Netgate Discussion Forum

Multiple problems with Suricata service - (instability and crashes)

pfSense Packages
11 Posts 3 Posters 3.6k Views

    Trel, Jul 14, 2014, 1:24 PM (last edited Jul 24, 2014, 1:23 PM)

    I have Suricata enabled for two interfaces, WAN and LAN (which is a bridge of LAN1 and LAN2, which are two ports on an Intel 4-port 10/100/1000 card).

    • When I click the icon to stop Suricata on an interface, the page reloads, but nothing was stopped.
      (At this point, the only way I can get that to function again is to stop the service from Status->Services.)
    • Many times when I check, the LAN interface will show as not running, and I have to start it again.
      Trel, Jul 17, 2014, 2:29 PM

      So far the issue with LAN monitoring spontaneously disabling itself only seems to happen when I have Suricata running on LAN and WAN at the same time.
      I disabled it on WAN and I haven't seen this occur yet.

      The other issue still applies.

        BBcan177 (Moderator), Jul 17, 2014, 2:34 PM (last edited Jul 17, 2014, 2:46 PM)

        When you click on the stop icon, it will take some time to stop, just let it be and click "refresh" until it stops by itself.

        Run this command at the CLI to make sure that you have only one Suricata process running per interface. When it stops, it should not report any PIDs.

        pgrep suricata

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

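To go one step beyond the single `pgrep` above, here is an added example (not from the thread and not part of the pfSense package) that reconciles what `ps` shows against the per-interface PID files: it groups Suricata processes by the interface passed with `-i`, flags any interface with more than one instance, and flags a PID file whose recorded PID is not a running Suricata process, which is the state in which a stop action that signals the recorded PID has nothing to kill. The `ps -axww` output, the PID-file paths and their contents are constructed for the example; the command-line shape (`-i <iface> ... --pidfile <file>`) and the `/var/run/suricata_*.pid` naming are assumptions about how the package launches Suricata.

```python
import glob
import shlex
import subprocess
from collections import defaultdict

# Constructed sample of `ps -axww` output (not taken from the thread). The
# duplicate bridge0 instance, the PIDs and the paths are made up; the
# argument shape (-i <iface> ... --pidfile <file>) is an assumption.
SAMPLE_PS = """\
  PID TT  STAT    TIME COMMAND
 1234 ??  Ss   0:02.10 /usr/local/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml --pidfile /var/run/suricata_bridge032366.pid
 1300 ??  Ss   0:01.05 /usr/local/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml --pidfile /var/run/suricata_bridge032366.pid
 1401 ??  Ss   0:03.44 /usr/local/bin/suricata -i em0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_12345_em0/suricata.yaml --pidfile /var/run/suricata_em012345.pid
 2002 ??  S    0:00.00 grep suricata
"""

# Constructed PID-file contents keyed by path. The em0 file records a PID
# that is not running, i.e. a stale PID file.
SAMPLE_PIDFILES = {
    "/var/run/suricata_bridge032366.pid": "1234\n",
    "/var/run/suricata_em012345.pid": "9999\n",
}


def parse_ps(text):
    """Return one {'pid', 'iface', 'pidfile'} dict per real suricata process.

    Lines whose first field is not a PID (the header) and commands whose
    argv[0] is not `suricata` (the grep, the sh -c wrapper) are skipped.
    """
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, cmd = int(parts[0]), parts[4]
        argv = shlex.split(cmd)
        if not argv or argv[0].rsplit("/", 1)[-1] != "suricata":
            continue
        opts = {}
        for i, arg in enumerate(argv):
            if arg in ("-i", "--pidfile") and i + 1 < len(argv):
                opts[arg] = argv[i + 1]
        procs.append({"pid": pid, "iface": opts.get("-i"), "pidfile": opts.get("--pidfile")})
    return procs


def procs_by_iface(procs):
    """Map interface name -> list of PIDs in the order ps listed them."""
    by_iface = defaultdict(list)
    for proc in procs:
        by_iface[proc["iface"]].append(proc["pid"])
    return dict(by_iface)


def duplicate_interfaces(by_iface):
    """Interfaces that have more than one Suricata instance attached."""
    return sorted(iface for iface, pids in by_iface.items() if len(pids) > 1)


def stale_pidfiles(procs, pidfile_contents):
    """PID files whose recorded PID is empty, unparsable, or not a running suricata."""
    running = {proc["pid"] for proc in procs}
    stale = []
    for path, content in pidfile_contents.items():
        try:
            recorded = int(content.strip())
        except ValueError:
            stale.append(path)
            continue
        if recorded not in running:
            stale.append(path)
    return sorted(stale)


def report(procs, pidfile_contents):
    by_iface = procs_by_iface(procs)
    return {
        "by_iface": by_iface,
        "duplicates": duplicate_interfaces(by_iface),
        "stale_pidfiles": stale_pidfiles(procs, pidfile_contents),
    }


if __name__ == "__main__":
    # Live run on the firewall itself: read ps and every PID file the package
    # is assumed to keep under /var/run (naming is an assumption).
    ps_out = subprocess.run(["ps", "-axww"], capture_output=True, text=True, check=True).stdout
    pidfiles = {}
    for path in glob.glob("/var/run/suricata_*.pid"):
        try:
            with open(path) as fh:
                pidfiles[path] = fh.read()
        except OSError:
            pidfiles[path] = ""
    print(report(parse_ps(ps_out), pidfiles))
```

An interface listed under `duplicates` means two engines are capturing the same traffic; a path listed under `stale_pidfiles` means the GUI's idea of the process and the kernel's disagree, and the instance has to be stopped by its real PID rather than through the page.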
          Trel, Jul 18, 2014, 1:33 PM

          Ok, it stopped on its own somewhere between 11:24pm (last detection) yesterday and 9am today with no interaction from me.

          This time it was running on the LAN interface only.

          And

          $ pgrep suricata

          as well as

          $ ps -ax |grep suricata
          10944  ??  S      0:00.00 sh -c ps -ax |grep suricata 2>&1
          11194  ??  S      0:00.00 grep suricata

          Here's what I was able to pull remotely from the UI for suricata.log

          
          18/7/2014 -- 06:48:36 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
          18/7/2014 -- 06:48:37 - <info>-- preallocated 65535 defrag trackers of size 88
          18/7/2014 -- 06:48:37 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
          18/7/2014 -- 06:48:37 - <info>-- AutoFP mode using "Active Packets" flow load balancer
          18/7/2014 -- 06:48:37 - <info>-- preallocated 1024 packets. Total memory 3135488
          18/7/2014 -- 06:48:37 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
          18/7/2014 -- 06:48:37 - <info>-- preallocated 1000 hosts of size 60
          18/7/2014 -- 06:48:37 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
          18/7/2014 -- 06:48:37 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
          18/7/2014 -- 06:48:37 - <info>-- preallocated 10000 flows of size 144
          18/7/2014 -- 06:48:37 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
          18/7/2014 -- 06:48:37 - <info>-- IP reputation disabled
          18/7/2014 -- 06:48:37 - <info>-- Added "35" classification types from the classification file
          18/7/2014 -- 06:48:37 - <info>-- Added "19" reference types from the reference.config file
          18/7/2014 -- 06:48:37 - <info>-- using magic-file /usr/share/misc/magic
          18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
          18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
          18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
          18/7/2014 -- 06:49:30 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
          18/7/2014 -- 06:49:30 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
          18/7/2014 -- 06:49:32 - <info>-- building signature grouping structure, stage 2: building source address list... complete
          18/7/2014 -- 06:49:49 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
          18/7/2014 -- 06:49:55 - <info>-- Threshold config parsed: 2 rule(s) found
          18/7/2014 -- 06:49:55 - <info>-- Core dump size is unlimited.
          18/7/2014 -- 06:49:55 - <info>-- fast output device (regular) initialized: alerts.log
          18/7/2014 -- 06:49:55 - <info>-- Using 1 live device(s).
          18/7/2014 -- 06:49:55 - <info>-- using interface bridge0
          18/7/2014 -- 06:49:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
          18/7/2014 -- 06:49:55 - <info>-- Found an MTU of 1500 for 'bridge0'
          18/7/2014 -- 06:49:55 - <info>-- Set snaplen to 1500 for 'bridge0'
          18/7/2014 -- 06:49:55 - <info>-- RunModeIdsPcapAutoFp initialised
          18/7/2014 -- 06:49:55 - <info>-- stream "max-sessions": 262144
          18/7/2014 -- 06:49:55 - <info>-- stream "prealloc-sessions": 32768
          18/7/2014 -- 06:49:55 - <info>-- stream "memcap": 33554432
          18/7/2014 -- 06:49:55 - <info>-- stream "midstream" session pickups: disabled
          18/7/2014 -- 06:49:55 - <info>-- stream "async-oneside": disabled
          18/7/2014 -- 06:49:55 - <info>-- stream "checksum-validation": disabled
          18/7/2014 -- 06:49:55 - <info>-- stream."inline": disabled
          18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "memcap": 67108864
          18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "depth": 0
          18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
          18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
          18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
          18/7/2014 -- 06:49:55 - <info>-- Signal Received.  Stopping engine.
          18/7/2014 -- 06:49:55 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
          18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
          18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Packets 0, bytes 0
          18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Pcap Total:5 Recv:5 Drop:0 (0.0%).
          18/7/2014 -- 06:49:55 - <info>-- AutoFP - Total flow handler queues - 1
          18/7/2014 -- 06:49:55 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
          18/7/2014 -- 06:49:55 - <info>-- Stream TCP processed 0 TCP packets
          18/7/2014 -- 06:49:55 - <info>-- Fast log output wrote 0 alerts
          18/7/2014 -- 06:49:55 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
          18/7/2014 -- 06:49:56 - <info>-- cleaning up signature grouping structure... complete
          18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
          
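The log above shows ten SC_ERR_INVALID_SIGNATURE failures at rule load, then "engine started", then "Signal Received. Stopping engine." and "Child died unexpectedly" within two seconds. The rule failures are load-time skips rather than the cause of the exit: the engine came up after them with 15137 rules loaded. The following added example (not part of the thread and not Suricata's own code) parses suricata.log lines in this format, pairs each failed signature with the reason logged on the line before it, pulls out the SID and rules-file line number, and separates a clean signal stop from a start-then-die sequence. The sample log lines are constructed in the same format; the two signatures in them are made up and are not the rules from the thread.

```python
import re
from collections import Counter

# Constructed sample of suricata.log lines in the format the thread shows.
# The two signatures are invented to trigger the same two parser errors the
# thread's log reports; they are not the thread's rules.
SAMPLE_LOG = """\
18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE dsize plus http_uri"; flow:to_server,established; dsize:142; content:"/u5.htm"; http_uri; sid:1000001; rev:1;)" from file /tmp/example.rules at line 12
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE relative after fast_pattern only"; content:"abc"; fast_pattern:only; content:"def"; distance:0; sid:1000002; rev:1;)" from file /tmp/example.rules at line 20
18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 2 rules failed
18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
18/7/2014 -- 06:49:55 - <info>-- Signal Received.  Stopping engine.
18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
"""

LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)>-- (?P<msg>.*)$")
ERR_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SIG_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:(\d+);")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
ELAPSED_RE = re.compile(r"time elapsed ([0-9.]+)s")


def summarize(lines):
    """Walk the log once and collect rule-load failures plus the engine's lifecycle."""
    summary = {
        "failed_signatures": [],   # {'sid', 'file', 'line', 'reason'} per skipped rule
        "rules_loaded": None,
        "rules_failed": None,
        "engine_started": False,
        "stopped_by_signal": False,
        "child_died": False,
        "elapsed_seconds": None,
    }
    pending_reason = None          # Suricata logs the reason first, the rule second
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "error":
            e = ERR_RE.match(msg)
            code = e.group("code") if e else "UNKNOWN"
            text = e.group("text") if e else msg
            sig = SIG_RE.match(text)
            if sig:
                sid = SID_RE.search(sig.group("rule"))
                summary["failed_signatures"].append({
                    "sid": int(sid.group(1)) if sid else None,
                    "file": sig.group("file"),
                    "line": int(sig.group("line")),
                    "reason": pending_reason or code,
                })
                pending_reason = None
            elif "Child died unexpectedly" in text:
                summary["child_died"] = True
            elif code == "SC_ERR_INVALID_SIGNATURE":
                pending_reason = text
        else:
            loaded = LOADED_RE.search(msg)
            elapsed = ELAPSED_RE.search(msg)
            if loaded:
                summary["rules_loaded"] = int(loaded.group(1))
                summary["rules_failed"] = int(loaded.group(2))
            elif "engine started" in msg:
                summary["engine_started"] = True
            elif "Signal Received" in msg:
                summary["stopped_by_signal"] = True
            elif elapsed:
                summary["elapsed_seconds"] = float(elapsed.group(1))
    return summary


def reason_counts(summary):
    """How many skipped rules share each parser complaint."""
    return Counter(f["reason"] for f in summary["failed_signatures"])


def triage(summary):
    """Classify the run so rule-load noise is not mistaken for the crash."""
    if summary["child_died"]:
        return "crash-after-start" if summary["engine_started"] else "died-during-startup"
    if summary["engine_started"] and summary["stopped_by_signal"]:
        return "stopped-by-signal"
    if summary["engine_started"]:
        return "running"
    return "startup-incomplete"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(triage(s), s["rules_loaded"], s["rules_failed"], s["elapsed_seconds"])
    for f in s["failed_signatures"]:
        print(f["sid"], f["file"], f["line"], f["reason"][:60])
```

Run against the real file with `summarize(open("/var/log/suricata/.../suricata.log").readlines())` (path as on your box); a verdict of `crash-after-start` with an `elapsed_seconds` under a second, as in the thread's log, points at whatever sent the signal and at the daemon parent, not at the rules listed under `failed_signatures`.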
            Trel, Jul 24, 2014, 1:23 PM

            It stopped again, this time running exclusively on that interface.

            
            21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
            21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
            21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
            21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
            21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
            21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
            21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
            21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
            21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
            21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
            21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
            21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
            21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
            21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
            21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
            21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
            21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
            21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
            21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
            21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
            21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
            21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
            21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
            21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
            21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
            21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
            21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
            21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
            21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
            21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
            21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
            21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
            21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
            21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
            21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
            21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
            21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
            21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
            21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
            21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
            21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
            21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
            21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
            21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
            21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
            21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
            21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
            21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
            21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
            21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
            21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
            21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
            21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
            21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
            21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
            
            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by Jul 24, 2014, 11:26 PM

              @Trel:

              It stopped again, this time running exclusively on that interface

              
              

              You appear to be running the Snort VRT ruleset with Suricata.  While most of the rules will work, some don't compile at all, and some may not compile correctly.  You can see the errors from the "failed to compile" rules in your logs.  Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense).  The Emerging Threats rules should all compile and run without a problem.  Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

              I am working on an update to bring Suricata to the 2.0.2 binary on pfSense.  Hopefully I can get that out in about a month – or maybe less.  I have it working in my test environment.  Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

              My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata.  When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

              Bill

              1 Reply Last reply Reply Quote 0
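As an added example (not code from this thread or from the pfSense Suricata package), a small Python parser for the suricata.log format quoted above: it pairs each SC_ERR_INVALID_SIGNATURE diagnostic with the rule Suricata rejects on the following error line, pulls out sid, rev and the suricata.rules line number, counts rejections per diagnostic, and records whether the engine started and whether the run ended with the "Child died unexpectedly" error. The sample log is constructed from lines in this thread with the signatures abbreviated; the function and type names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the suricata.log excerpt quoted in this thread (rules abbreviated to msg/sid/rev).
SAMPLE_LOG = """\
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; dsize:267<>276; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 3 rules failed
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
"""

# "<d>/<m>/<yyyy> -- hh:mm:ss - <level>-- message"; 1.4.x prints no space before "--", the 2.0 log later in the thread does, so allow either.
LINE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2} - <(?P<level>\w+)>\s*-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\] - (?P<detail>.*)$")
PARSE_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file \S+ at line (?P<line>\d+)$')
SUMMARY_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")
SID_RE = re.compile(r"\bsid:(\d+);")
REV_RE = re.compile(r"\brev:(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)"')

@dataclass
class FailedRule:
    sid: int
    rev: int
    msg: str
    line: int     # line in the generated suricata.rules file named in the log
    reason: str   # diagnostic Suricata printed just before rejecting the rule

@dataclass
class LoadReport:
    failed: List[FailedRule] = field(default_factory=list)
    loaded: Optional[int] = None
    failed_count: Optional[int] = None
    engine_started: bool = False
    child_died: bool = False   # the "Child died unexpectedly" marker seen in the thread

def parse_suricata_log(text: str) -> LoadReport:
    """Pair each SC_ERR_INVALID_SIGNATURE diagnostic with the rule it rejects; note start and crash."""
    report = LoadReport()
    pending_reason: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "info":
            s = SUMMARY_RE.search(msg)
            if s:
                report.loaded, report.failed_count = int(s.group("loaded")), int(s.group("failed"))
            elif "engine started" in msg:
                report.engine_started = True
            continue
        e = ERRCODE_RE.match(msg) if level == "error" else None
        if not e:
            continue
        code, detail = e.group("code"), e.group("detail")
        if code == "UNKNOWN_ERROR" and "Child died unexpectedly" in detail:
            report.child_died = True
        elif code == "SC_ERR_INVALID_SIGNATURE":
            p = PARSE_RE.match(detail)
            if p is None:
                pending_reason = detail.strip()   # the rule it applies to follows on the next error line
                continue
            rule = p.group("rule")
            sid, rev, name = SID_RE.search(rule), REV_RE.search(rule), MSG_RE.search(rule)
            report.failed.append(FailedRule(
                sid=int(sid.group(1)) if sid else -1,
                rev=int(rev.group(1)) if rev else -1,
                msg=name.group(1) if name else "",
                line=int(p.group("line")),
                reason=pending_reason or "no diagnostic printed",
            ))
            pending_reason = None
    return report

def reasons(report: LoadReport) -> Counter:
    """Rejected rules per diagnostic: shows which Snort constructs this Suricata build refuses."""
    return Counter(f.reason for f in report.failed)

def missing_diagnostics(report: LoadReport) -> int:
    """Rules the summary counts as failed that left no 'error parsing signature' line."""
    return (report.failed_count or 0) - len(report.failed)

if __name__ == "__main__":
    rep = parse_suricata_log(SAMPLE_LOG)
    print(f"loaded={rep.loaded} failed={rep.failed_count} started={rep.engine_started} crashed={rep.child_died}")
    for f in rep.failed:
        print(f"sid:{f.sid} rev:{f.rev} rules line {f.line}: {f.msg}\n    {f.reason}")
    for reason, n in reasons(rep).most_common():
        print(f"{n:3d} x {reason}")
```

Rules the summary counts as failed but that left no error line show up in missing_diagnostics(); the sid list is what you would feed into whatever mechanism you use to disable the rejected rules.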
              • T
                Trel
                last edited by Jul 25, 2014, 2:02 PM Jul 25, 2014, 1:41 PM

                @bmeeks:

                You appear to be running the Snort VRT ruleset with Suricata.  While most of the rules will work, some don't compile at all, and some may not compile correctly.  You can see the errors from the "failed to compile" rules in your logs.  Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense).  The Emerging Threats rules should all compile and run without a problem.  Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

                I am working on an update to bring Suricata to the 2.0.2 binary on pfSense.  Hopefully I can get that out in about a month – or maybe less.  I have it working in my test environment.  Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

                My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata.  When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

                Bill

                I can try disabling the Snort rules; however, it's important to note that it only stops like this if I run it on my LAN interface.  If I have it running on WAN, that doesn't happen.

                EDIT, left out the important part of that.
                Why that's interesting is that it means it needs to be traffic between wired and wireless devices, as that would be the only traffic pfSense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by Jul 25, 2014, 2:58 PM

                  @Trel:


                  I can try disabling the Snort rules; however, it's important to note that it only stops like this if I run it on my LAN interface.  If I have it running on WAN, that doesn't happen.

                  EDIT, left out the important part of that.
                  Why that's interesting is that it means it needs to be traffic between wired and wireless devices, as that would be the only traffic pfSense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.

                  When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them?  If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not.  Perhaps some other users can chime in here with their experience…

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • T
                    Trel
                    last edited by Jul 25, 2014, 10:22 PM

                    @bmeeks:

                    When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them?  If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not.  Perhaps some other users can chime in here with their experience…

                    Bill

                    The LAN interface is a bridge of ports em0 and em1.
                    em0 goes to a switch
                    em1 goes to an access point

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by Jul 25, 2014, 10:41 PM

                      @Trel:


                      The LAN interface is a bridge of ports em0 and em1.
                      em0 goes to a switch
                      em1 goes to an access point

                      Well, it could very well be the bridge configuration that is tripping up Suricata.  Do you have "block offenders" enabled or not?  If you do, try turning it off to see if that helps.  That will eliminate some of the Suricata code.  Please report back with the results as it can help me troubleshoot.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • T
                        Trel
                        last edited by Aug 4, 2014, 1:29 PM

                        It crashed a few times on my guest wifi network.

                        
                        3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
                        3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
                        3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
                        3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
                        3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
                        3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
                        3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
                        3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
                        3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
                        3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
                        3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
                        3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
                        3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
                        3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
                        3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
                        3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
                        3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
                        3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
                        3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
                        3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
                        3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
                        3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
                        3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
                        3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
                        3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
                        3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
                        3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
                        3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
                        3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
                        3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
                        3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
                        3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
                        3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
                        3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
                        3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
                        3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
                        3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
                        3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
                        3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
                        3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
                        3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
                        3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
                        3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
                        3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
                        3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
                        3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
                        3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
                        3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
                        3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
                        3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0           
                        3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
                        3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
                        3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
                        3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
                        3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
                        3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
                        

                        That's a WiFi interface off pfSense.

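The log above shows the engine starting and receiving a stop signal within the same second, capturing no packets, and then the child dying. As an added example (not from the thread or the pfSense package), here is a small triage script that parses Suricata's default log line format and flags exactly that pattern; the sample lines are taken from the log posted above, and the 5-second "too short" threshold is an assumed value.

```python
"""Triage a Suricata startup log for the 'started, then immediately stopped' pattern."""
import re
from datetime import datetime

# Suricata's default log line: "D/M/YYYY -- HH:MM:SS - <level> -- message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> -- (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that are not log records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%m/%Y -- %H:%M:%S")  # day/month/year order
    return ts, m["level"], m["msg"]


def triage(lines, min_uptime=5):
    """Summarise one engine run: uptime in seconds, packets seen, errors and findings."""
    events = [e for e in map(parse_line, lines) if e]
    started = next((ts for ts, _, msg in events if "engine started" in msg), None)
    stopped = next((ts for ts, _, msg in events if "Stopping engine" in msg), None)
    packets = None
    for _, _, msg in events:
        m = re.search(r"\) Packets (\d+), bytes \d+", msg)  # per-thread capture counters
        if m:
            packets = int(m.group(1))
    errors = [msg for _, lvl, msg in events if lvl == "error"]
    uptime = (stopped - started).total_seconds() if started and stopped else None
    findings = []
    if uptime is not None and uptime < min_uptime:  # min_uptime is an assumed threshold
        findings.append(f"engine stopped {uptime:.0f}s after start")
    if packets == 0:
        findings.append("no packets captured before shutdown")
    if any("Child died unexpectedly" in e for e in errors):
        findings.append("suricata child process died")
    return {"uptime": uptime, "packets": packets, "errors": errors, "findings": findings}


# Constructed sample: the relevant lines from the log posted above.
SAMPLE = """\
3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("FINDING:", finding)
```

Run it against /var/log/suricata/<interface>/suricata.log on the box; a run that is stopped seconds after "engine started" with zero packets points at something signalling the process (or a second instance on the same interface, which `pgrep suricata` will show) rather than at the rules or traffic.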
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.