pfSense 2.5.0 Suricata daemon refuses to start
-
Good Morning!
I'm wondering whether anyone else has run into a problem with a clean install of Suricata failing to start.
The following is the output from the Suricata log.
16/9/2020 -- 09:26:54 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
16/9/2020 -- 09:26:54 - <Info> -- CPUs/cores online: 8
16/9/2020 -- 09:26:54 - <Info> -- HTTP memcap: 67108864
16/9/2020 -- 09:26:54 - <Notice> -- using flow hash instead of active packets
16/9/2020 -- 09:26:54 - <Info> -- fast output device (regular) initialized: alerts.log
16/9/2020 -- 09:26:54 - <Info> -- http-log output device (regular) initialized: http.log
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 205
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 230
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 361
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 419
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 578
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 579
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:3;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 737
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 871
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 897
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 1035
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 1091
16/9/2020 -- 09:26:54 - <Info> -- 1 rule files processed. 1377 rules successfully loaded, 11 rules failed
16/9/2020 -- 09:26:54 - <Info> -- Threshold config parsed: 0 rule(s) found
16/9/2020 -- 09:26:54 - <Info> -- 1378 signatures processed. 0 are IP-only rules, 363 are inspecting packet payload, 734 inspect application layer, 103 are decoder event only
16/9/2020 -- 09:26:55 - <Info> -- Using 1 live device(s).
16/9/2020 -- 09:26:55 - <Info> -- using interface xn1.48
16/9/2020 -- 09:26:55 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
16/9/2020 -- 09:26:55 - <Info> -- Set snaplen to 1518 for 'xn1.48'
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
16/9/2020 -- 09:26:56 - <Info> -- RunModeIdsPcapAutoFp initialised
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
-
I just got the following crash alert:
Crash report begins. Anonymous machine information:
amd64
12.2-PRERELEASE
FreeBSD 12.2-PRERELEASE e8a228fe328(devel-12) pfSense
Crash report details:
PHP Errors:
[16-Sep-2020 09:11:21 America/Los_Angeles] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 448
No FreeBSD crash data found.
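The log above mixes two different kinds of error. The SC_ERR_INVALID_SIGNATURE and SC_ERR_PCRE_PARSE lines are rule-parse failures that Suricata tolerates (it skips the rule and reports "1377 rules successfully loaded, 11 rules failed"), while the SC_ERR_POOL_INIT / SC_ERR_MEM_ALLOC / SC_ERR_THREAD_INIT / SC_ERR_INITIALIZATION sequence is what actually stops the daemon. The script below is an added example, not code from the poster or from the pfSense Suricata package: it parses suricata.log lines in the format shown, pairs each "error parsing signature" line with the reason line that precedes it, extracts the failing sid, and separates those from the fatal start-up errors. The sample log is a constructed, shortened subset of the lines in the post; the set of "fatal" codes is an assumption drawn from this log, not a Suricata-defined category.

```python
import re

# Constructed sample: a subset of the suricata.log lines from the post above, with
# the long rule bodies trimmed to the parts the parser needs (msg, the offending
# keyword, sid). The counts line is copied from the post, so 11 failures are
# reported even though only two of the failing rules are reproduced here.
SAMPLE_LOG = """\
16/9/2020 -- 09:26:54 - <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-"; within:1; distance:-14; http_header; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 205
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
16/9/2020 -- 09:26:54 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; byte_test:2,=,0,1,relative,little,bitmask 0x8000; sid:43004; rev:5;)" from file /usr/local/etc/suricata/suricata_24113_xn1.48/rules/suricata.rules at line 871
16/9/2020 -- 09:26:54 - <Info> -- 1 rule files processed. 1377 rules successfully loaded, 11 rules failed
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

# Log line shape: "<date> -- <time> - <Level> -- <message>"
LINE_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)> -- (?P<msg>.*)$")
# Error message shape: "[ERRCODE: NAME(num)] - text"
ERR_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SID_RE = re.compile(r"\bsid:(\d+);")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")

# Assumption for this triage: these codes appear only on the fatal path in the
# log above (pool/memcap failure -> worker thread init failure -> engine abort).
# Rule-parse codes are deliberately absent: Suricata skips a bad rule and goes on.
FATAL_CODES = {"SC_ERR_POOL_INIT", "SC_ERR_MEM_ALLOC", "SC_ERR_THREAD_INIT", "SC_ERR_INITIALIZATION"}


def triage(log_text):
    """Summarise a suricata.log: which rules failed to parse and why, and
    whether a fatal error prevented the engine from starting."""
    result = {"rule_failures": [], "fatal": [], "rules_loaded": None,
              "rules_failed": None, "engine_started": True}
    pending_reason = None  # reason line that precedes an "error parsing signature" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "Info":
            lm = LOADED_RE.search(msg)
            if lm:
                result["rules_loaded"] = int(lm.group(1))
                result["rules_failed"] = int(lm.group(2))
            continue
        if level != "Error":
            continue
        em = ERR_RE.match(msg)
        if not em:
            continue
        code, text = em.group("code"), em.group("text")
        if code in FATAL_CODES:
            result["fatal"].append((code, text))
            if code == "SC_ERR_INITIALIZATION":
                result["engine_started"] = False
        elif text.startswith("error parsing signature"):
            sm = SID_RE.search(text)
            result["rule_failures"].append((int(sm.group(1)) if sm else None, pending_reason))
            pending_reason = None
        else:
            pending_reason = f"{code}: {text}"
    return result


def needs_memcap_increase(summary):
    """True when a fatal line points at the stream session pool / stream.memcap."""
    return any("stream.memcap" in text for _, text in summary["fatal"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"rules loaded={s['rules_loaded']} failed={s['rules_failed']} engine_started={s['engine_started']}")
    for sid, reason in s["rule_failures"]:
        print(f"  rule sid:{sid} rejected: {reason}")
    if needs_memcap_increase(s):
        print("  fatal: stream session pool could not be allocated; raise stream.memcap")
```

Run against the full log, the rule failures are the list to hand to whoever maintains the ruleset, and the memcap hit is the one item that has to be fixed before the daemon will come up.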
-
@wlp94611 said in pfSense 2.5.0 Suricata daemon refuses to start:
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
Here is the problem with your failure to start --
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
16/9/2020 -- 09:26:56 - <Error> -- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
You need to do exactly what that error message says. Expand your TCP Stream Memcap limit. This limit needs to be substantially increased with high core-count CPUs. The default is fine for most systems, but if you have a high core-count CPU (6 cores or more), then you will need to bump the Stream Memcap value up. Start with 128 MB and go up from there until Suricata starts. The value can be found on the FLOW/STREAM tab for the interface.
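The advice above is a procedure: start at 128 MB and keep raising stream.memcap until Suricata starts. The script below is an added example, not code from the pfSense package or from the poster, that turns that procedure into a bounded escalation plan and applies a chosen value to the `stream:` section of a suricata.yaml. It assumes the usual Suricata memcap syntax (`64mb`, `1gb`), an assumed starting value of 64mb (the pfSense default is not stated in the thread), and a constructed YAML excerpt; the 4gb ceiling is an arbitrary guard so a runaway loop cannot request absurd memory. On pfSense the value is set on the FLOW/STREAM tab and the package regenerates suricata.yaml from it, so the file rewrite only makes sense on a stand-alone Suricata install; the sizing logic applies either way.

```python
import re

# Constructed excerpt in the shape of suricata.yaml (not a file from the thread).
SAMPLE_YAML = """\
%YAML 1.1
---
# stream engine settings
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb
flow:
  memcap: 128mb
"""

UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
MEMCAP_LINE_RE = re.compile(r"^(?P<head>\s*memcap:\s*)(?P<val>\S+)(?P<tail>.*)$")


def parse_memcap(value):
    """Parse a Suricata memcap string such as '64mb' or '1gb' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", str(value).lower())
    if not m:
        raise ValueError(f"not a memcap value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def format_memcap(nbytes):
    """Render bytes back in the largest unit that divides it exactly."""
    for unit in ("gb", "mb", "kb"):
        if nbytes % UNITS[unit] == 0:
            return f"{nbytes // UNITS[unit]}{unit}"
    return f"{nbytes}b"


def next_memcap(current, floor="128mb", factor=2, ceiling="4gb"):
    """One escalation step from the post: jump to 128 MB if below it, otherwise
    double. Raises ValueError once the ceiling is exceeded, the signal to stop
    throwing memory at the problem and look for another cause."""
    cur, lo, hi = parse_memcap(current), parse_memcap(floor), parse_memcap(ceiling)
    proposed = lo if cur < lo else cur * factor
    if proposed > hi:
        raise ValueError(f"memcap ceiling {ceiling} reached")
    return format_memcap(proposed)


def escalation_plan(current, ceiling="4gb"):
    """All values to try in order, starting from the current setting."""
    plan, value = [], current
    while True:
        try:
            value = next_memcap(value, ceiling=ceiling)
        except ValueError:
            return plan
        plan.append(value)


def bump_stream_memcap(yaml_text, new_value):
    """Return yaml_text with the memcap directly under `stream:` replaced.
    stream.reassembly.memcap and other sections are left alone. Plain line
    editing is used so comments and ordering survive (a YAML round-trip would
    drop the comments)."""
    parse_memcap(new_value)  # validate before touching the config
    lines = yaml_text.splitlines()
    in_stream, section_indent, replaced = False, None, 0
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # a new top-level key starts here
            in_stream = stripped.startswith("stream:")
            section_indent = None
            continue
        if not in_stream:
            continue
        if section_indent is None:
            section_indent = indent  # indent level of stream's direct children
        m = MEMCAP_LINE_RE.match(line)
        if indent == section_indent and m:
            lines[i] = m.group("head") + new_value + m.group("tail")
            replaced += 1
    if replaced != 1:
        raise ValueError(f"expected exactly one stream.memcap key, found {replaced}")
    return "\n".join(lines) + ("\n" if yaml_text.endswith("\n") else "")


if __name__ == "__main__":
    print("values to try:", escalation_plan("64mb"))
    print(bump_stream_memcap(SAMPLE_YAML, next_memcap("64mb")))
```

The plan from an assumed 64mb start is 128mb, 256mb, 512mb, 1gb, 2gb, 4gb; after each step restart Suricata and check the log for the SC_ERR_MEM_ALLOC line before going to the next.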
-
@wlp94611 said in pfSense 2.5.0 Suricata daemon refuses to start:
I just got the following crash alert:
Crash report begins. Anonymous machine information:
amd64
12.2-PRERELEASE
FreeBSD 12.2-PRERELEASE e8a228fe328(devel-12) pfSense
Crash report details:
PHP Errors:
[16-Sep-2020 09:11:21 America/Los_Angeles] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 448
No FreeBSD crash data found.
This is simply a warning message. You can delete the error report from the pfSense Dashboard.
-
Thank you @bmeeks for the learning experience. Bumping the memory alloc to 128GB solved the problem.
Best regards!