Suricata keeps getting disabled
-
I'm having to manually start Suricata after a few hours or so because it keeps getting disabled.
Last 50 system log entries
Aug 30 12:17:23 suricata: 30/8/2014 -- 12:17:23 - <info>-- using magic-file /usr/share/misc/magic
Aug 30 12:17:23 suricata: 30/8/2014 -- 12:17:23 - <info>-- Delayed detect disabled
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
Aug 30 12:18:41 suricata: 30/8/2014 -- 12:18:41 - <info>-- 15541 signatures processed. 23 are IP-only rules, 5193 are inspecting packet payload, 12337 inspect application layer, 77 are decoder event only
Aug 30 12:18:41 suricata: 30/8/2014 -- 12:18:41 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
Aug 30 12:18:42 suricata: 30/8/2014 -- 12:18:42 - <info>-- building signature grouping structure, stage 2: building source address list... complete
Aug 30 12:18:48 suricata: 30/8/2014 -- 12:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- Threshold config parsed: 0 rule(s) found
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- Core dump size is unlimited.
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output device (regular) initialized: block.log
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/passlist parsed: 7 IP addresses loaded.
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=off
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- fast output device (regular) initialized: alerts.log
Aug 30 12:18:55 suricata: 30/8/2014 -- 12:18:55 - <info>-- http-log output device (regular) initialized: http.log
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Syslog output initialized
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Using 1 live device(s).
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using interface nfe0
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Found an MTU of 1500 for 'nfe0'
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Set snaplen to 1500 for 'nfe0'
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using magic-file /usr/share/misc/magic
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- returning 0x80d7ffe98
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- RunModeIdsPcapAutoFp initialised
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "max-sessions": 262144
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "prealloc-sessions": 32768
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "memcap": 33554432
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "midstream" session pickups: disabled
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "async-oneside": disabled
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "checksum-validation": disabled
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream."inline": disabled
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "memcap": 67108864
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "depth": 0
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
Aug 30 12:18:55 suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
Aug 30 12:18:57 suricata[47918]: 30/8/2014 -- 12:18:57 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
EDIT: Here is the part of the log where Suricata throws the error:
Aug 30 11:28:03 suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
Aug 30 11:28:03 suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
-
My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file. The SID is listed in the error message of each one. The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.
An update to the 2.0.3 binary is currently under review by the pfSense team. I posted it earlier this week.
Bill
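A way to carry out Bill's suggestion without hunting through the log by hand. This script is an added example for this thread, not code from the pfSense Suricata package or from Bill; it assumes the log line format pasted above (the "[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "..." from file ... at line N" shape), pulls the sid out of each quoted signature, checks the count of distinct SIDs against the "N rules failed" summary line, and disables a rule the way Suricata understands it: by commenting the line out of the rules file. The sample log and rules text are constructed, shortened copies of the entries in the post; the SIDs, file path and counts are the ones the post shows.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample log, abridged from the entries pasted in the thread.
# Each parse error is repeated because the package logs it twice; the
# "Child died unexpectedly" line is included to show it is ignored here.
SAMPLE_LOG = r"""
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:".pif"; within:-4; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:".pif"; within:-4; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:".scr"; within:-4; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
Aug 30 11:28:03 suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
""".strip()

# Constructed rules file: the two .pif/.scr rules from the post plus one
# made-up rule (sid 9000001) that must stay enabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; content:".pif"; within:-4; sid:2001407; rev:11;)
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; content:".scr"; within:-4; sid:2001408; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule that loads fine"; content:"abc"; sid:9000001; rev:1;)
"""

# The signature text is quoted with the same double quotes it contains, so the
# greedy .* runs to the last '" from file' on the line. "at line N" is optional
# because one entry in the post is truncated after the file name.
ENTRY_RE = re.compile(
    r'\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - error parsing signature '
    r'"(?P<sig>.*)" from file (?P<path>\S+)(?: at line (?P<line>\d+))?'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SUMMARY_RE = re.compile(r'(\d+) rules successfully loaded, (\d+) rules failed')


def failed_signatures(log_text: str) -> Dict[int, dict]:
    """Map sid -> {msg, file, line} for every rule Suricata refused to load.
    Keying by sid collapses the duplicated syslog copies of each error."""
    found: Dict[int, dict] = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group("sig"))
        if not sid_m:
            continue  # a signature with no sid cannot be disabled by sid
        msg_m = MSG_RE.search(m.group("sig"))
        found[int(sid_m.group(1))] = {
            "msg": msg_m.group(1) if msg_m else "",
            "file": m.group("path"),
            "line": int(m.group("line")) if m.group("line") else None,
        }
    return found


def load_summary(log_text: str) -> Optional[Tuple[int, int]]:
    """(loaded, failed) from the 'rules successfully loaded' summary line."""
    m = SUMMARY_RE.search(log_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def disable_sids(rules_text: str, sids: Set[int]) -> str:
    """Comment out every active rule whose sid is in `sids`. All other lines
    are returned unchanged, so the result can be diffed against the original
    and the call is idempotent (already-commented lines are left alone)."""
    out = []
    for line in rules_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#"):
            m = SID_RE.search(line)
            if m and int(m.group(1)) in sids:
                line = "#" + line
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    failed = failed_signatures(SAMPLE_LOG)
    for sid, info in sorted(failed.items()):
        print(f"sid {sid}: {info['msg']} ({info['file']}:{info['line']})")
    summary = load_summary(SAMPLE_LOG)
    if summary and summary[1] != len(failed):
        # Mismatch means some failures were logged in a shape this parser missed.
        print(f"warning: log reports {summary[1]} failed rules, extracted {len(failed)} SIDs")
    print(disable_sids(SAMPLE_RULES, set(failed)))
```

On a real box, feed the script the system log and the rules file from the path in the error message; the "3 rules failed" count in the summary line is the cross-check that every failure was accounted for. Keep a list of what was disabled this way: once the 2.0.3 package Bill mentions lands, those rules should be re-enabled and the log checked again, since the parse errors are tied to the older binary, not the rules themselves.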
-
Thanks Bill, I will do that now.
-
It's happening to me too, so I am leaving it disabled until the update comes out. I check daily for a package update.