Suricata Parse Error (solved)

NollipfSense · Jul 29, 2019, 3:31 AM

Got this Suricata error in Suricata log:

28/7/2019 -- 13:15:05 - <Notice> -- This is Suricata version 4.1.4 RELEASE
28/7/2019 -- 13:15:05 - <Info> -- CPUs/cores online: 8
28/7/2019 -- 13:15:05 - <Info> -- HTTP memcap: 67108864
28/7/2019 -- 13:15:05 - <Notice> -- using flow hash instead of active packets
28/7/2019 -- 13:15:05 - <Info> -- Netmap: Setting IPS mode
28/7/2019 -- 13:15:05 - <Error> -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - invalid size argument - 33,554,432. Valid size argument should be in the format -
xxx <- indicates it is just bytes
xxxkb or xxxKb or xxxKB or xxxkB <- indicates kilobytes
xxxmb or xxxMb or xxxMB or xxxmB <- indicates megabytes
xxxgb or xxxGb or xxxGB or xxxgB <- indicates gigabytes.

28/7/2019 -- 13:15:05 - <Error> -- [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing defrag.memcap from conf file - 33,554,432. Killing engine

However, IP Defragmentation
Fragmentation Memory Cap
33,554,432
Max memory to be used for defragmentation. Default is 33,554,432 bytes (32 MB). Sets the maximum amount of memory, in bytes, to be used by the IP defragmentation engine.

So, I am not understanding why I am getting the error and what to do to correct this. I am using Intel i350 NIC. Flow stream set to 512MB for the 8 core.

NollipfSense · Jul 29, 2019, 3:30 AM

@NollipfSense said in Suricata Parse Error:

<Error> -- [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing defrag.memcap from conf file - <Error> -- [ERRCODE: SC_ERR_SIZE_PARSE(198)] - Error parsing defrag.memcap from conf file - 33,554,432. Killing engine.

Well, this is a little embarrassing however, I got the issue fixed and it's right here (33,554,432)...should have been 33554432. Suricata now runs in inline mode.