
Hi Adam,
You could try to add "2>&1" to the Cron job and see if that fixes it?
/usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600 2>&1
If you have the Cron package, you can do that without going into the Shell to edit Cron.
However, if you make any changes to the Snort Interfaces, it could get reset by /usr/local/pkg/snort/snort.inc, which writes that line into cron.
-
Thanks for the response.
I added -q to the pfctl command to silence the output. That worked. The ids rules update I don't mind getting notified when they update so I am leaving that one.
*/5 * * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600
Hopefully he can add that to the next version.
EDIT:
However, if you make any changes to the Snort Interfaces, it could get reset by /usr/local/pkg/snort/snort.inc, which writes that line into cron.
Ah… I will need to edit snort.inc too. Thanks for that.
EDIT2:
I actually had to edit /usr/local/pkg/suricata/suricata.inc obviously.
-
Thanks for the response.
Ah… I will need to edit snort.inc too. Thanks for that.
Anytime!
-
Thanks for the response.
I added -q to the pfctl command to silence the output. That worked. The ids rules update I don't mind getting notified when they update so I am leaving that one.
*/5 * * * * root /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600
Hopefully he can add that to the next version.
EDIT:
However, if you make any changes to the Snort Interfaces, it could get reset by /usr/local/pkg/snort/snort.inc, which writes that line into cron.
Ah… I will need to edit snort.inc too. Thanks for that.
EDIT2:
I actually had to edit /usr/local/pkg/suricata/suricata.inc obviously.
I'll add this one to my TODO list of Suricata fixes. Thanks for the report.
Bill
-
@bill if you don't mind, add this to snort when you have time
-
Is anyone else having startup issues with more than 1 interface/sensor?
When I reboot my box or use Services to (re)start Suricata, they start but not fully… No alerting
When I manually start them, no issues and alerting starts within a few minutes.
Log from a reboot:
WAN
8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 12:37:43 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 12:37:43 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 12:37:43 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 12:37:43 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 12:37:43 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 12:37:43 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 12:37:43 - <info>-- IP reputation disabled
8/7/2014 -- 12:37:43 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 12:37:43 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 12:37:43 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
8/7/2014 -- 12:37:43 - <info>-- 17 signatures processed. 0 are IP-only rules, 13 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 12:37:43 - <info>-- Threshold config parsed: 0 rule(s) found
8/7/2014 -- 12:37:43 - <info>-- Core dump size is unlimited.
8/7/2014 -- 12:37:43 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 12:37:43 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 12:37:43 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 12:37:43 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 12:37:43 - <info>-- Using log dir /var/log/suricata/suricata_em339811
8/7/2014 -- 12:37:43 - <info>-- using normal logging
8/7/2014 -- 12:37:43 - <info>-- Using 1 live device(s).
8/7/2014 -- 12:37:43 - <info>-- using interface em3
8/7/2014 -- 12:37:43 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 12:37:43 - <info>-- Found an MTU of 1500 for 'em3'
8/7/2014 -- 12:37:43 - <info>-- Set snaplen to 1500 for 'em3'
8/7/2014 -- 12:37:43 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 12:37:43 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 12:37:43 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 12:37:43 - <info>-- stream "memcap": 33554432
8/7/2014 -- 12:37:43 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 12:37:43 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 12:37:43 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 12:37:43 - <info>-- stream."inline": disabled
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 12:38:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used

LAN
8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 12:37:45 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 12:37:45 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 12:37:45 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 12:37:45 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 12:37:45 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 12:37:45 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 12:37:45 - <info>-- IP reputation disabled
8/7/2014 -- 12:37:45 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 12:37:45 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 12:37:45 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 12:37:45 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:45 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/
8/7/2014 -- 12:37:45 - <info>-- 2 rule files processed. 11 rules successfully loaded, 0 rules failed
8/7/2014 -- 12:37:45 - <info>-- 11 signatures processed. 0 are IP-only rules, 7 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 12:37:45 - <info>-- Threshold config parsed: 8 rule(s) found
8/7/2014 -- 12:37:45 - <info>-- Core dump size is unlimited.
8/7/2014 -- 12:37:46 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 12:37:46 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 12:37:46 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 12:37:46 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 12:37:46 - <info>-- Using log dir /var/log/suricata/suricata_em239811
8/7/2014 -- 12:37:46 - <info>-- using normal logging
8/7/2014 -- 12:37:46 - <info>-- Using 1 live device(s).
8/7/2014 -- 12:37:46 - <info>-- using interface em2
8/7/2014 -- 12:37:46 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 12:37:46 - <info>-- Found an MTU of 1500 for 'em2'
8/7/2014 -- 12:37:46 - <info>-- Set snaplen to 1500 for 'em2'
8/7/2014 -- 12:37:46 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 12:37:46 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 12:37:46 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 12:37:46 - <info>-- stream "memcap": 33554432
8/7/2014 -- 12:37:46 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 12:37:46 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 12:37:46 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 12:37:46 - <info>-- stream."inline": disabled
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 12:37:46 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 12:40:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
Log from a manual start:
WAN
8/7/2014 -- 13:15:48 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 13:15:49 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 13:15:49 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 13:15:49 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 13:15:49 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 13:15:49 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 13:15:49 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 13:15:49 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 13:15:49 - <info>-- IP reputation disabled
8/7/2014 -- 13:15:49 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 13:15:49 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 13:15:49 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:15:49 - <info>-- Delayed detect disabled
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8277
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8452
8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:17:48 - <info>-- 14455 signatures processed. 23 are IP-only rules, 4574 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
8/7/2014 -- 13:17:48 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 13:17:54 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 13:18:40 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 13:18:47 - <info>-- Threshold config parsed: 0 rule(s) found
8/7/2014 -- 13:18:47 - <info>-- Core dump size is unlimited.
8/7/2014 -- 13:18:47 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:18:47 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 13:18:47 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 13:18:47 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 13:18:47 - <info>-- Using log dir /var/log/suricata/suricata_em339811
8/7/2014 -- 13:18:47 - <info>-- using normal logging
8/7/2014 -- 13:18:47 - <info>-- Using 1 live device(s).
8/7/2014 -- 13:18:47 - <info>-- using interface em3
8/7/2014 -- 13:18:47 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 13:18:47 - <info>-- Found an MTU of 1500 for 'em3'
8/7/2014 -- 13:18:47 - <info>-- Set snaplen to 1500 for 'em3'
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbb50
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbd48
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbf40
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec138
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec330
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec528
8/7/2014 -- 13:18:47 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 13:18:47 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 13:18:47 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 13:18:47 - <info>-- stream "memcap": 33554432
8/7/2014 -- 13:18:47 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 13:18:47 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 13:18:47 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 13:18:47 - <info>-- stream."inline": disabled
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 13:18:51 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used

LAN
8/7/2014 -- 13:20:47 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 13:20:48 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 13:20:48 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 13:20:48 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 13:20:48 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 13:20:48 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 13:20:48 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 13:20:48 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 13:20:48 - <info>-- IP reputation disabled
8/7/2014 -- 13:20:48 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 13:20:48 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 13:20:48 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:20:48 - <info>-- Delayed detect disabled
8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8280
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8455
8/7/2014 -- 13:21:28 - <info>-- 2 rule files processed. 14447 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:22:47 - <info>-- 14452 signatures processed. 23 are IP-only rules, 4571 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
8/7/2014 -- 13:22:47 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 13:22:52 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 13:23:32 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 13:23:39 - <info>-- Threshold config parsed: 8 rule(s) found
8/7/2014 -- 13:23:39 - <info>-- Core dump size is unlimited.
8/7/2014 -- 13:23:39 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:23:39 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 13:23:39 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 13:23:39 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 13:23:39 - <info>-- Using log dir /var/log/suricata/suricata_em239811
8/7/2014 -- 13:23:39 - <info>-- using normal logging
8/7/2014 -- 13:23:39 - <info>-- Using 1 live device(s).
8/7/2014 -- 13:23:39 - <info>-- using interface em2
8/7/2014 -- 13:23:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 13:23:39 - <info>-- Found an MTU of 1500 for 'em2'
8/7/2014 -- 13:23:39 - <info>-- Set snaplen to 1500 for 'em2'
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x4003346c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033664
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x4003385c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033a54
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033c4c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033e44
8/7/2014 -- 13:23:39 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 13:23:39 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 13:23:39 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 13:23:39 - <info>-- stream "memcap": 33554432
8/7/2014 -- 13:23:39 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 13:23:39 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 13:23:39 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 13:23:39 - <info>-- stream."inline": disabled
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 13:23:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 13:26:02 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
I also noticed it doesn't like IPv6 subnets in the passlist; I'm using the same list I currently use for snort.
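The two logs above show why "engine started" alone is a poor liveness signal: at boot the sensors reported SC_ERR_NO_RULES, a bogus one-line signature, and only 17 and 11 rules loaded, yet still announced the engine started, while the manual start loaded over 14,000 rules. The following is an added example, not part of the thread or the pfSense package: it parses startup log lines in the format quoted above, extracts the loaded/failed rule counts, the rule-loading errors and the skipped Pass List entries, and flags a start as unhealthy when the rule count is below an expected floor. The sample lines are constructed (documentation-prefix IPv6 addresses, copied message formats), and the `min_rules` floor is an assumption an operator would tune to their own rule set.

```python
import re
import ipaddress

# Log line shape as quoted in the thread:  8/7/2014 -- 12:37:43 - <info>-- message
LINE_RE = re.compile(
    r'^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)>\s*--\s*(?P<msg>.*)$')
RULES_RE = re.compile(r'(\d+) rules successfully loaded, (\d+) rules failed')
PASSLIST_RE = re.compile(r'Invalid IP\(([^)]+)\) parameter provided in Pass List')

# Constructed sample logs (not copied from a real sensor): a boot-time start that
# came up nearly empty, and a manual start that loaded the full rule set.
BOOT_LOG = """\
8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:db8::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:db8:1::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
"""

MANUAL_LOG = """\
8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
"""


def parse_log(text):
    """Return one dict per parseable line with date, time, level and msg."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess_startup(text, min_rules=1000):
    """Summarize a Suricata startup log and decide whether the sensor is usable.

    min_rules is an assumed floor: a start that loads fewer rules than this is
    treated as broken even if the engine reports it started.
    """
    report = {"rules_loaded": 0, "rules_failed": 0, "no_rules": False,
              "engine_started": False, "problems": [], "skipped_passlist": []}
    for e in parse_log(text):
        msg = e["msg"]
        if e["level"].lower() in ("error", "warning"):
            report["problems"].append(msg)
        if "SC_ERR_NO_RULES" in msg:
            report["no_rules"] = True
        m = RULES_RE.search(msg)
        if m:
            report["rules_loaded"] = int(m.group(1))
            report["rules_failed"] = int(m.group(2))
        m = PASSLIST_RE.search(msg)
        if m:
            # Record whether the rejected entry is at least a syntactically valid
            # network, to separate bad input from a parser that cannot handle IPv6.
            addr = m.group(1)
            try:
                ipaddress.ip_network(addr, strict=False)
                valid = True
            except ValueError:
                valid = False
            report["skipped_passlist"].append((addr, valid))
        if msg.endswith("engine started."):
            report["engine_started"] = True
    report["healthy"] = (report["engine_started"] and not report["no_rules"]
                         and report["rules_loaded"] >= min_rules)
    return report


if __name__ == "__main__":
    for name, log in (("boot", BOOT_LOG), ("manual", MANUAL_LOG)):
        r = assess_startup(log)
        print(name, "healthy" if r["healthy"] else "UNHEALTHY",
              r["rules_loaded"], "rules loaded,", len(r["problems"]), "problems")
```

Run against the real per-interface log after each (re)start, or from the cron job that prunes the block list, and raise an alert when `healthy` is false; the `skipped_passlist` entries being valid networks backs the observation that the pass-list rejection is on the engine side, not a typo in the list.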
-
Is anyone else having startup issues with more then 1 interface/sensor?
When I reboot my box or use Services to (re)start Suricata, they start but not fully… No alerting
When i manually start them, no issues and alerting starts within a few minuteslog from a reboot:
WAN
8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 12:37:43 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 12:37:43 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 12:37:43 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 12:37:43 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 12:37:43 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 12:37:43 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 12:37:43 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 12:37:43 - <info>-- IP reputation disabled
8/7/2014 -- 12:37:43 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 12:37:43 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 12:37:43 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
8/7/2014 -- 12:37:43 - <info>-- 17 signatures processed. 0 are IP-only rules, 13 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 12:37:43 - <info>-- Threshold config parsed: 0 rule(s) found
8/7/2014 -- 12:37:43 - <info>-- Core dump size is unlimited.
8/7/2014 -- 12:37:43 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 12:37:43 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 12:37:43 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 12:37:43 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 12:37:43 - <info>-- Using log dir /var/log/suricata/suricata_em339811
8/7/2014 -- 12:37:43 - <info>-- using normal logging
8/7/2014 -- 12:37:43 - <info>-- Using 1 live device(s).
8/7/2014 -- 12:37:43 - <info>-- using interface em3
8/7/2014 -- 12:37:43 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 12:37:43 - <info>-- Found an MTU of 1500 for 'em3'
8/7/2014 -- 12:37:43 - <info>-- Set snaplen to 1500 for 'em3'
8/7/2014 -- 12:37:43 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 12:37:43 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 12:37:43 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 12:37:43 - <info>-- stream "memcap": 33554432
8/7/2014 -- 12:37:43 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 12:37:43 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 12:37:43 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 12:37:43 - <info>-- stream."inline": disabled
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 12:38:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
LAN
8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 12:37:45 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 12:37:45 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 12:37:45 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 12:37:45 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 12:37:45 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 12:37:45 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 12:37:45 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 12:37:45 - <info>-- IP reputation disabled
8/7/2014 -- 12:37:45 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 12:37:45 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 12:37:45 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 12:37:45 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:45 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/
8/7/2014 -- 12:37:45 - <info>-- 2 rule files processed. 11 rules successfully loaded, 0 rules failed
8/7/2014 -- 12:37:45 - <info>-- 11 signatures processed. 0 are IP-only rules, 7 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 12:37:45 - <info>-- Threshold config parsed: 8 rule(s) found
8/7/2014 -- 12:37:45 - <info>-- Core dump size is unlimited.
8/7/2014 -- 12:37:46 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:46 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 12:37:46 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 12:37:46 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 12:37:46 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 12:37:46 - <info>-- Using log dir /var/log/suricata/suricata_em239811
8/7/2014 -- 12:37:46 - <info>-- using normal logging
8/7/2014 -- 12:37:46 - <info>-- Using 1 live device(s).
8/7/2014 -- 12:37:46 - <info>-- using interface em2
8/7/2014 -- 12:37:46 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 12:37:46 - <info>-- Found an MTU of 1500 for 'em2'
8/7/2014 -- 12:37:46 - <info>-- Set snaplen to 1500 for 'em2'
8/7/2014 -- 12:37:46 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 12:37:46 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 12:37:46 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 12:37:46 - <info>-- stream "memcap": 33554432
8/7/2014 -- 12:37:46 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 12:37:46 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 12:37:46 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 12:37:46 - <info>-- stream."inline": disabled
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 12:37:46 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 12:40:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
Log from a manual start:
WAN
8/7/2014 -- 13:15:48 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 13:15:49 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 13:15:49 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 13:15:49 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 13:15:49 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 13:15:49 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 13:15:49 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 13:15:49 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 13:15:49 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 13:15:49 - <info>-- IP reputation disabled
8/7/2014 -- 13:15:49 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 13:15:49 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 13:15:49 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:15:49 - <info>-- Delayed detect disabled
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8277
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8452
8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:17:48 - <info>-- 14455 signatures processed. 23 are IP-only rules, 4574 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
8/7/2014 -- 13:17:48 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 13:17:54 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 13:18:40 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 13:18:47 - <info>-- Threshold config parsed: 0 rule(s) found
8/7/2014 -- 13:18:47 - <info>-- Core dump size is unlimited.
8/7/2014 -- 13:18:47 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:18:47 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 13:18:47 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 13:18:47 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 13:18:47 - <info>-- Using log dir /var/log/suricata/suricata_em339811
8/7/2014 -- 13:18:47 - <info>-- using normal logging
8/7/2014 -- 13:18:47 - <info>-- Using 1 live device(s).
8/7/2014 -- 13:18:47 - <info>-- using interface em3
8/7/2014 -- 13:18:47 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 13:18:47 - <info>-- Found an MTU of 1500 for 'em3'
8/7/2014 -- 13:18:47 - <info>-- Set snaplen to 1500 for 'em3'
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbb50
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbd48
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbf40
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec138
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec330
8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec528
8/7/2014 -- 13:18:47 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 13:18:47 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 13:18:47 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 13:18:47 - <info>-- stream "memcap": 33554432
8/7/2014 -- 13:18:47 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 13:18:47 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 13:18:47 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 13:18:47 - <info>-- stream."inline": disabled
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 13:18:51 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
LAN
8/7/2014 -- 13:20:47 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 65535 defrag trackers of size 88
8/7/2014 -- 13:20:48 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
8/7/2014 -- 13:20:48 - <info>-- AutoFP mode using "Active Packets" flow load balancer
8/7/2014 -- 13:20:48 - <info>-- preallocated 1024 packets. Total memory 3135488
8/7/2014 -- 13:20:48 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 1000 hosts of size 60
8/7/2014 -- 13:20:48 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
8/7/2014 -- 13:20:48 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
8/7/2014 -- 13:20:48 - <info>-- preallocated 10000 flows of size 144
8/7/2014 -- 13:20:48 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
8/7/2014 -- 13:20:48 - <info>-- IP reputation disabled
8/7/2014 -- 13:20:48 - <info>-- Added "35" classification types from the classification file
8/7/2014 -- 13:20:48 - <info>-- Added "19" reference types from the reference.config file
8/7/2014 -- 13:20:48 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:20:48 - <info>-- Delayed detect disabled
8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8280
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8455
8/7/2014 -- 13:21:28 - <info>-- 2 rule files processed. 14447 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:22:47 - <info>-- 14452 signatures processed. 23 are IP-only rules, 4571 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
8/7/2014 -- 13:22:47 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
8/7/2014 -- 13:22:52 - <info>-- building signature grouping structure, stage 2: building source address list... complete
8/7/2014 -- 13:23:32 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
8/7/2014 -- 13:23:39 - <info>-- Threshold config parsed: 8 rule(s) found
8/7/2014 -- 13:23:39 - <info>-- Core dump size is unlimited.
8/7/2014 -- 13:23:39 - <info>-- alert-pf output device (regular) initialized: block.log
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:23:39 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on
8/7/2014 -- 13:23:39 - <info>-- fast output device (regular) initialized: alerts.log
8/7/2014 -- 13:23:39 - <info>-- http-log output device (regular) initialized: http.log
8/7/2014 -- 13:23:39 - <info>-- Using log dir /var/log/suricata/suricata_em239811
8/7/2014 -- 13:23:39 - <info>-- using normal logging
8/7/2014 -- 13:23:39 - <info>-- Using 1 live device(s).
8/7/2014 -- 13:23:39 - <info>-- using interface em2
8/7/2014 -- 13:23:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
8/7/2014 -- 13:23:39 - <info>-- Found an MTU of 1500 for 'em2'
8/7/2014 -- 13:23:39 - <info>-- Set snaplen to 1500 for 'em2'
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x4003346c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033664
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x4003385c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033a54
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033c4c
8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
8/7/2014 -- 13:23:39 - <info>-- returning 0x40033e44
8/7/2014 -- 13:23:39 - <info>-- RunModeIdsPcapAutoFp initialised
8/7/2014 -- 13:23:39 - <info>-- stream "max-sessions": 262144
8/7/2014 -- 13:23:39 - <info>-- stream "prealloc-sessions": 32768
8/7/2014 -- 13:23:39 - <info>-- stream "memcap": 33554432
8/7/2014 -- 13:23:39 - <info>-- stream "midstream" session pickups: disabled
8/7/2014 -- 13:23:39 - <info>-- stream "async-oneside": disabled
8/7/2014 -- 13:23:39 - <info>-- stream "checksum-validation": disabled
8/7/2014 -- 13:23:39 - <info>-- stream."inline": disabled
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "memcap": 67108864
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "depth": 0
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
8/7/2014 -- 13:23:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 13:26:02 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
I also noticed it doesn't like IPv6 subnets in the passlist; I'm using the same list I currently use for Snort.
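The startup logs above show the failure mode a monitor needs to catch: both starts end with "engine started", but the reboot start loaded 17 rules (with SC_ERR_NO_RULES) where the manual start loaded 14450. The following check is an added example, not code from this thread or from the pfSense Suricata package; it parses the log format shown above, extracts the rule counts, ERRCODEs and skipped Pass List entries, and flags a start that reports success with almost no rules. The sample lines are constructed from the figures quoted in the thread, and the expected minimum of 10000 rules is an assumed site-specific threshold.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Suricata's default log record, e.g. "8/7/2014 -- 12:37:43 - <info>-- message"
LINE_RE = re.compile(r"^\S+ -- \d\d:\d\d:\d\d - <(?P<level>\w+)>-- (?P<msg>.*)$")
RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
ERRCODE_RE = re.compile(r"\[ERRCODE: ([A-Z_]+)\(\d+\)\]")
PASSLIST_RE = re.compile(r"Invalid IP\(([^)]+)\) parameter provided in Pass List")


@dataclass
class StartupReport:
    rules_loaded: Optional[int] = None
    rules_failed: Optional[int] = None
    engine_started: bool = False
    error_codes: List[str] = field(default_factory=list)
    skipped_passlist: List[str] = field(default_factory=list)


def parse_startup(lines: Iterable[str]) -> StartupReport:
    """Collect the health-relevant facts from one interface's startup log."""
    rep = StartupReport()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Suricata record (blank line, "WAN"/"LAN" label, ...)
        msg = m.group("msg")
        r = RULES_RE.search(msg)
        if r:
            rep.rules_loaded, rep.rules_failed = int(r.group(1)), int(r.group(2))
        e = ERRCODE_RE.search(msg)
        if e:
            rep.error_codes.append(e.group(1))
        p = PASSLIST_RE.search(msg)
        if p:
            rep.skipped_passlist.append(p.group(1))
        if msg.endswith("engine started."):
            rep.engine_started = True
    return rep


def problems(rep: StartupReport, expected_min_rules: int) -> List[str]:
    """Findings a monitor should raise; 'engine started' alone is not health."""
    out: List[str] = []
    if not rep.engine_started:
        out.append("engine never reported started")
    if rep.rules_loaded is None:
        out.append("no rule-count line found")
    elif rep.rules_loaded < expected_min_rules:
        out.append(f"only {rep.rules_loaded} rules loaded (expected >= {expected_min_rules})")
    if "SC_ERR_NO_RULES" in rep.error_codes:
        out.append("a rules path loaded zero rules")
    if rep.skipped_passlist:
        out.append("pass list entries skipped: " + ", ".join(rep.skipped_passlist))
    return out


# Constructed samples, abridged from the lines quoted in the thread.
REBOOT_LOG = """\
WAN
8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
""".splitlines()

MANUAL_LOG = """\
8/7/2014 -- 13:15:49 - <info>-- Delayed detect disabled
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\\object.data).+file\\x3A\\x2F\\x2F127\\x2E[0-9]/si"" failed at offset 11: missing opening brace after \\o
8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
""".splitlines()

if __name__ == "__main__":
    for name, log in (("reboot", REBOOT_LOG), ("manual start", MANUAL_LOG)):
        rep = parse_startup(log)
        print(f"{name}: {rep.rules_loaded} rules loaded, errors={rep.error_codes}")
        for finding in problems(rep, expected_min_rules=10000):
            print("  !", finding)
```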
Not sure about why you have a problem with a reboot restart versus a manual restart. I have not noticed that in my earlier testing. Will look at it again, though. As for the IPv6 issue in a Pass List, that has been reported by another user. I will check on that for the next update.
Bill
-
Thanks Bill!! I've made a ton of adjustments to what rules are enabled/disabled. I'm wondering if the generation of the ruleset is the issue. A restart doesn't seem to load all the rules.
Thanks again for all your help with this package!
Stephen
-
Noticed something else this morning: the cron job that removes IPs from snort2c seems to disappear after a reboot. I have to go into the global tab and save it so the job is recreated.
EDIT: Never mind… It's not because of a reboot... When I make changes to Snort, it removes the cron job because I deactivated blocking in Snort.
-
Noticed something else this morning: the cron job that removes IPs from snort2c seems to disappear after a reboot. I have to go into the global tab and save it so the job is recreated.
EDIT: Never mind… It's not because of a reboot... When I make changes to Snort, it removes the cron job because I deactivated blocking in Snort.
You can have lots of weird issues if you run both Snort and Suricata in blocking mode because for the moment they share the same pf table (the snort2c table).
Bill