Suricata - prefix or user NULL
-
Hi all,
Today, for some reason suricata stopped.
I tried to find my latest changes in the suppress list, and even after deleting all of them it's the same. suricata.log looks like this:
30/3/2017 -- 15:02:19 - <notice>-- This is Suricata version 3.1.2 RELEASE
30/3/2017 -- 15:02:19 - <info>-- CPUs/cores online: 8
30/3/2017 -- 15:02:19 - <info>-- HTTP memcap: 67108864
30/3/2017 -- 15:02:19 - <notice>-- using flow hash instead of active packets
30/3/2017 -- 15:02:38 - <info>-- 2 rule files processed. 19613 rules successfully loaded, 0 rules failed
30/3/2017 -- 15:02:38 - <info>-- 19619 signatures processed. 1289 are IP-only rules, 5983 are inspecting packet payload, 14662 inspect application layer, 101 are decoder event only
30/3/2017 -- 15:02:45 - <info>-- Threshold config parsed: 0 rule(s) found
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface em0 IPv6 address fe80:0000:0000:0000:021b:21ff:fe98:42b7 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface igb1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:9e79 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface igb1 IPv4 address 10.20.30.1 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:9e7a to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv4 address 192.168.100.1 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface pppoe0 IPv6 address fe80:0000:0000:0000:0000:0000:bc1a:db37 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface pppoe0 IPv4 address 188.26.219.55 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:021b:21ff:fe98:42b7 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface ovpns1 IPv4 address 10.20.30.1 to automatic interface IP Pass List.
30/3/2017 -- 15:02:45 - <info>-- alert-pf output device (regular) initialized: block.log
30/3/2017 -- 15:02:45 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENTS(52)] - prefix or user NULL
Any clues on this?
-
I reinstalled the pkg and now, after reloading all rules, I got a different issue:
31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 27527
31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 28480
31/3/2017 -- 08:50:27 - <info>-- 1 rule files processed. 28653 rules successfully loaded, 35 rules failed
31/3/2017 -- 08:50:28 - <info>-- 28659 signatures processed. 1278 are IP-only rules, 8453 are inspecting packet payload, 21468 inspect application layer, 101 are decoder event only
31/3/2017 -- 08:50:38 - <info>-- Threshold config parsed: 0 rule(s) found
31/3/2017 -- 08:50:38 - <info>-- fast output device (regular) initialized: alerts.log
31/3/2017 -- 08:50:38 - <info>-- http-log output device (regular) initialized: http.log
31/3/2017 -- 08:50:38 - <info>-- Syslog output initialized
31/3/2017 -- 08:50:38 - <info>-- Using 1 live device(s).
31/3/2017 -- 08:50:38 - <info>-- using interface pppoe0
31/3/2017 -- 08:50:38 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
31/3/2017 -- 08:50:38 - <info>-- Found an MTU of 1492 for 'pppoe0'
31/3/2017 -- 08:50:38 - <info>-- Set snaplen to 1516 for 'pppoe0'
31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
-
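Reading a suricata.log like the one above by hand is error-prone: the reason for a rule failure is logged on one line and the offending signature (with its sid, file and line number) on the next, and the startup-fatal pool errors sit far below the rule noise. The following script is an added example, not code from the thread or from the Suricata project; it triages a Suricata 3.x log by ERRCODE, pairs each "error parsing signature" line with the reason logged just before it, extracts the rule summary counts, and flags SC_ERR_POOL_INIT as the memcap problem the thread ended up fixing. The embedded SAMPLE_LOG is constructed from the posted log with the long rule bodies abridged; the regexes, function names and the memcap hint text are this example's own assumptions.

```python
"""Triage a Suricata 3.x suricata.log (added example, not from the thread).

Groups <error> lines by ERRCODE, pairs every "error parsing signature" line
with the reason Suricata logged immediately before it, pulls the rule summary
counts, and flags SC_ERR_POOL_INIT, which this thread resolved by raising the
flow and stream memcaps.
"""
import re
from collections import Counter

# Suricata 3.x line shape: "D/M/YYYY -- HH:MM:SS - <level>-- message".
# Some extractions turn the "--" after the date into an en dash; accept both.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?:--|\u2013) (?P<time>\d\d:\d\d:\d\d) - "
    r"<(?P<level>\w+)>-- (?P<msg>.*)$"
)
ERR_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
SIG_RE = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$'
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
STATS_RE = re.compile(
    r"(?P<files>\d+) rule files processed\. (?P<loaded>\d+) rules successfully loaded, "
    r"(?P<failed>\d+) rules failed"
)

# Constructed from the second post's log; rule bodies abridged, sids/lines kept.
SAMPLE_LOG = """\
31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; content:"UIET9fWR"; fast_pattern:only; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 27527
31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?.jsf/R"; sid:20159; rev:8;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 28480
31/3/2017 -- 08:50:27 - <info>-- 1 rule files processed. 28653 rules successfully loaded, 35 rules failed
31/3/2017 -- 08:50:38 - <info>-- Set snaplen to 1516 for 'pppoe0'
31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
"""


def parse_line(line):
    """Return (level, message) for a Suricata log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return (m.group("level"), m.group("msg")) if m else None


def triage(log_text):
    """Summarise errors, failed signatures and rule counts from a suricata.log."""
    errors = Counter()        # ERRCODE name -> number of occurrences
    failed = []               # one dict per signature that failed to parse
    stats = None              # (files, loaded, failed) from the rule summary line
    pending_reason = None     # reason line that precedes an "error parsing signature"
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        level, msg = parsed
        s = STATS_RE.search(msg)
        if s:
            stats = tuple(int(s.group(k)) for k in ("files", "loaded", "failed"))
            continue
        if level != "error":
            continue
        e = ERR_RE.search(msg)
        if not e:
            continue
        errors[e.group("code")] += 1
        sig = SIG_RE.match(e.group("detail"))
        if sig:
            sid = SID_RE.search(sig.group("rule"))
            failed.append({
                "sid": int(sid.group(1)) if sid else None,
                "file": sig.group("file"),
                "line": int(sig.group("line")),
                "reason": pending_reason,
            })
            pending_reason = None
        else:
            pending_reason = e.group("detail")
    hints = []
    if "SC_ERR_POOL_INIT" in errors:
        # Assumed remediation, taken from how this thread was resolved.
        hints.append("pool alloc failure at startup: raise flow.memcap and stream.memcap in suricata.yaml")
    return {"errors": errors, "failed_signatures": failed, "rule_stats": stats, "hints": hints}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, n in result["errors"].most_common():
        print(f"{n:4d}  {code}")
    for f in result["failed_signatures"]:
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {f['reason']}")
    print("rule stats (files, loaded, failed):", result["rule_stats"])
    for h in result["hints"]:
        print("hint:", h)
```

Run it against a real log with `triage(open("/var/log/suricata/suricata.log").read())` (path assumed; pfSense keeps per-interface logs under the suricata_*_iface directories shown in the post). Rule failures under SC_ERR_INVALID_SIGNATURE are cosmetic, in that Suricata skips those rules and keeps loading, whereas SC_ERR_POOL_INIT at startup means the engine never comes up, so the hint line is the one to act on first.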
Can be closed.
Problem was solved by increasing the Flow Memory Cap and Stream Memory Cap to 128MB.