Suricata not working!
-
All of those "SC_ERR_INVALID_SIGNATURE" errors are just Suricata complaining about keywords and rule options in Snort VRT rules that Suricata cannot interpret. This is expected when using the Snort VRT rules package with Suricata. Those errors are harmless in that they do not prevent Suricata from starting up; however, they do mean those particular rules are not getting loaded and thus are never being used to inspect traffic. So from that point of view the network security is reduced.
I'm still confused by the title of your thread. It says "SNORT" but your logs are all Suricata. Which package are you really running? I assume Suricata ??? If so, then post the end of the Suricata log (you can skip all the rule parsing errors and just post the stuff after that).
Bill
-
Sorry, it was a rough day. I've modified the title of my post. I realized now what I have written there. I know those errors are not related to my problem, but I thought someone could find something useful there. I'm now on 2.2.6 again and I've abandoned all hope on 2.3. For the moment. I must set up a test rig to check the potential of 2.3. Thank you for your reply.
-
Hey we all have rough days, but just remember that Bill maintains the Snort and Suricata packages on his own time, and everyone here benefits from it… It would be really great if more people participated in the testing/development phase, instead of waiting on a final polished version. Also keep in mind that you will see new Snort/Suricata package features in pfSense 2.3 that might never get ported back to 2.2. Some food for thought...
-
There are a handful of known issues in the current Suricata GUI package for pfSense 2.3. I have all of those but one fixed in the code version I'm working on. That last remaining issue is to make the rules update download process a little more user-friendly by providing some visual feedback of progress. I've said this in other posts, but internal changes in pfSense as a result of the Bootstrap migration made some of the system API calls I was using to show rules download progress no longer function the same. I'm trying to come up with a viable workaround.
I would be interested in learning more about your specific problem if you can take the time to try 2.3 again in the near future.
Bill
-
This is my first post. 8) I just installed a fresh installation of pfSense 2.3 as a VM on ESXi 6. All services run except Suricata. I turn on Suricata and in 30 sec it switches back off automatically. I've reinstalled it several times, and I didn't have this issue with any previous version.
-
You will need to post some log data. Post the suricata.log file from the interface where Suricata runs (it will be in /var/log/suricata/xxx, where xxx is the interface combined with a GUID). Also post any relevant messages, if any, from the pfSense system log from around the time of the crash.
Bill
-
There wasn't anything Suricata related in the system log that was odd. I will note I have OpenVPN set up for PIA VPN, not sure if that could cause an issue.
14/4/2016 -- 20:11:55 - <notice> -- This is Suricata version 3.0 RELEASE
14/4/2016 -- 20:11:55 - <info> -- CPUs/cores online: 12
14/4/2016 -- 20:11:55 - <info> -- Adding interface em0 from config file
14/4/2016 -- 20:11:55 - <info> -- Adding interface em0+ from config file
14/4/2016 -- 20:11:55 - <info> -- Netmap: Setting IPS mode
14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
14/4/2016 -- 20:11:55 - <info> -- HTTP memcap: 67108864
14/4/2016 -- 20:11:55 - <info> -- DNS request flood protection level: 500
14/4/2016 -- 20:11:55 - <info> -- DNS per flow memcap (state-memcap): 524288
14/4/2016 -- 20:11:55 - <info> -- DNS global memcap: 16777216
14/4/2016 -- 20:11:55 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
14/4/2016 -- 20:11:55 - <info> -- preallocated 65535 defrag trackers of size 136
14/4/2016 -- 20:11:55 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
14/4/2016 -- 20:11:55 - <info> -- AutoFP mode using "Active Packets" flow load balancer
14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 hosts of size 104
14/4/2016 -- 20:11:55 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
14/4/2016 -- 20:11:55 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 10000 flows of size 256
14/4/2016 -- 20:11:55 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
14/4/2016 -- 20:11:55 - <info> -- stream "prealloc-sessions": 32768 (per thread)
14/4/2016 -- 20:11:55 - <info> -- stream "memcap": 67108864
14/4/2016 -- 20:11:55 - <info> -- stream "midstream" session pickups: disabled
14/4/2016 -- 20:11:55 - <info> -- stream "async-oneside": disabled
14/4/2016 -- 20:11:55 - <info> -- stream "checksum-validation": disabled
14/4/2016 -- 20:11:55 - <info> -- stream."inline": enabled
14/4/2016 -- 20:11:55 - <info> -- stream "max-synack-queued": 5
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "memcap": 67108864
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "depth": 0
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toserver-chunk-size": 2448
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toclient-chunk-size": 2673
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly.raw: enabled
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 4, prealloc 256
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 16, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 112, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 248, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 512, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 768, prealloc 1024
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 1448, prealloc 1024
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 65535, prealloc 128
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "chunk-prealloc": 250
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "zero-copy-size": 128
14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 ippairs of size 104
14/4/2016 -- 20:11:55 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
14/4/2016 -- 20:11:55 - <info> -- using magic-file /usr/share/misc/magic
14/4/2016 -- 20:11:55 - <info> -- Delayed detect disabled
14/4/2016 -- 20:11:55 - <info> -- IP reputation disabled
14/4/2016 -- 20:11:55 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/suricata.rules
14/4/2016 -- 20:12:21 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/flowbit-required.rules
14/4/2016 -- 20:12:21 - <info> -- 2 rule files processed. 17472 rules successfully loaded, 0 rules failed
14/4/2016 -- 20:12:22 - <info> -- 17478 signatures processed. 1059 are IP-only rules, 5082 are inspecting packet payload, 13517 inspect application layer, 76 are decoder event only
14/4/2016 -- 20:12:22 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
14/4/2016 -- 20:12:23 - <info> -- building signature grouping structure, stage 2: building source address list... complete
14/4/2016 -- 20:12:44 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
14/4/2016 -- 20:12:49 - <info> -- Threshold config parsed: 0 rule(s) found
14/4/2016 -- 20:12:50 - <info> -- Core dump size is unlimited.
14/4/2016 -- 20:12:50 - <info> -- fast output device (regular) initialized: alerts.log
14/4/2016 -- 20:12:50 - <info> -- http-log output device (regular) initialized: http.log
14/4/2016 -- 20:12:50 - <info> -- Syslog output initialized
14/4/2016 -- 20:12:50 - <info> -- Using 2 live device(s).
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0
14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0->em0+
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0+
14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0+->em0
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <info> -- RunModeIdsNetmapAutoFp initialised
14/4/2016 -- 20:12:50 - <info> -- using 1 flow manager threads
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <info> -- using 1 flow recycler threads
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
-
Increase stream memory cap and try :)
-
Thank you!!! That worked! 8)
It's hard to tell how much I need, but I just increased it from 64MB to 128MB.
For those looking to find the setting in version 2.3, it's: Services > Suricata > Interfaces > Pencil Edit Icon under Actions > LAN Flow/Stream > Stream Memory Cap
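The startup log posted earlier in this thread and the Stream Memory Cap fix above are the two things a reader would want to recognise automatically the next time Suricata dies within 30 seconds of starting. The script below is an added example, not code from the thread, from Bill's pfSense package or from the Suricata project. It parses suricata.log lines in the exact format shown in the thread, separates the harmless SC_ERR_INVALID_SIGNATURE errors (rules that simply did not load, as explained at the top of the thread) from the SC_ERR_POOL_INIT errors that appear right after the stream engine reports its memcap, and flags the fatal SC_ERR_INITIALIZATION abort. The sample log is a trimmed, constructed copy of the posted one plus one constructed SC_ERR_INVALID_SIGNATURE line; the "double the stream memcap" suggestion mirrors the 64MB to 128MB change that worked in this thread and is a heuristic, not a Suricata sizing formula.

```python
import re
from collections import Counter

# Constructed sample: a trimmed version of the startup log posted in this thread,
# plus one constructed SC_ERR_INVALID_SIGNATURE line of the kind Bill describes.
SAMPLE_LOG = """\
14/4/2016 -- 20:11:55 - <notice> -- This is Suricata version 3.0 RELEASE
14/4/2016 -- 20:11:55 - <info> -- CPUs/cores online: 12
14/4/2016 -- 20:11:55 - <info> -- stream "prealloc-sessions": 32768 (per thread)
14/4/2016 -- 20:11:55 - <info> -- stream "memcap": 67108864
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "memcap": 67108864
14/4/2016 -- 20:11:55 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature from file /usr/local/etc/suricata/CONSTRUCTED_IFACE/rules/suricata.rules at line 1
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0+
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

# One suricata.log entry: "<d/m/yyyy> -- <hh:mm:ss> - <level> -- <message>"
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - '
    r'<(?P<level>\w+)> -- (?P<msg>.*)$'
)
# Error entries carry "[ERRCODE: NAME(number)] - detail"
ERRCODE_RE = re.compile(r'^\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<detail>.*)$')
STREAM_MEMCAP_RE = re.compile(r'^stream "memcap": (\d+)$')
PREALLOC_RE = re.compile(r'^stream "prealloc-sessions": (\d+) \(per thread\)$')
THREADS_RE = re.compile(r'^Using (\d+) threads for interface (\S+)$')


def parse_log(text):
    """Return one dict per recognised log entry; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        err = ERRCODE_RE.match(entry["msg"])
        entry["code"] = err.group("code") if err else None
        entry["detail"] = err.group("detail") if err else entry["msg"]
        entries.append(entry)
    return entries


def triage(text):
    """Summarise a startup log: stream settings, error counts, and plain-language findings."""
    entries = parse_log(text)
    errors = Counter(e["code"] for e in entries if e["code"])
    stream_memcap = prealloc = None
    threads = {}
    for e in entries:
        m = STREAM_MEMCAP_RE.match(e["msg"])
        if m:
            stream_memcap = int(m.group(1))
        m = PREALLOC_RE.match(e["msg"])
        if m:
            prealloc = int(m.group(1))
        m = THREADS_RE.match(e["msg"])
        if m:
            threads[m.group(2)] = int(m.group(1))

    findings = []
    if errors["SC_ERR_INVALID_SIGNATURE"]:
        findings.append("%d rule(s) failed to parse (SC_ERR_INVALID_SIGNATURE): non-fatal, "
                        "but those rules never inspect traffic" % errors["SC_ERR_INVALID_SIGNATURE"])
    suggested = None
    if errors["SC_ERR_POOL_INIT"]:
        # Heuristic from this thread: the pool errors went away after doubling the stream memcap.
        suggested = stream_memcap * 2 if stream_memcap else None
        findings.append("pool preallocation failed (SC_ERR_POOL_INIT) with stream memcap %s and "
                        "%s prealloc-sessions per thread across %d detect thread(s); try raising "
                        "Stream Memory Cap (thread fix: 64MB -> 128MB)"
                        % (stream_memcap, prealloc, sum(threads.values())))
    fatal = errors["SC_ERR_INITIALIZATION"] > 0
    if fatal:
        findings.append("engine aborted during initialization (SC_ERR_INITIALIZATION): "
                        "Suricata will stop shortly after starting")
    return {
        "stream_memcap": stream_memcap,
        "prealloc_sessions": prealloc,
        "detect_threads": sum(threads.values()),
        "errors": errors,
        "fatal": fatal,
        "suggested_stream_memcap": suggested,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for line in report["findings"]:
        print("-", line)
```

To use it on a live box, read /var/log/suricata/<interface_GUID>/suricata.log (the path Bill gives above) into `triage()` instead of `SAMPLE_LOG`; the first two findings tell you whether the failure is just unloaded rules or an actual memcap problem before you start toggling settings.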
-
Darn it! I thought I had the Stream Memory Cap default set large enough, but apparently not true in all situations.
Bill