Suricata stops after 10 seconds



  • Hi all,

    For some reason I'm not able to find out, Suricata is not able to start.
    pfSense 2.3_1
    x86 full install
    Suricata v. 3.0_7

    I used it on the WAN interface, which is PPPoE. The log looks like this:
    30/5/2016 -- 20:51:35 - <notice>-- This is Suricata version 3.0 RELEASE
    30/5/2016 -- 20:51:35 - <info>-- CPUs/cores online: 8
    30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
    30/5/2016 -- 20:51:35 - <info>-- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
    30/5/2016 -- 20:51:35 - <info>-- HTTP memcap: 67108864
    30/5/2016 -- 20:51:35 - <info>-- DNS request flood protection level: 500
    30/5/2016 -- 20:51:35 - <info>-- DNS per flow memcap (state-memcap): 524288
    30/5/2016 -- 20:51:35 - <info>-- DNS global memcap: 16777216
    30/5/2016 -- 20:51:35 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    30/5/2016 -- 20:51:35 - <info>-- preallocated 65535 defrag trackers of size 136
    30/5/2016 -- 20:51:35 - <info>-- defrag memory usage: 10485624 bytes, maximum: 33554432
    30/5/2016 -- 20:51:35 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
    30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 hosts of size 104
    30/5/2016 -- 20:51:35 - <info>-- host memory usage: 366144 bytes, maximum: 16777216
    30/5/2016 -- 20:51:35 - <info>-- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
    30/5/2016 -- 20:51:35 - <info>-- preallocated 10000 flows of size 256
    30/5/2016 -- 20:51:35 - <info>-- flow memory usage: 6754304 bytes, maximum: 33554432
    30/5/2016 -- 20:51:35 - <info>-- stream "prealloc-sessions": 32768 (per thread)
    30/5/2016 -- 20:51:35 - <info>-- stream "memcap": 67108864
    30/5/2016 -- 20:51:35 - <info>-- stream "midstream" session pickups: disabled
    30/5/2016 -- 20:51:35 - <info>-- stream "async-oneside": disabled
    30/5/2016 -- 20:51:35 - <info>-- stream "checksum-validation": disabled
    30/5/2016 -- 20:51:35 - <info>-- stream."inline": disabled
    30/5/2016 -- 20:51:35 - <info>-- stream "max-synack-queued": 5
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "memcap": 67108864
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "depth": 0
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "toclient-chunk-size": 2596
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly.raw: enabled
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 4, prealloc 256
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 16, prealloc 512
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 112, prealloc 512
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 248, prealloc 512
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 512, prealloc 512
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 768, prealloc 1024
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 1448, prealloc 1024
    30/5/2016 -- 20:51:35 - <info>-- segment pool: pktsize 65535, prealloc 128
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "chunk-prealloc": 250
    30/5/2016 -- 20:51:35 - <info>-- stream.reassembly "zero-copy-size": 128
    30/5/2016 -- 20:51:35 - <info>-- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
    30/5/2016 -- 20:51:35 - <info>-- preallocated 1000 ippairs of size 104
    30/5/2016 -- 20:51:35 - <info>-- ippair memory usage: 366144 bytes, maximum: 16777216
    30/5/2016 -- 20:51:35 - <info>-- using magic-file /usr/share/misc/magic
    30/5/2016 -- 20:51:35 - <info>-- Delayed detect disabled
    30/5/2016 -- 20:51:35 - <info>-- IP reputation disabled
    30/5/2016 -- 20:51:35 - <info>-- Loading rule file: /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules
    30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 70
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 103
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/.jpg\x20HTTP/1.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+.com.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 138
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 196
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 300
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 301
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=\%2Fload\.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 307
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 425
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: /|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 429
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 614
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 615
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 660
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 665
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; http_client_body; content:"&admin="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&hid="; distance:0; http_client_body; content:"&arc="; distance:0; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 792
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    30/5/2016 – 20:51:36 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 793
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_server,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36007; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20126
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_client,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"]span\s=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36006; rev:2;)" from file /usr/local/etc/suricata/suricata_31451_pppoe1/rules/suricata.rules at line 20127
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    30/5/2016 – 20:51:56 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"



  • Do a quick search through this forum and you will find the solution.  You need to increase the STREAM memory settings.  Off the top of my head I don't recall the exact parameter.  Search for this error either here or on Google to find the exact parameter to tweak:

    
    [ERRCODE: SC_ERR_POOL_INIT(66)] 
    
    

    All those other errors are caused by running Snort VRT rules on Suricata.  There are many Snort VRT rules that Suricata will not digest and will discard and not use because they contain unsupported rule options.

    Bill
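Added example (not part of either post above): a Python sketch that splits a suricata.log like the one in this thread into rejected-signature entries, grouped by the reason line that precedes each "error parsing signature" entry, and any other error codes such as the SC_ERR_POOL_INIT(66) mentioned in the reply. The sample lines are constructed from the log above with rule bodies shortened, and the SC_ERR_POOL_INIT message text is a placeholder because the thread does not show it.

```python
import re
from collections import defaultdict

# Accepts "--" or an en dash between date and time, and either
# "<Error> - " or the forum-mangled "<error>-- " after the log level.
LINE_RE = re.compile(
    r'^\s*\d{1,2}/\d{1,2}/\d{4}\s*(?:--|\u2013)\s*\d{2}:\d{2}:\d{2}'
    r'\s*-\s*<(?P<level>\w+)>\s*-+\s*(?P<rest>.*)$'
)
ERR_RE = re.compile(r'^\[ERRCODE: (?P<code>\w+)\(\d+\)\]\s*-\s*(?P<msg>.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def triage(lines):
    """Return (rejected, other_errors).

    rejected:     {reason text: [sid, ...]} for SC_ERR_INVALID_SIGNATURE pairs
    other_errors: [(code, message), ...] for every other error code
    """
    rejected = defaultdict(list)
    other_errors = []
    pending_reason = None  # reason line waiting for its "error parsing" line
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or m.group('level').lower() != 'error':
            continue
        e = ERR_RE.match(m.group('rest'))
        if not e:
            continue
        code, msg = e.group('code'), e.group('msg')
        if code != 'SC_ERR_INVALID_SIGNATURE':
            other_errors.append((code, msg))
            pending_reason = None
        elif msg.startswith('error parsing signature'):
            sids = SID_RE.findall(msg)
            # The sid option sits near the end of the rule; a truncated
            # rule with no sid is recorded as None rather than dropped.
            sid = int(sids[-1]) if sids else None
            rejected[pending_reason or 'unspecified'].append(sid)
            pending_reason = None
        else:
            pending_reason = msg
    return dict(rejected), other_errors


# Constructed sample: lines taken from the thread's log, rule bodies shortened.
SAMPLE = r'''
30/5/2016 -- 20:51:35 - <info>-- CPUs/cores online: 8
30/5/2016 -- 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"(shortened)"; dsize:267<>276; http_header; sid:25675; rev:7;)" from file suricata.rules at line 70
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"(shortened)"; fast_pattern:only; within:1; sid:26470; rev:1;)" from file suricata.rules at line 103
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
30/5/2016 – 20:51:35 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"(shortened)"; dsize:142; http_uri; sid:26966; rev:3;)" from file suricata.rules at line 196
30/5/2016 -- 20:51:56 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - (constructed line; message text not shown in the thread)
'''

if __name__ == '__main__':
    rejected, other = triage(SAMPLE.splitlines())
    for reason, sids in rejected.items():
        print(f'{len(sids):4d} rejected  {reason[:70]}  sids={sids}')
    for code, msg in other:
        print(f'NON-RULE ERROR {code}: {msg}')
```

Run against the real log, the second list is the one to read first: it holds whatever is left once the rule-compatibility rejections are filtered out.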