Multiple problems with Suricata service - (instability and crashes)

Trel · Jul 24, 2014, 1:23 PM

I have Suricata enabled for two interfaces WAN and LAN (which is a bridge of LAN1 and LAN2 which are two ports on an intel 4port 10/100/1000 card).

When I click the icon to stop Suricata on an interface, the page reloads, but nothing was stopped.
–(At this point, the only way I can get that to function again is to stop the service from Status->Services)
Many times when I check, the LAN interface will show as not running, and I have to start it again.

Trel · Jul 17, 2014, 2:29 PM

So far the issue with LAN monitoring spontaneously disabling itself only seems to happen when I have Suricata running on LAN and WAN at the same time.
I disabled it on WAN and I haven't seen this occur yet.

The other issue still applies.

BBcan177 · Jul 17, 2014, 2:46 PM

When you click on the stop icon, it will take some time to stop, just let it be and click "refresh" until it stops by itself.

Run this command at the CLI, to make sure that you have only one process of Suricata running per interface. When it stops, it should not report any PIDS.

pgrep suricata

Trel · Jul 18, 2014, 1:33 PM

Ok, it stopped on its own somewhere between 11:24pm (last detection) yesterday and 9am today with no interaction from me.

This time it was running on the LAN interface only.

And


$ pgrep suricata

as well as


$ ps -ax |grep suricata
10944  ??  S      0:00.00 sh -c ps -ax |grep suricata 2>&1
11194  ??  S      0:00.00 grep suricata

Here's what I was able to pull remotely from the UI for suricata.log


18/7/2014 -- 06:48:36 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 65535 defrag trackers of size 88
18/7/2014 -- 06:48:37 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
18/7/2014 -- 06:48:37 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/7/2014 -- 06:48:37 - <info>-- preallocated 1024 packets. Total memory 3135488
18/7/2014 -- 06:48:37 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 1000 hosts of size 60
18/7/2014 -- 06:48:37 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
18/7/2014 -- 06:48:37 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
18/7/2014 -- 06:48:37 - <info>-- preallocated 10000 flows of size 144
18/7/2014 -- 06:48:37 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
18/7/2014 -- 06:48:37 - <info>-- IP reputation disabled
18/7/2014 -- 06:48:37 - <info>-- Added "35" classification types from the classification file
18/7/2014 -- 06:48:37 - <info>-- Added "19" reference types from the reference.config file
18/7/2014 -- 06:48:37 - <info>-- using magic-file /usr/share/misc/magic
18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
18/7/2014 -- 06:49:30 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
18/7/2014 -- 06:49:30 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
18/7/2014 -- 06:49:32 - <info>-- building signature grouping structure, stage 2: building source address list... complete
18/7/2014 -- 06:49:49 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
18/7/2014 -- 06:49:55 - <info>-- Threshold config parsed: 2 rule(s) found
18/7/2014 -- 06:49:55 - <info>-- Core dump size is unlimited.
18/7/2014 -- 06:49:55 - <info>-- fast output device (regular) initialized: alerts.log
18/7/2014 -- 06:49:55 - <info>-- Using 1 live device(s).
18/7/2014 -- 06:49:55 - <info>-- using interface bridge0
18/7/2014 -- 06:49:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/7/2014 -- 06:49:55 - <info>-- Found an MTU of 1500 for 'bridge0'
18/7/2014 -- 06:49:55 - <info>-- Set snaplen to 1500 for 'bridge0'
18/7/2014 -- 06:49:55 - <info>-- RunModeIdsPcapAutoFp initialised
18/7/2014 -- 06:49:55 - <info>-- stream "max-sessions": 262144
18/7/2014 -- 06:49:55 - <info>-- stream "prealloc-sessions": 32768
18/7/2014 -- 06:49:55 - <info>-- stream "memcap": 33554432
18/7/2014 -- 06:49:55 - <info>-- stream "midstream" session pickups: disabled
18/7/2014 -- 06:49:55 - <info>-- stream "async-oneside": disabled
18/7/2014 -- 06:49:55 - <info>-- stream "checksum-validation": disabled
18/7/2014 -- 06:49:55 - <info>-- stream."inline": disabled
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "memcap": 67108864
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "depth": 0
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
18/7/2014 -- 06:49:55 - <info>-- Signal Received.  Stopping engine.
18/7/2014 -- 06:49:55 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Packets 0, bytes 0
18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Pcap Total:5 Recv:5 Drop:0 (0.0%).
18/7/2014 -- 06:49:55 - <info>-- AutoFP - Total flow handler queues - 1
18/7/2014 -- 06:49:55 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
18/7/2014 -- 06:49:55 - <info>-- Stream TCP processed 0 TCP packets
18/7/2014 -- 06:49:55 - <info>-- Fast log output wrote 0 alerts
18/7/2014 -- 06:49:55 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
18/7/2014 -- 06:49:56 - <info>-- cleaning up signature grouping structure... complete
18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info>

Trel · Jul 24, 2014, 1:23 PM

It stopped again, this time running exclusively on that interface


21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info>

bmeeks · Jul 24, 2014, 11:26 PM

@Trel:

It stopped again, this time running exclusively on that interface


21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info>

You appear to be running the Snort VRT ruleset with Suricata. While most of the rules will work, some don't compile at all, and some may not compile correctly. You can see the errors from the "failed to compile" rules in your logs. Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense). The Emerging Threats rules should all compile and run without a problem. Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

I am working on an update to bring Suricata to the 2.0.2 binary on pfSense. Hopefully I can get that out in about a month – or maybe less. I have it working in my test environment. Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata. When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

Bill

Trel · Jul 25, 2014, 2:02 PM

@bmeeks:

You appear to be running the Snort VRT ruleset with Suricata. While most of the rules will work, some don't compile at all, and some may not compile correctly. You can see the errors from the "failed to compile" rules in your logs. Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense). The Emerging Threats rules should all compile and run without a problem. Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

I am working on an update to bring Suricata to the 2.0.2 binary on pfSense. Hopefully I can get that out in about a month – or maybe less. I have it working in my test environment. Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata. When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

Bill

I can try disabling the snort rules, however, it's important to note that it only stops like this if I run it on my LAN interface. If I have it running on WAN, that doesn't happen.

EDIT, left out the important part of that.
Why that's interesting is it means it needs to be traffic between wired and wireless devices as that would be the only traffic pfsense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.

bmeeks · Jul 25, 2014, 2:58 PM

@Trel:

@bmeeks:

You appear to be running the Snort VRT ruleset with Suricata. While most of the rules will work, some don't compile at all, and some may not compile correctly. You can see the errors from the "failed to compile" rules in your logs. Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense). The Emerging Threats rules should all compile and run without a problem. Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

I am working on an update to bring Suricata to the 2.0.2 binary on pfSense. Hopefully I can get that out in about a month – or maybe less. I have it working in my test environment. Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata. When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

Bill

I can try disabling the snort rules, however, it's important to note that it only stops like this if I run it on my LAN interface. If I have it running on WAN, that doesn't happen.

EDIT, left out the important part of that.
Why that's interesting is it means it needs to be traffic between wired and wireless devices as that would be the only traffic pfsense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.

When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them? If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not. Perhaps some other users can chime in here with their experience…

Bill

Trel · Jul 25, 2014, 10:22 PM

@bmeeks:

When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them? If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not. Perhaps some other users can chime in here with their experience…

Bill

The Lan interface is a bridge of ports em0 and em1.
em0 goes to a switch
em1 goes to an access point

bmeeks · Jul 25, 2014, 10:41 PM

@Trel:

@bmeeks:

When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them? If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not. Perhaps some other users can chime in here with their experience…

Bill

The Lan interface is a bridge of ports em0 and em1.
em0 goes to a switch
em1 goes to an access point

Well, it could very well be the bridge configuration that is tripping up Suricata. Do you have "block offenders" enabled or not? If you do, try turning it off to see if that helps. That will eliminate some of the Suricata code. Please report back with the results as it can help me troubleshoot.

Bill

Trel · Aug 4, 2014, 1:29 PM

It crashed a few times on my guest wifi network.


3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0           
3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info>

That's a wifi interface off Pfsense