Multiple problems with Suricata service - (instability and crashes)
-
I have Suricata enabled for two interfaces, WAN and LAN (which is a bridge of LAN1 and LAN2, two ports on an Intel 4-port 10/100/1000 card).
- When I click the icon to stop Suricata on an interface, the page reloads, but nothing was stopped. (At this point, the only way I can get that to function again is to stop the service from Status->Services.)
- Many times when I check, the LAN interface will show as not running, and I have to start it again.
-
So far the issue with LAN monitoring spontaneously disabling itself only seems to happen when I have Suricata running on LAN and WAN at the same time.
I disabled it on WAN and I haven't seen this occur yet. The other issue still applies.
-
When you click on the stop icon, it will take some time to stop; just let it be and click "refresh" until it stops by itself.
Run this command at the CLI to make sure that you have only one Suricata process running per interface. When it stops, it should not report any PIDs.
pgrep suricata
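Added example, not from the thread: a POSIX sh script that turns the check above into something scriptable. It counts engine processes per interface from a ps listing, so a second copy on the same interface stands out, and polls pgrep until the instance is really gone. The ps output embedded below is constructed; the command-line shape (suricata -i <iface> -D -c .../suricata_<id>_<iface>/suricata.yaml) is an assumption based on the config path that appears in the logs later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: make "one Suricata per interface, none
# after stop" a scriptable check instead of eyeballing pgrep output.
#
# Assumption (from the config path seen in the logs in this thread): the
# pfSense package starts each instance roughly as
#   /usr/pbi/suricata-i386/bin/suricata -i <iface> -D -c .../suricata_<id>_<iface>/suricata.yaml
# so the interface is the argument after "-i" and the binary path ends in "/suricata".

# Constructed `ps -axww -o pid,command` listing: bridge0 has two engine
# processes (a duplicate), em0 has one, and the grep must not be counted.
SAMPLE_PS='  PID COMMAND
 1234 /usr/pbi/suricata-i386/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml
 1301 /usr/pbi/suricata-i386/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml
 1402 /usr/pbi/suricata-i386/bin/suricata -i em0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_51234_em0/suricata.yaml
 1500 grep suricata'

# Read a ps listing on stdin (either `ps -axww -o pid,command` or plain
# `ps -ax`; the extra TT/STAT/TIME columns do not matter because the binary
# is located by name) and print "<iface> <count>" per interface, sorted.
suricata_instances_per_iface() {
    awk '{
        bin = 0
        for (i = 1; i <= NF; i++) if ($i ~ /\/suricata$/) { bin = i; break }
        if (!bin) next                 # header, "grep suricata", "sh -c ..." wrapper
        for (i = bin + 1; i < NF; i++) if ($i == "-i") { n[$(i + 1)]++; break }
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Exit 0 when no interface has more than one engine process; otherwise list
# the offenders on stderr and exit 1 (stdin: a ps listing, as above).
check_single_instance() {
    dups=$(suricata_instances_per_iface | awk '$2 > 1')
    [ -z "$dups" ] && return 0
    printf 'more than one suricata process on: %s\n' "$dups" >&2
    return 1
}

# Poll PROBE (e.g. "pgrep suricata") once a second until it prints nothing,
# the scripted form of "click refresh until it stops". Returns 1 if PIDs are
# still present after TIMEOUT seconds (default 30).
wait_for_stop() {
    probe=$1; timeout=${2:-30}; waited=0
    while [ -n "$($probe 2>/dev/null)" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Stand-alone demo on the constructed listing; on a live box feed it
# `ps -axww -o pid,command | suricata_instances_per_iface` instead.
printf '%s\n' "$SAMPLE_PS" | suricata_instances_per_iface
printf '%s\n' "$SAMPLE_PS" | check_single_instance || echo "duplicate instance detected"
```

On the firewall itself the same three functions would be driven by the real `ps` and `pgrep suricata`, e.g. `ps -axww -o pid,command | check_single_instance` after each start, and `wait_for_stop "pgrep suricata" 60` after clicking the stop icon.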
-
Ok, it stopped on its own somewhere between 11:24pm (last detection) yesterday and 9am today with no interaction from me.
This time it was running on the LAN interface only.
And
$ pgrep suricata
as well as
$ ps -ax |grep suricata
10944 ?? S 0:00.00 sh -c ps -ax |grep suricata 2>&1
11194 ?? S 0:00.00 grep suricata
Here's what I was able to pull remotely from the UI for suricata.log
18/7/2014 -- 06:48:36 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 65535 defrag trackers of size 88
18/7/2014 -- 06:48:37 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
18/7/2014 -- 06:48:37 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/7/2014 -- 06:48:37 - <info>-- preallocated 1024 packets. Total memory 3135488
18/7/2014 -- 06:48:37 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 1000 hosts of size 60
18/7/2014 -- 06:48:37 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
18/7/2014 -- 06:48:37 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 10000 flows of size 144
18/7/2014 -- 06:48:37 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
18/7/2014 -- 06:48:37 - <info>-- IP reputation disabled
18/7/2014 -- 06:48:37 - <info>-- Added "35" classification types from the classification file
18/7/2014 -- 06:48:37 - <info>-- Added "19" reference types from the reference.config file
18/7/2014 -- 06:48:37 - <info>-- using magic-file /usr/share/misc/magic
18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content. Invalidating signature.
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
18/7/2014 -- 06:49:30 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
18/7/2014 -- 06:49:30 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
18/7/2014 -- 06:49:32 - <info>-- building signature grouping structure, stage 2: building source address list... complete
18/7/2014 -- 06:49:49 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
18/7/2014 -- 06:49:55 - <info>-- Threshold config parsed: 2 rule(s) found
18/7/2014 -- 06:49:55 - <info>-- Core dump size is unlimited.
18/7/2014 -- 06:49:55 - <info>-- fast output device (regular) initialized: alerts.log
18/7/2014 -- 06:49:55 - <info>-- Using 1 live device(s).
18/7/2014 -- 06:49:55 - <info>-- using interface bridge0
18/7/2014 -- 06:49:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/7/2014 -- 06:49:55 - <info>-- Found an MTU of 1500 for 'bridge0'
18/7/2014 -- 06:49:55 - <info>-- Set snaplen to 1500 for 'bridge0'
18/7/2014 -- 06:49:55 - <info>-- RunModeIdsPcapAutoFp initialised
18/7/2014 -- 06:49:55 - <info>-- stream "max-sessions": 262144
18/7/2014 -- 06:49:55 - <info>-- stream "prealloc-sessions": 32768
18/7/2014 -- 06:49:55 - <info>-- stream "memcap": 33554432
18/7/2014 -- 06:49:55 - <info>-- stream "midstream" session pickups: disabled
18/7/2014 -- 06:49:55 - <info>-- stream "async-oneside": disabled
18/7/2014 -- 06:49:55 - <info>-- stream "checksum-validation": disabled
18/7/2014 -- 06:49:55 - <info>-- stream."inline": disabled
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "memcap": 67108864
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "depth": 0
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
18/7/2014 -- 06:49:55 - <info>-- Signal Received. Stopping engine.
18/7/2014 -- 06:49:55 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Packets 0, bytes 0
18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Pcap Total:5 Recv:5 Drop:0 (0.0%).
18/7/2014 -- 06:49:55 - <info>-- AutoFP - Total flow handler queues - 1
18/7/2014 -- 06:49:55 - <info>-- AutoFP - Queue 0 - pkts: 0 flows: 0
18/7/2014 -- 06:49:55 - <info>-- Stream TCP processed 0 TCP packets
18/7/2014 -- 06:49:55 - <info>-- Fast log output wrote 0 alerts
18/7/2014 -- 06:49:55 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
18/7/2014 -- 06:49:56 - <info>-- cleaning up signature grouping structure... complete
18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
-
It stopped again, this time running exclusively on that interface
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content. Invalidating signature.
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received. Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0 - pkts: 0 flows: 0
21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
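Added example, not part of either post: an awk-based triage of a suricata.log in the format of the two logs posted above (18/7 and 21/7). Suricata writes a reason line ("Signature combines ...", "previous keyword has a fast_pattern:only; set ...") immediately before each "error parsing signature" line, so the script pairs the two and reports the rejected sids, then reads the lifecycle lines to give the engine's run time between "engine started" and "Signal Received" and whether the daemon logged "Child died unexpectedly". The embedded sample log is constructed (fictional sids 9000001 and 9000002, shortened rule bodies, invented totals) but keeps the posted line layout; the same-day assumption for the uptime calculation is noted in the code.

```shell
#!/bin/sh
# Added example, not from the thread: triage a suricata.log of the posted
# layout  "D/M/YYYY -- HH:MM:SS - <level>-- message".
# Rule-parse errors come in pairs (reason line, then "error parsing signature");
# the lifecycle lines tell how long the engine actually ran before it was
# signalled, and whether the parent reported "Child died unexpectedly".

# Constructed sample: fictional sids, shortened rules, invented totals.
sample_log() {
    cat <<'EOF'
18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONSTRUCTED dsize with http_uri"; flow:to_server,established; dsize:142; content:"/u5.htm"; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 10
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED relative match after fast_pattern:only"; flow:to_server,established; content:"/load.exe"; fast_pattern:only; content:"Host: "; distance:0; http_header; classtype:trojan-activity; sid:9000002; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 11
18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15145 rules successfully loaded, 2 rules failed
18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
18/7/2014 -- 06:49:55 - <info>-- Signal Received. Stopping engine.
18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
EOF
}

# Read a suricata.log on stdin and print one "key value" line per finding.
# Assumes "engine started" and "Signal Received" fall on the same calendar
# day (true for both logs posted in this thread); only HH:MM:SS is compared.
triage_suricata_log() {
    awk '
    function secs(hms,  t) { split(hms, t, ":"); return t[1] * 3600 + t[2] * 60 + t[3] }
    {
        ts = $3                         # $1 date, $2 "--", $3 time, $4 "-", $5 "<level>--"
        msg = $0; sub(/^[^<]*<[a-z]+>-- /, "", msg)
        if (msg ~ /Child died unexpectedly/) { died = 1; next }
        if ($5 ~ /^<error>/) {
            if (msg ~ /error parsing signature/) {
                sid = msg; sub(/.*sid:/, "", sid); sub(/;.*/, "", sid)
                failed[++nf] = sid " " reason          # pair with the reason logged just before
            } else {
                reason = msg; sub(/^\[ERRCODE: [A-Z_]+\([0-9]+\)\] - /, "", reason)
            }
            next
        }
        if (msg ~ /engine started/)  { started = secs(ts); have_start = 1 }
        if (msg ~ /Signal Received/) { stopped = secs(ts); have_stop = 1 }
        if (msg ~ /rules failed/)    summary = msg
    }
    END {
        printf "failed_rules %d\n", nf
        for (i = 1; i <= nf; i++) print "failed " failed[i]
        if (summary != "") print "summary " summary
        if (have_start && have_stop) print "engine_uptime_s " (stopped - started)
        print "child_died " (died + 0)
    }'
}

# Stand-alone demo on the constructed sample; for a real file use
# `triage_suricata_log < suricata.log`.
sample_log | triage_suricata_log
```

Run against either posted log this reports 10 failed signatures, an engine uptime of 0 s and child_died 1: the rejected Snort community rules are skipped at load time (the engine still starts with the other 15137), and the stop signal arrives in the same second the engine starts, so the signal's origin rather than the parse errors is what to chase next.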
-
It stopped again, this time running exclusively on that interface
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content. Invalidating signature.
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received. Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0 - pkts: 0 flows: 0
21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
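The log above carries the facts a reader needs for triage: how many rules failed to parse and which sids, when the engine started, when it got the stop signal, how long it actually ran, what the capture counters say, and how the process ended. The script below pulls those out of a suricata.log in the plain-text format shown in this thread. It is an added example, not code from the pfSense package or from Suricata, and the sample log is a constructed subset of the 21/7/2014 bridge0 run above (one failing rule kept, its metadata and reference text dropped).

```python
"""Extract triage facts from a Suricata 1.4-style suricata.log (added example)."""
import re
from datetime import datetime

# Line shape used by the logs in this thread: "d/m/Y -- H:M:S - <level>-- message"
# (the later log writes "<level> --" with a space; \s* covers both).
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(\w+)>\s*-- (.*)$")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
SID_RE = re.compile(r'error parsing signature ".*?sid:(\d+);')
PCAP_RE = re.compile(r"Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")
ELAPSED_RE = re.compile(r"time elapsed ([\d.]+)s")


def parse(log_text):
    """Yield (timestamp, level, message) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%d/%m/%Y -- %H:%M:%S"), m.group(2), m.group(3)


def triage(log_text):
    """Summarise one engine run: rule-load result, lifetime, capture counters, exit."""
    r = {"rules_loaded": None, "rules_failed": None, "invalid_sids": [],
         "engine_started": None, "stop_signal": None, "elapsed_s": None,
         "pcap": None, "errors": []}
    for ts, level, msg in parse(log_text):
        if level == "error":
            r["errors"].append(msg)
        if m := LOADED_RE.search(msg):
            r["rules_loaded"], r["rules_failed"] = int(m.group(1)), int(m.group(2))
        if m := SID_RE.search(msg):
            r["invalid_sids"].append(int(m.group(1)))
        if m := PCAP_RE.search(msg):
            r["pcap"] = {"total": int(m.group(1)), "recv": int(m.group(2)), "drop": int(m.group(3))}
        if m := ELAPSED_RE.search(msg):
            r["elapsed_s"] = float(m.group(1))
        if msg.endswith("engine started."):
            r["engine_started"] = ts
        if msg.startswith("Signal Received"):
            r["stop_signal"] = ts
    r["child_died"] = any("Child died unexpectedly" in e for e in r["errors"])
    return r


def summary(r):
    """One-line human summary of a triage() result."""
    parts = []
    if r["rules_loaded"] is not None:
        parts.append(f"{r['rules_failed']} rules failed, {r['rules_loaded']} loaded")
    if r["invalid_sids"]:
        parts.append("failing sids: " + ",".join(map(str, r["invalid_sids"])))
    if r["engine_started"] and r["stop_signal"]:
        gap = (r["stop_signal"] - r["engine_started"]).total_seconds()
        parts.append(f"stop signal {gap:.0f}s after engine start"
                     + (f" (engine reports {r['elapsed_s']}s elapsed)" if r["elapsed_s"] is not None else ""))
    if r["pcap"]:
        parts.append(f"pcap total={r['pcap']['total']} recv={r['pcap']['recv']} drop={r['pcap']['drop']}")
    if r["child_died"]:
        parts.append("ended with: Child died unexpectedly")
    return "; ".join(parts)


# Constructed sample: a subset of the 21/7/2014 bridge0 log posted above.
SAMPLE_LOG = """\
21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received. Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
"""

if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

Run it against the real file (for example /var/log/suricata/suricata_*/suricata.log on a pfSense box, path an assumption) by reading the file into `triage()`. The point of separating the stop-signal gap from the engine's own "time elapsed" is that a run which receives its signal in the same second it starts and processed zero packets is a different failure from one that died after hours of traffic; the 21/7 and 3/8 logs in this thread are both of the first kind.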
You appear to be running the Snort VRT ruleset with Suricata. While most of the rules will work, some don't compile at all, and some may not compile correctly. You can see the errors from the "failed to compile" rules in your logs. Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense). The Emerging Threats rules should all compile and run without a problem. Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.
I am working on an update to bring Suricata to the 2.0.2 binary on pfSense. Hopefully I can get that out in about a month – or maybe less. I have it working in my test environment. Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.
My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata. When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.
Bill
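The three reasons Suricata gives in the log above for refusing Snort VRT rules (a packet-level keyword such as dsize mixed with an http_* buffer; a within/distance whose preceding content is fast_pattern:only; an http_header applied to a relative content before any earlier http_header content) can be checked before the rules are handed to the engine. The linter below is an added example, not code from the pfSense package or from Suricata: it models those three checks over a rule's option list. The keyword tables are an approximation of Suricata's (an assumption), the third check is applied to every http_* buffer although the log only shows the http_header wording, and a relative content with no predecessor in its current list is accepted, which is how the common "content; http_x; content; distance:0; http_x" form loads. The sample rules are shortened from the log's own rules (content strings, msg, metadata and reference text trimmed, keyword order kept); the sid 1 control rule is constructed.

```python
"""Lint Snort VRT rules for three option patterns Suricata 1.4 refuses (added example)."""

# Packet-level keywords named in the Suricata message, plus a few assumed ones.
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "id", "ipopts", "fragbits", "seq",
                   "ack", "window", "itype", "icode"}
# Content modifiers that move the preceding content into an HTTP buffer.
BUFFER_MODIFIERS = {"http_header", "http_raw_header", "http_uri", "http_raw_uri",
                    "http_client_body", "http_method", "http_cookie",
                    "http_user_agent", "http_host", "http_raw_host",
                    "http_stat_code", "http_stat_msg", "http_server_body"}
STICKY_BUFFERS = {"file_data"}              # later contents land here directly
APP_LAYER_KEYWORDS = BUFFER_MODIFIERS | STICKY_BUFFERS | {"urilen"}
PCRE_FLAG_BUFFER = {"U": "http_uri", "I": "http_raw_uri", "H": "http_header",
                    "D": "http_raw_header", "P": "http_client_body",
                    "Q": "file_data", "M": "http_method", "C": "http_cookie"}

E1 = ("Signature combines packet specific matches (like dsize, flags, ttl) with "
      "stream / state matching by matching on app layer proto (like using http_* keywords).")
E2 = ("previous keyword has a fast_pattern:only; set. Can't have relative keywords "
      "around a fast_pattern only content")
E3 = "{b} seen with a distance or within without a previous {b} content. Invalidating signature."


def split_options(rule):
    """Yield (keyword, value) from the '(...)' block; ';' inside quotes is literal."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == "\\":
            escaped = not escaped            # a backslash escapes the next character
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    for opt in opts + ["".join(buf)]:
        key, sep, val = opt.strip().partition(":")
        if key:
            yield key.strip(), (val.strip() if sep else None)


class Match:
    """One content or pcre keyword and the buffer list it currently sits in."""
    def __init__(self, kw, buf):
        self.kw, self.buf, self.fp_only, self.relative = kw, buf, False, False


def lint(rule):
    """Return the first error Suricata 1.4 would log for `rule`, or None if it loads."""
    lists, last, sticky = {}, None, "pmatch"      # "pmatch": generic payload list
    packet = applayer = False
    for key, val in split_options(rule):
        packet = packet or key in PACKET_KEYWORDS
        applayer = applayer or key in APP_LAYER_KEYWORDS
        if key == "content":
            last = Match("content", sticky)
            lists.setdefault(sticky, []).append(last)
        elif key == "pcre":
            flags = (val or "").rstrip('"').rsplit("/", 1)[-1]
            buf = next((PCRE_FLAG_BUFFER[f] for f in flags if f in PCRE_FLAG_BUFFER), sticky)
            applayer = applayer or buf != "pmatch"
            last = Match("pcre", buf)
            lists.setdefault(buf, []).append(last)
        elif key == "fast_pattern" and last is not None:
            last.fp_only = (val == "only")
        elif key in ("within", "distance") and last is not None and last.kw == "content":
            owner = lists[last.buf]
            idx = owner.index(last)                # identity match: Match has no __eq__
            if idx > 0 and owner[idx - 1].fp_only:   # no predecessor is tolerated
                return E2
            last.relative = True
        elif key in BUFFER_MODIFIERS and last is not None and last.kw == "content":
            lists[last.buf].remove(last)           # the modifier moves the content
            target = lists.setdefault(key, [])
            if last.relative and not target:
                return E3.format(b=key)
            target.append(last)
            last.buf = key
        elif key in STICKY_BUFFERS:
            sticky = key
    return E1 if packet and applayer else None


# Three rules shortened from the log above plus one constructed control (sid 1).
SAMPLE_RULES = {
    28542: 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Conficker"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|"; fast_pattern:only; classtype:trojan-activity; sid:28542; rev:1;)',
    26722: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bancos fake JPG"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; classtype:trojan-activity; sid:26722; rev:1;)',
    30919: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bancos POST"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; classtype:trojan-activity; sid:30919; rev:1;)',
    1: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"control"; flow:to_server,established; content:"/u5.htm"; http_uri; fast_pattern; content:"MSIE"; http_header; content:"Host:"; distance:0; http_header; pcre:"/^\\/u5\\.htm$/U"; classtype:trojan-activity; sid:1; rev:1;)',
}

if __name__ == "__main__":
    for sid, rule in SAMPLE_RULES.items():
        print(f"sid {sid}: {lint(rule) or 'loads'}")
```

Feeding a whole suricata.rules file through `lint()` line by line gives the list of sids to disable (or rewrite) before the engine sees them, which is a cheaper loop than restarting Suricata and reading the log each time. Note what the linter does not do: it only catches the three failure modes the log names, so it says nothing about the rules Bill describes as loading without an error yet misbehaving.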
-
I can try disabling the snort rules, however, it's important to note that it only stops like this if I run it on my LAN interface. If I have it running on WAN, that doesn't happen.
EDIT, left out the important part of that.
Why that's interesting is it means it needs to be traffic between wired and wireless devices as that would be the only traffic pfSense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.
-
When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them? If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not. Perhaps some other users can chime in here with their experience…
Bill
The Lan interface is a bridge of ports em0 and em1.
em0 goes to a switch
em1 goes to an access point
-
Well, it could very well be the bridge configuration that is tripping up Suricata. Do you have "block offenders" enabled or not? If you do, try turning it off to see if that helps. That will eliminate some of the Suricata code. Please report back with the results as it can help me troubleshoot.
Bill
-
It crashed a few times on my guest wifi network.
3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
3/8/2014 -- 14:40:04 - <info> -- Signal Received. Stopping engine.
3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0 - pkts: 0 flows: 0
3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
That's a wifi interface off pfSense.