Suricata IDS 1.4.6 BETA package update v0.3 released
-
Suricata 1.4.6 pkg. v0.3-BETA Update Released
An update to the Suricata package for pfSense has been released. This is a GUI package update only. Two significant bug fixes and one new feature are in this update.
New Feature
A LOGS MGMT tab is added to the top-level tab menu to provide a means for specifying log size limits and log rotation intervals for the Suricata logs that do not have this capability native within Suricata. You can now specify a size limit after which a log file will be automatically rotated. You can also specify a retention period controlling how long rotated files remain on disk before being automatically deleted. This new capability is available for the following logs: alerts.log, files-json.log, http.log, stats.log, and tls.log. These particular files can become quite large on a busy network and then are difficult to view within the built-in Logs Browser. Attached at the bottom of this post is a screenshot of the new LOGS MGMT tab.
Please note that for now the logs are managed by a cron job that executes every 5 minutes. That means that on a super busy network (or if you have the stats log updating on a very short interval), some of the files may grow a little beyond the limit set on the LOGS MGMT tab before being rotated. This happens because the size is only checked every 5 minutes. This gives some logs time to grow in between checks. Eventually I hope to roll the log limits into the binary itself so that it rotates the logs and the GUI package does not have to do it via cron.
Bug Fixes
1. A disabled Suricata interface would become enabled again upon a reboot of the firewall.
2. Multiple instances of Barnyard2 may be started on reboots or when all packages are restarted by the firewall.
3. IPv6 display issues in the Suricata Dashboard widget caused text to overrun the right margin.
4. Disabling a Suricata interface resulted in a bogus validation error when trying to save the change.
Bill
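The LOGS MGMT scheme described in the post above (a size limit that triggers rotation, a retention period for the rotated copies, a cron job every 5 minutes), written out as an added shell example that is not the pfSense package's own code. It assumes rotated copies are named <log>.<UNIX timestamp> (the thread later says the suffix is a plain UNIX timestamp; the exact naming is assumed here), that rotation is copy-then-truncate so the running Suricata keeps its open file descriptor, and a hypothetical script path in the crontab comment.

```shell
#!/bin/sh
# Added example (not the pfSense Suricata package's own code): a cron-style
# sweep implementing a size limit with rotation plus a retention period.
# Rotation is copy-then-truncate: Suricata keeps its open descriptor and,
# since it appends, carries on writing into the truncated file (lines written
# between the copy and the truncate are lost; that is the trade-off for not
# having to make Suricata reopen its logs). A crontab entry such as
#   */5 * * * * /usr/local/bin/suricata_logsweep.sh    (hypothetical path)
# runs sweep() every 5 minutes, which is why a log can overshoot the limit
# a little between checks.
set -u

# rotate_if_oversize LOGFILE LIMIT_BYTES [NOW_EPOCH]
#   Copies LOGFILE to LOGFILE.<NOW_EPOCH> and truncates LOGFILE when it is
#   larger than LIMIT_BYTES. Prints "rotated", "ok" or "missing".
rotate_if_oversize() {
    log=$1; limit=$2; now=${3:-$(date +%s)}
    [ -f "$log" ] || { echo missing; return 0; }
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -gt "$limit" ]; then
        cp -p "$log" "$log.$now"
        : > "$log"          # truncate in place; the writer's fd stays valid
        echo rotated
    else
        echo ok
    fi
}

# purge_rotated LOGFILE RETENTION_DAYS [NOW_EPOCH]
#   Deletes LOGFILE.<epoch> copies whose timestamp is older than
#   RETENTION_DAYS. Prints the number of files removed.
purge_rotated() {
    log=$1; days=$2; now=${3:-$(date +%s)}
    cutoff=$((now - days * 86400))
    removed=0
    for f in "$log".*; do
        [ -f "$f" ] || continue
        stamp=${f##*.}
        # only files whose suffix is purely numeric are our rotated copies
        case $stamp in ''|*[!0-9]*) continue ;; esac
        if [ "$stamp" -lt "$cutoff" ]; then
            rm -f "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# sweep LOGDIR LIMIT_BYTES RETENTION_DAYS
#   One cron run over the five logs the LOGS MGMT tab manages.
sweep() {
    dir=$1; limit=$2; days=$3
    for name in alerts.log files-json.log http.log stats.log tls.log; do
        rotate_if_oversize "$dir/$name" "$limit" >/dev/null
        purge_rotated "$dir/$name" "$days" >/dev/null
    done
}
```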
-
Overall that's a great implementation for log file rotation. Thanks!
What is the timestamp based on? Not possible/practical to make it a more 'human recognizable' YYYYMMDD… value? Would just make it easier to identify the file with the time frame you are looking for.
-
Overall that's a great implementation for log file rotation. Thanks!
What is the timestamp based on? Not possible/practical to make it a more 'human recognizable' YYYYMMDD… value? Would just make it easier to identify the file with the time frame you are looking for.
The timestamp is the vanilla UNIX timestamp (the number of seconds that have elapsed since midnight January 1, 1970). I used that format because that's what Suricata does for the other logs it does rotate on its own. I figured consistency with the other logs would be the best way to do it.
Bill
-
First, I'd like to apologize if my comment is incorrect. I am not a native English speaker. The tabs "Check" and "Force" have the "opposite" meanings for me. If you want to just "Check", the program shouldn't download anything, just notify me.
-
?! Erm, maybe it is considered to be Update&Upgrade meaning updating the rules and upgrading the software accordingly ?!
-
?! Erm, maybe it is considered to be Update&Upgrade meaning updating the rules and upgrading the software accordingly ?!
The two buttons were intended to work this way. Your comment about "checking" versus "updating" is valid, though.
The original behavior was to download the MD5 hash from the publisher's web site and compare the hash to the locally stored hash for the current rules package. If the hash codes matched, nothing else was done. If they did not match, new rules would be downloaded and applied to all running Snort processes (according to the specific rules enabled for each process). There were occasions when a "bad" rules package would be downloaded but the MD5 hash file was OK. In this situation, in order to get a fresh uncorrupted rules package, a manual edit of the MD5 hash file was required to "force" a mismatch in hash values so a new package would download. This is what the new FORCE button does. It downloads a fresh rules package without testing the MD5 hash first.
Bill
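The check-versus-force logic Bill describes above, as an added shell example that is not the package's own code: the first button compares the publisher's MD5 file with the stored one and stops on a match, FORCE skips that comparison. File names (rules.tar.gz, rules.tar.gz.md5) are made up, the "publisher" is a local directory so the script runs offline, and the verification of the downloaded package against the published digest is an added check that the thread does not describe.

```shell
#!/bin/sh
# Added example (not the pfSense Snort/Suricata package's own code) of the
# UPDATE-versus-FORCE rules update logic. The publisher's web site is stood
# in for by a local directory; a real implementation would fetch(1) the URLs.
set -u

WORKDIR=$(mktemp -d)
REMOTE=$WORKDIR/remote      # stand-in for the publisher's web site
LOCAL=$WORKDIR/local        # stand-in for the package's rules directory
mkdir -p "$REMOTE" "$LOCAL"

# fetch_remote NAME DEST : placeholder for downloading publisher file NAME
fetch_remote() { cp "$REMOTE/$1" "$2"; }

# md5_of FILE : hex MD5 digest via FreeBSD md5(1) or GNU md5sum(1)
md5_of() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1; fi
}

# rules_update MODE
#   MODE "check": download only the .md5 file and stop if it matches the
#   stored one (the original button). MODE "force": skip that comparison
#   and always download the package (the FORCE button).
#   Prints up-to-date | downloaded | corrupt.
rules_update() {
    mode=$1
    fetch_remote rules.tar.gz.md5 "$LOCAL/rules.tar.gz.md5.new"
    if [ "$mode" = check ] && [ -f "$LOCAL/rules.tar.gz.md5" ] &&
       cmp -s "$LOCAL/rules.tar.gz.md5" "$LOCAL/rules.tar.gz.md5.new"; then
        rm -f "$LOCAL/rules.tar.gz.md5.new"
        echo up-to-date
        return 0
    fi
    fetch_remote rules.tar.gz "$LOCAL/rules.tar.gz.new"
    # Added check, not described in the thread: verify the downloaded package
    # against the published digest before installing it. A truncated or
    # corrupt download is discarded and the stored hash is NOT advanced, so
    # the next scheduled check retries instead of believing it is current.
    # (Both files come from the same publisher, so this detects a damaged
    # download, not a tampered one; that would need a signature.)
    want=$(cut -d' ' -f1 "$LOCAL/rules.tar.gz.md5.new")
    if [ "$(md5_of "$LOCAL/rules.tar.gz.new")" != "$want" ]; then
        rm -f "$LOCAL/rules.tar.gz.new" "$LOCAL/rules.tar.gz.md5.new"
        echo corrupt
        return 1
    fi
    mv "$LOCAL/rules.tar.gz.new" "$LOCAL/rules.tar.gz"
    mv "$LOCAL/rules.tar.gz.md5.new" "$LOCAL/rules.tar.gz.md5"
    echo downloaded
}
```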
-
Is there a trick to getting Suricata to start? (Do I need to reboot, for example?)
The documentation doesn't make this clear and I'm currently unable to start Suricata by clicking on the red "X" icon, I get this in the logs:
Apr 14 18:07:38 pf1 php: /suricata/suricata_interfaces.php: Toggle (suricata starting) for XXX(Xxx Internet)…
Apr 14 18:07:42 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: XXX …
Apr 14 18:07:45 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Building new sig-msg.map file for XXX…
Apr 14 18:07:49 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Suricata START for XXX Internet(igb6)…
…but then it returns to the config screen with the red X still present and no suricata processes running.
I'm running 2.1-RELEASE on 4GB Nano.
Please Advise
-
Did you perform a Rules Update? If not, that needs to be done first before it will start.
-
@BBcan17:
Did you perform a Rules Update? If not, that needs to be done first before it will start.
Yeah before I configured the interfaces and tried to start.
Thanks
-
@BBcan17:
Did you perform a Rules Update? If not, that needs to be done first before it will start.
Yeah before I configured the interfaces and tried to start.
Thanks
Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents. See what errors are in there. Suricata logs its stuff to its own private log file. Report back if you see something in there.
Bill
-
Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents. See what errors are in there. Suricata logs its stuff to its own private log file. Report back if you see something in there.
Bill
Thanks Bill.
I checked under the "Logs Browser" and none of the logs exist, they all return "Log file does not exist or that logging feature is not enabled."
I'm using ETOpen, Snort VRT (free registered) and Snort GPLv2.
I'll schedule some time to reboot the firewall to see if that's what it needs.
Thanks
-S
-
Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents. See what errors are in there. Suricata logs its stuff to its own private log file. Report back if you see something in there.
Bill
Thanks Bill.
I checked under the "Logs Browser" and none of the logs exist, they all return "Log file does not exist or that logging feature is not enabled."
I'm using ETOpen, Snort VRT (free registered) and Snort GPLv2.
I'll schedule some time to reboot the firewall to see if that's what it needs.
Thanks
-S
Whoa! That's certainly not right. The suricata.log file should always exist as it is created with any attempted start of Suricata. Something is seriously borked with the Suricata install is my suspicion. A reboot and possible reinstall of Suricata would be a good start.
EDIT UPDATE: just re-read your original post and noticed the NanoBSD mention. I overlooked that previously. That could be the problem. There may be some problems with Suricata forgetting to put the file system in R/W mode before it writes configuration information. I did all my development and testing on regular installs with hard disks (well, virtual hard disks in VMs). I have not tested Suricata on something like NanoBSD. You also may not have enough RAM to run Suricata and pfSense. You said 4 GB, so I assume that is total CF capacity. The OS is going to take a bit, and then Suricata gets what's left over. That is not going to be much.
Bill
-
I did the nano install to try pfSense over the existing (commercial, expensive and outdated) install on the boxes. I've been planning on converting them to HDD based installs anyways, so I'll hold off on suricata until then.
Thanks!
-
I did the nano install to try pfSense over the existing (commercial, expensive and outdated) install on the boxes. I've been planning on converting them to HDD based installs anyways, so I'll hold off on suricata until then.
Thanks!
It should work fine on a conventional HDD (or SSD) installation. Unfortunately, I don't have a CF system to test with.
Bill
-
Hi
My logs are full of this message when starting Suricata
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
(the same line is repeated many more times)
Version 2.1.2-RELEASE (amd64) built on Thu Apr 10 05:42:13 EDT 2014 FreeBSD 8.3-RELEASE-p15 You are on the latest version.
Any pointers?
Thanks
-
Hi
My logs are full of this message when starting Suricata
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
Apr 17 17:50:44 suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
(the same line is repeated many more times)
Version 2.1.2-RELEASE (amd64) built on Thu Apr 10 05:42:13 EDT 2014 FreeBSD 8.3-RELEASE-p15 You are on the latest version.
Any pointers?
Thanks
Have not seen that error before. This essentially means the protocol on the interface is not supported by Suricata. Let me first ask you to try the old standard technique of removing Suricata and reinstalling. Before doing this, go to the GLOBAL SETTINGS tab and check the box near the bottom of the page to retain Suricata settings when deinstalling. Save that change and then remove the package under System…Packages from the pfSense menu. When removal is complete, install it again.
Please report back on the result. Also, can you post what the interfaces are you are using Suricata on? By that I mean vanilla Ethernet, or maybe something like PPP or some kind of tunneling interface?
Bill
-
Remember to reboot after deinstall… before you install it again!
-
Have not seen that error before. This essentially means the protocol on the interface is not supported by Suricata. Let me first ask you to try the old standard technique of removing Suricata and reinstalling. Before doing this, go to the GLOBAL SETTINGS tab and check the box near the bottom of the page to retain Suricata settings when deinstalling. Save that change and then remove the package under System…Packages from the pfSense menu. When removal is complete, install it again.
Please report back on the result. Also, can you post what the interfaces are you are using Suricata on? By that I mean vanilla Ethernet, or maybe something like PPP or some kind of tunneling interface?
Bill
Remove and reinstall done - no change - still get the error when using the WAN interface.
I have created a LAN interface mapping, and it works just fine.
The WAN mapping is a PPPOE interface - looks like that type is not yet supported.
Here is the log for the working LAN interface ( type em0 ):
18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 65535 defrag trackers of size 120
18/4/2014 -- 12:42:24 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
18/4/2014 -- 12:42:24 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/4/2014 -- 12:42:24 - <info>-- preallocated 1024 packets. Total memory 4294656
18/4/2014 -- 12:42:24 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 1000 hosts of size 96
18/4/2014 -- 12:42:24 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 10000 flows of size 224
18/4/2014 -- 12:42:24 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
18/4/2014 -- 12:42:24 - <info>-- IP reputation disabled
18/4/2014 -- 12:42:24 - <info>-- Added "35" classification types from the classification file
18/4/2014 -- 12:42:24 - <info>-- Added "19" reference types from the reference.config file
18/4/2014 -- 12:42:24 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/magic
18/4/2014 -- 12:42:24 - <info>-- Delayed detect enabled
18/4/2014 -- 12:42:24 - <info>-- Packets will start being processed before signatures are active.
18/4/2014 -- 12:42:24 - <info>-- Threshold config parsed: 1 rule(s) found
18/4/2014 -- 12:42:24 - <info>-- Core dump size is unlimited.
18/4/2014 -- 12:42:24 - <info>-- fast output device (regular) initialized: alerts.log
18/4/2014 -- 12:42:24 - <info>-- Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/4/2014 -- 12:42:24 - <info>-- http-log output device (regular) initialized: http.log
18/4/2014 -- 12:42:24 - <info>-- Syslog output initialized
18/4/2014 -- 12:42:24 - <info>-- Using 1 live device(s).
18/4/2014 -- 12:42:24 - <info>-- using interface em0
18/4/2014 -- 12:42:24 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/4/2014 -- 12:42:24 - <info>-- Found an MTU of 1500 for 'em0'
18/4/2014 -- 12:42:24 - <info>-- Set snaplen to 1500 for 'em0'
18/4/2014 -- 12:42:24 - <info>-- RunModeIdsPcapAutoFp initialised
18/4/2014 -- 12:42:24 - <info>-- stream "max-sessions": 262144
18/4/2014 -- 12:42:24 - <info>-- stream "prealloc-sessions": 32768
18/4/2014 -- 12:42:24 - <info>-- stream "memcap": 33554432
18/4/2014 -- 12:42:24 - <info>-- stream "midstream" session pickups: disabled
18/4/2014 -- 12:42:24 - <info>-- stream "async-oneside": disabled
18/4/2014 -- 12:42:24 - <info>-- stream "checksum-validation": disabled
18/4/2014 -- 12:42:24 - <info>-- stream."inline": disabled
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "memcap": 67108864
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "depth": 0
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/4/2014 -- 12:42:24 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 59
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 94
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 129
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 189
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 291
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 292
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 298
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 416
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 421
18/4/2014 -- 12:42:28 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
18/4/2014 -- 12:42:35 - <info>-- 2 rule files processed. 15090 rules successfully loaded, 9 rules failed
Here's the log for the non-working WAN interface ( type PPPOE ):
18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 65535 defrag trackers of size 120
18/4/2014 -- 12:46:39 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
18/4/2014 -- 12:46:39 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/4/2014 -- 12:46:39 - <info>-- preallocated 1024 packets. Total memory 4294656
18/4/2014 -- 12:46:39 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 1000 hosts of size 96
18/4/2014 -- 12:46:39 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 10000 flows of size 224
18/4/2014 -- 12:46:39 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
18/4/2014 -- 12:46:39 - <info>-- IP reputation disabled
18/4/2014 -- 12:46:39 - <info>-- Added "35" classification types from the classification file
18/4/2014 -- 12:46:39 - <info>-- Added "19" reference types from the reference.config file
18/4/2014 -- 12:46:39 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_51110_pppoe0/magic
18/4/2014 -- 12:46:39 - <info>-- Delayed detect enabled
18/4/2014 -- 12:46:39 - <info>-- Packets will start being processed before signatures are active.
18/4/2014 -- 12:46:39 - <info>-- Threshold config parsed: 0 rule(s) found
18/4/2014 -- 12:46:39 - <info>-- Core dump size is unlimited.
18/4/2014 -- 12:46:39 - <info>-- fast output device (regular) initialized: alerts.log
18/4/2014 -- 12:46:39 - <info>-- http-log output device (regular) initialized: http.log
18/4/2014 -- 12:46:39 - <info>-- Syslog output initialized
18/4/2014 -- 12:46:39 - <info>-- Using 1 live device(s).
18/4/2014 -- 12:46:39 - <info>-- using interface pppoe0
18/4/2014 -- 12:46:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/4/2014 -- 12:46:39 - <info>-- Found an MTU of 1492 for 'pppoe0'
18/4/2014 -- 12:46:39 - <info>-- Set snaplen to 1492 for 'pppoe0'
18/4/2014 -- 12:46:39 - <info>-- RunModeIdsPcapAutoFp initialised
18/4/2014 -- 12:46:39 - <info>-- stream "max-sessions": 262144
18/4/2014 -- 12:46:39 - <info>-- stream "prealloc-sessions": 32768
18/4/2014 -- 12:46:39 - <info>-- stream "memcap": 33554432
18/4/2014 -- 12:46:39 - <info>-- stream "midstream" session pickups: disabled
18/4/2014 -- 12:46:39 - <info>-- stream "async-oneside": disabled
18/4/2014 -- 12:46:39 - <info>-- stream "checksum-validation": disabled
18/4/2014 -- 12:46:39 - <info>-- stream."inline": disabled
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "memcap": 67108864
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "depth": 0
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/4/2014 -- 12:46:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
18/4/2014 -- 12:46:39 - <info>-- 1 rule files processed. 163 rules successfully loaded, 0 rules failed
18/4/2014 -- 12:46:39 - <info>-- 163 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 35 inspect application layer, 76 are decoder event only
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 2: building source address list... complete
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
18/4/2014 -- 12:46:39 - <info>-- Signature(s) loaded, Detect thread(s) activated.
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
( lots of repeats snipped )
-
Remove and reinstall done - no change - still get the error when using the WAN interface.
I have created a LAN interface mapping, and it works just fine.
The WAN mapping is a PPPoE interface - looks like that type is not yet supported.
Here is the log for the working LAN interface (type em0):
18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 65535 defrag trackers of size 120
18/4/2014 -- 12:42:24 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
18/4/2014 -- 12:42:24 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/4/2014 -- 12:42:24 - <info>-- preallocated 1024 packets. Total memory 4294656
18/4/2014 -- 12:42:24 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 1000 hosts of size 96
18/4/2014 -- 12:42:24 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
18/4/2014 -- 12:42:24 - <info>-- preallocated 10000 flows of size 224
18/4/2014 -- 12:42:24 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
18/4/2014 -- 12:42:24 - <info>-- IP reputation disabled
18/4/2014 -- 12:42:24 - <info>-- Added "35" classification types from the classification file
18/4/2014 -- 12:42:24 - <info>-- Added "19" reference types from the reference.config file
18/4/2014 -- 12:42:24 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/magic
18/4/2014 -- 12:42:24 - <info>-- Delayed detect enabled
18/4/2014 -- 12:42:24 - <info>-- Packets will start being processed before signatures are active.
18/4/2014 -- 12:42:24 - <info>-- Threshold config parsed: 1 rule(s) found
18/4/2014 -- 12:42:24 - <info>-- Core dump size is unlimited.
18/4/2014 -- 12:42:24 - <info>-- fast output device (regular) initialized: alerts.log
18/4/2014 -- 12:42:24 - <info>-- Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/4/2014 -- 12:42:24 - <info>-- http-log output device (regular) initialized: http.log
18/4/2014 -- 12:42:24 - <info>-- Syslog output initialized
18/4/2014 -- 12:42:24 - <info>-- Using 1 live device(s).
18/4/2014 -- 12:42:24 - <info>-- using interface em0
18/4/2014 -- 12:42:24 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/4/2014 -- 12:42:24 - <info>-- Found an MTU of 1500 for 'em0'
18/4/2014 -- 12:42:24 - <info>-- Set snaplen to 1500 for 'em0'
18/4/2014 -- 12:42:24 - <info>-- RunModeIdsPcapAutoFp initialised
18/4/2014 -- 12:42:24 - <info>-- stream "max-sessions": 262144
18/4/2014 -- 12:42:24 - <info>-- stream "prealloc-sessions": 32768
18/4/2014 -- 12:42:24 - <info>-- stream "memcap": 33554432
18/4/2014 -- 12:42:24 - <info>-- stream "midstream" session pickups: disabled
18/4/2014 -- 12:42:24 - <info>-- stream "async-oneside": disabled
18/4/2014 -- 12:42:24 - <info>-- stream "checksum-validation": disabled
18/4/2014 -- 12:42:24 - <info>-- stream."inline": disabled
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "memcap": 67108864
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "depth": 0
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/4/2014 -- 12:42:24 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 59
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 94
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 129
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 189
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 291
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 292
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 298
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 416
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 421
18/4/2014 -- 12:42:28 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
18/4/2014 -- 12:42:35 - <info>-- 2 rule files processed. 15090 rules successfully loaded, 9 rules failed
Here's the log for the non-working WAN interface (type PPPoE):
18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 65535 defrag trackers of size 120
18/4/2014 -- 12:46:39 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
18/4/2014 -- 12:46:39 - <info>-- AutoFP mode using "Active Packets" flow load balancer
18/4/2014 -- 12:46:39 - <info>-- preallocated 1024 packets. Total memory 4294656
18/4/2014 -- 12:46:39 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 1000 hosts of size 96
18/4/2014 -- 12:46:39 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
18/4/2014 -- 12:46:39 - <info>-- preallocated 10000 flows of size 224
18/4/2014 -- 12:46:39 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
18/4/2014 -- 12:46:39 - <info>-- IP reputation disabled
18/4/2014 -- 12:46:39 - <info>-- Added "35" classification types from the classification file
18/4/2014 -- 12:46:39 - <info>-- Added "19" reference types from the reference.config file
18/4/2014 -- 12:46:39 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_51110_pppoe0/magic
18/4/2014 -- 12:46:39 - <info>-- Delayed detect enabled
18/4/2014 -- 12:46:39 - <info>-- Packets will start being processed before signatures are active.
18/4/2014 -- 12:46:39 - <info>-- Threshold config parsed: 0 rule(s) found
18/4/2014 -- 12:46:39 - <info>-- Core dump size is unlimited.
18/4/2014 -- 12:46:39 - <info>-- fast output device (regular) initialized: alerts.log
18/4/2014 -- 12:46:39 - <info>-- http-log output device (regular) initialized: http.log
18/4/2014 -- 12:46:39 - <info>-- Syslog output initialized
18/4/2014 -- 12:46:39 - <info>-- Using 1 live device(s).
18/4/2014 -- 12:46:39 - <info>-- using interface pppoe0
18/4/2014 -- 12:46:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/4/2014 -- 12:46:39 - <info>-- Found an MTU of 1492 for 'pppoe0'
18/4/2014 -- 12:46:39 - <info>-- Set snaplen to 1492 for 'pppoe0'
18/4/2014 -- 12:46:39 - <info>-- RunModeIdsPcapAutoFp initialised
18/4/2014 -- 12:46:39 - <info>-- stream "max-sessions": 262144
18/4/2014 -- 12:46:39 - <info>-- stream "prealloc-sessions": 32768
18/4/2014 -- 12:46:39 - <info>-- stream "memcap": 33554432
18/4/2014 -- 12:46:39 - <info>-- stream "midstream" session pickups: disabled
18/4/2014 -- 12:46:39 - <info>-- stream "async-oneside": disabled
18/4/2014 -- 12:46:39 - <info>-- stream "checksum-validation": disabled
18/4/2014 -- 12:46:39 - <info>-- stream."inline": disabled
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "memcap": 67108864
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "depth": 0
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
18/4/2014 -- 12:46:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
18/4/2014 -- 12:46:39 - <info>-- 1 rule files processed. 163 rules successfully loaded, 0 rules failed
18/4/2014 -- 12:46:39 - <info>-- 163 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 35 inspect application layer, 76 are decoder event only
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 2: building source address list... complete
18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
18/4/2014 -- 12:46:39 - <info>-- Signature(s) loaded, Detect thread(s) activated.
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
( lots of repeats snipped )
Yep, that is the problem – PPPoE does not appear to be supported by the underlying Suricata binary. I will research to see if there is anything I might be able to do to address this. I seem to remember some folks using Snort just fine on a PPPoE interface, and Snort and Suricata both are using the same libpcap library on pfSense.
Bill
-
I have had one of my pfSense boxes on PPPoE with Snort for over a year without any issue like this. Just an FYI.