    Suricata - prefix or user NULL

    nikkon

      Hi all,

      Today, for some reason, Suricata stopped.
      I tried to find my latest changes in the suppress list, and even after deleting all of them it's the same.

      Suricata.log looks like this:

      30/3/2017 -- 15:02:19 - <notice>-- This is Suricata version 3.1.2 RELEASE
      30/3/2017 -- 15:02:19 - <info>-- CPUs/cores online: 8
      30/3/2017 -- 15:02:19 - <info>-- HTTP memcap: 67108864
      30/3/2017 -- 15:02:19 - <notice>-- using flow hash instead of active packets
      30/3/2017 -- 15:02:38 - <info>-- 2 rule files processed. 19613 rules successfully loaded, 0 rules failed
      30/3/2017 -- 15:02:38 - <info>-- 19619 signatures processed. 1289 are IP-only rules, 5983 are inspecting packet payload, 14662 inspect application layer, 101 are decoder event only
      30/3/2017 -- 15:02:45 - <info>-- Threshold config parsed: 0 rule(s) found
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface em0 IPv6 address fe80:0000:0000:0000:021b:21ff:fe98:42b7 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface igb1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:9e79 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface igb1 IPv4 address 10.20.30.1 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:9e7a to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv4 address 192.168.100.1 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface lagg0 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface pppoe0 IPv6 address fe80:0000:0000:0000:0000:0000:bc1a:db37 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface pppoe0 IPv4 address 188.26.219.55 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:021b:21ff:fe98:42b7 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf -> adding firewall interface ovpns1 IPv4 address 10.20.30.1 to automatic interface IP Pass List.
      30/3/2017 -- 15:02:45 - <info>-- alert-pf output device (regular) initialized: block.log
      30/3/2017 -- 15:02:45 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENTS(52)] - prefix or user NULL

      Any clues on this?

      pfsense 2.3.4 on Supermicro A1SRi-2758F + 8GB ECC + SSD

      Happy PfSense user :)

      nikkon

        I reinstalled the pkg and now, after reloading all rules, I got a different issue:

        31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
        31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 27527
        31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
        31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/suricata_46241_pppoe0/rules/suricata.rules at line 28480
        31/3/2017 -- 08:50:27 - <info>-- 1 rule files processed. 28653 rules successfully loaded, 35 rules failed
        31/3/2017 -- 08:50:28 - <info>-- 28659 signatures processed. 1278 are IP-only rules, 8453 are inspecting packet payload, 21468 inspect application layer, 101 are decoder event only
        31/3/2017 -- 08:50:38 - <info>-- Threshold config parsed: 0 rule(s) found
        31/3/2017 -- 08:50:38 - <info>-- fast output device (regular) initialized: alerts.log
        31/3/2017 -- 08:50:38 - <info>-- http-log output device (regular) initialized: http.log
        31/3/2017 -- 08:50:38 - <info>-- Syslog output initialized
        31/3/2017 -- 08:50:38 - <info>-- Using 1 live device(s).
        31/3/2017 -- 08:50:38 - <info>-- using interface pppoe0
        31/3/2017 -- 08:50:38 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
        31/3/2017 -- 08:50:38 - <info>-- Found an MTU of 1492 for 'pppoe0'
        31/3/2017 -- 08:50:38 - <info>-- Set snaplen to 1516 for 'pppoe0'
        31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
        31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed

        nikkon

          Can be closed.
          The problem was solved by increasing the Flow Memory Cap and Stream Memory Cap to 128MB.

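As an added example (not from the thread or the Suricata/pfSense projects), a small triage script for suricata.log in the format shown above: it parses the date/level/ERRCODE layout, totals the "rules failed" count from the rule-loading summary, and attaches a hint per error class. The HINTS table is an assumption built from what this thread found (pool errors fixed by raising the memcaps), not Suricata's own documentation; the sample log is constructed, modelled on the second post.

```python
import re
from collections import Counter

# Line layout as seen in the thread: "31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error"
# The date/time separator is accepted as "--" or an en dash, since copy/paste often mangles it.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?:--|\u2013) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)>-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
RULES_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")

# Hint table (an assumption drawn from this thread, not Suricata's own documentation).
HINTS = {
    "SC_ERR_POOL_INIT": "a packet/flow pool could not be allocated or grown: raise the Flow and "
                        "Stream memory caps (the thread resolved it at 128MB)",
    "SC_ERR_INVALID_SIGNATURE": "a rule failed to parse and was skipped: inspect the quoted rule "
                                "and line number in the rules file",
    "SC_ERR_INVALID_ARGUMENTS": "a module got a NULL/invalid argument at startup: check the package "
                                "configuration (the thread worked around it by reinstalling)",
}

def parse_line(line):
    """Return a dict with date, time, level, msg and errcode/errnum (None if absent), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["errcode"], rec["errnum"] = None, None
    e = ERRCODE_RE.match(rec["msg"])
    if e:  # split "[ERRCODE: NAME(NN)] - text" into its parts
        rec["errcode"], rec["errnum"], rec["msg"] = e["name"], int(e["num"]), e["text"]
    return rec

def summarize(log_text):
    """Count log levels and error classes, total failed rules, and attach one hint per error class."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    errors = Counter(r["errcode"] for r in recs if r["errcode"])
    failed = sum(int(m["failed"]) for r in recs for m in [RULES_RE.search(r["msg"])] if m)
    return {
        "levels": Counter(r["level"] for r in recs),
        "errors": errors,
        "rules_failed": failed,
        "hints": {code: HINTS.get(code, "no hint for this error class") for code in errors},
    }

# Constructed sample modelled on the second post's log (not a verbatim copy of the thread).
SAMPLE_LOG = """\
31/3/2017 -- 08:50:26 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
31/3/2017 -- 08:50:27 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
31/3/2017 -- 08:50:27 - <info>-- 1 rule files processed. 28653 rules successfully loaded, 35 rules failed
31/3/2017 -- 08:50:38 - <info>-- Found an MTU of 1492 for 'pppoe0'
31/3/2017 -- 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
31/3/2017 \u2013 08:50:38 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real /var/log/suricata/<iface>/suricata.log by passing the file contents to summarize(); a non-zero rules_failed count with no SC_ERR_POOL_INIT means the engine still started and only the listed rules were dropped.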