Suricata IDS 1.4.6 BETA package update v0.3 released



  • Suricata 1.4.6 pkg. v0.3-BETA Update Released

    An update to the Suricata package for pfSense has been released.  This is a GUI package update only.  Two significant bug fixes and one new feature are in this update.

    New Feature
    A LOGS MGMT tab is added to the top-level tab menu to provide a means for specifying log size limits and log rotation intervals for the Suricata logs that do not have this capability native within Suricata. You can now specify a size limit after which a log file will be automatically rotated. You can also specify a retention period controlling how long rotated files remain on disk before being automatically deleted. This new capability is available for the following logs: alerts.log, files-json.log, http.log, stats.log, and tls.log. These particular files can become quite large on a busy network and then are difficult to view within the built-in Logs Browser.  Attached at the bottom of this post is a screenshot of the new LOGS MGMT tab.

    Please note that for now the logs are managed by a cron job that executes every 5 minutes.  That means that on a super busy network (or if you have the stats log updating on a very short interval), some of the files may grow a little beyond the limit set on the LOGS MGMT tab before being rotated.  This happens because the size is only checked every 5 minutes.  This gives some logs time to grow in between checks.  Eventually I hope to roll the log limits into the binary itself so that it rotates the logs and the GUI package does not have to do it via cron.

    Bug Fixes
    1.  A disabled Suricata interface would become enabled again upon a reboot of the firewall.

    2.  Multiple instances of Barnyard2 may be started on reboots or when all packages are restarted by the firewall.

    3.  IPv6 display issues in the Suricata Dashboard widget caused text to overrun the right margin.

    4.  Disabling a Suricata interface resulted in a bogus validation error when trying to save the change.

    Bill




  • Overall that's a great implementation for log file rotation.  Thanks!

    What is the timestamp based on?  Not possible/practical to make it a more 'human recognizable' YYYYMMDD…  value?  Would just make it easier to identify the file with the time frame you are looking for.




  • @priller:

    Overall that's a great implementation for log file rotation.  Thanks!

    What is the timestamp based on?  Not possible/practical to make it a more 'human recognizable' YYYYMMDD…  value?  Would just make it easier to identify the file with the time frame you are looking for.

    The timestamp is the vanilla UNIX timestamp (the number of seconds that have elapsed since midnight January 1, 1970).  I used that format because that's what Suricata does for the other logs it does rotate on its own.  I figured consistency with the other logs would be the best way to do it.

    Bill
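
The rotation pass the LOGS MGMT tab and the timestamp reply above describe, as an added example that is not the pfSense Suricata package's own code: a cron-style sweep that renames any managed log over its size limit to NAME.<UNIX timestamp> and deletes rotated copies older than the retention period. The directory, the 64 KB / 30-day limits and the demo file names are assumptions.

```shell
#!/bin/sh
# Added example, not the pfSense Suricata package's own code: one cron-style
# pass of the kind the LOGS MGMT tab performs every 5 minutes. A managed log
# that has grown past the size limit is renamed with a plain UNIX-timestamp
# suffix (the convention Suricata uses for the logs it rotates itself), and
# rotated copies older than the retention period are deleted. Directory,
# limits and file names used in the demo are assumptions.

# The logs the LOGS MGMT tab manages, as listed in the announcement.
MANAGED_LOGS="alerts.log files-json.log http.log stats.log tls.log"

# rotate_logs LOGDIR LIMIT_KB RETENTION_DAYS
# Rotates each managed log in LOGDIR larger than LIMIT_KB to NAME.<epoch>,
# leaves an empty NAME behind, then purges NAME.<epoch> files whose
# modification time is more than RETENTION_DAYS old. Prints the number of
# files rotated in this pass.
rotate_logs() {
    logdir=$1
    limit_kb=$2
    retention_days=$3
    stamp=$(date +%s)
    rotated=0
    for name in $MANAGED_LOGS; do
        f="$logdir/$name"
        [ -f "$f" ] || continue
        size_kb=$(( $(wc -c < "$f") / 1024 ))
        if [ "$size_kb" -gt "$limit_kb" ]; then
            mv "$f" "$f.$stamp"
            # New empty log. A process still holding the old file open keeps
            # writing to the renamed copy until it reopens its logs; telling
            # it to do so is outside this example.
            : > "$f"
            rotated=$((rotated + 1))
        fi
    done
    # Retention: -mtime +N selects files modified more than N days ago.
    for name in $MANAGED_LOGS; do
        find "$logdir" -maxdepth 1 -name "$name.[0-9]*" \
            -mtime +"$retention_days" -exec rm -f {} +
    done
    echo "$rotated"
}

# demo_rotation: builds a constructed log directory under mktemp, runs one
# pass with a 64 KB limit and 30-day retention, records the rotation count
# in .rotated, and prints the directory path so the caller can inspect it.
demo_rotation() {
    dir=$(mktemp -d)
    # Constructed inputs: a 100 KB alerts.log (over the limit), a tiny
    # http.log (under it), and a stale rotated stats.log dated 2014-01-01
    # that the retention rule should remove.
    dd if=/dev/zero of="$dir/alerts.log" bs=1024 count=100 2>/dev/null
    printf 'small\n' > "$dir/http.log"
    printf 'old\n' > "$dir/stats.log.1388534400"
    touch -t 201401010000 "$dir/stats.log.1388534400"
    rotate_logs "$dir" 64 30 > "$dir/.rotated"
    echo "$dir"
}

# Run with "demo" as the first argument to see one pass on the sample data.
if [ "${1:-}" = "demo" ]; then
    d=$(demo_rotation)
    echo "rotated $(cat "$d/.rotated") file(s) in $d"
    ls -l "$d"
    rm -rf "$d"
fi
```

Because the check only runs when cron fires, a log can still exceed the limit between passes, exactly as the announcement notes for the 5-minute interval.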



  • First, I'd like to apologize if my comment is incorrect. I am not a native English speaker.  The tabs "Check" and "Force" have the "opposite" meanings for me. If you want to just "Check" the program shouldn't download anything, just notify me.



  • ?! Erm, maybe it is considered to be Update&Upgrade meaning updating the rules and upgrading the software accordingly ?!



  • @DiskWizard:

    ?! Erm, maybe it is considered to be Update&Upgrade meaning updating the rules and upgrading the software accordingly ?!

    The two buttons were intended to work this way.  Your comment about "checking" versus "updating" is valid, though.

    The original behavior was to download the MD5 hash from the publisher's web site and compare the hash to the locally stored hash for the current rules package.  If the hash codes matched, nothing else was done.  If they did not match, new rules would be downloaded and applied to all running Snort processes (according to the specific rules enabled for each process).  There were occasions when a "bad" rules package would be downloaded but the MD5 hash file was OK.  In this situation, in order to get a fresh uncorrupted rules package, a manual edit of the MD5 hash file was required to "force" a mismatch in hash values so a new package would download.  This is what the new FORCE button does.  It downloads a fresh rules package without testing the MD5 hash first.

    Bill



  • Is there a trick to getting Suricata to start?  (Do I need to reboot, for example?)

    The documentation doesn't make this clear and I'm currently unable to start Suricata by clicking on the red "X" icon, I get this in the logs:
    Apr 14 18:07:38 pf1 php: /suricata/suricata_interfaces.php: Toggle (suricata starting) for XXX(Xxx Internet)…
    Apr 14 18:07:42 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: XXX …
    Apr 14 18:07:45 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Building new sig-msg.map file for XXX…
    Apr 14 18:07:49 pf1 php: /suricata/suricata_interfaces.php: [Suricata] Suricata START for XXX Internet(igb6)…

    but then it returns to the config screen with the red X still present and no suricata processes running.

    I'm running 2.1-RELEASE on 4GB Nano.

    Please Advise


  • Moderator

    Did you perform a Rules Update? If not, that needs to be done first before it will start.



  • @BBcan17:

    Did you perform a Rules Update? If not, that needs to be done first before it will start.

    Yeah before I configured the interfaces and tried to start.

    Thanks



  • @ScottCall:

    @BBcan17:

    Did you perform a Rules Update? If not, that needs to be done first before it will start.

    Yeah before I configured the interfaces and tried to start.

    Thanks

    Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents.  See what errors are in there.  Suricata logs its stuff to its own private log file.  Report back if you see something in there.

    Bill



  • @bmeeks:

    Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents.  See what errors are in there.  Suricata logs its stuff to its own private log file.  Report back if you see something in there.

    Bill

    Thanks Bill.

    I checked under the "Logs Browser" and none of the logs exist; they all return "Log file does not exist or that logging feature is not enabled."

    I'm using ETOpen, Snort VRT (free registered) and Snort GPLv2.

    I'll schedule some time to reboot the firewall to see if that's what it needs.

    Thanks
    -S



  • @ScottCall:

    @bmeeks:

    Go to the LOGS MGMT tab and open the suricata.log by selecting it in the drop-down selector to view the contents.  See what errors are in there.  Suricata logs its stuff to its own private log file.  Report back if you see something in there.

    Bill

    Thanks Bill.

    I checked under the "Logs Browser" and none of the logs exist; they all return "Log file does not exist or that logging feature is not enabled."

    I'm using ETOpen, Snort VRT (free registered) and Snort GPLv2.

    I'll schedule some time to reboot the firewall to see if that's what it needs.

    Thanks
    -S

    Whoa!  That's certainly not right.  The suricata.log file should always exist as it is created with any attempted start of Suricata.  Something is seriously borked with the Suricata install is my suspicion.  A reboot and possible reinstall of Suricata would be a good start.

    EDIT UPDATE: just re-read your original post and noticed the NanoBSD mention.  I overlooked that previously. That could be the problem.  There may be some problems with Suricata forgetting to put the file system in R/W mode before it writes configuration information.  I did all my development and testing on regular installs with hard disks (well, virtual hard disks in VMs).  I have not tested Suricata on something like NanoBSD.  You also may not have enough RAM to run Suricata and pfSense.  You said 4 GB, so I assume that is total CF capacity.  The OS is going to take a bit, and then Suricata gets what's left over.  That is not going to be much.

    Bill



  • I did the nano install to try pfSense over the existing (commercial, expensive and outdated) install on the boxes.  I've been planning on converting them to HDD based installs anyways, so I'll hold off on suricata until then.

    Thanks!



  • @ScottCall:

    I did the nano install to try pfSense over the existing (commercial, expensive and outdated) install on the boxes.  I've been planning on converting them to HDD based installs anyways, so I'll hold off on suricata until then.

    Thanks!

    It should work fine on a conventional HDD (or SSD) installation.  Unfortunately, I don't have a CF system to test with.

    Bill



  • Hi

    My logs are full of this message when starting Suricata

    
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Apr 17 17:50:44 	suricata[24023]: 17/4/2014 -- 17:50:44 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    Version

    2.1.2-RELEASE (amd64)
    built on Thu Apr 10 05:42:13 EDT 2014
    FreeBSD 8.3-RELEASE-p15

    You are on the latest version.


    Any pointers?

    Thanks



  • @Gibbon_99:

    Hi

    My logs are full of this message when starting Suricata

    

    Any pointers?

    Thanks

    Have not seen that error before.  This essentially means the protocol on the interface is not supported by Suricata.  Let me first ask you to try the old standard technique of removing Suricata and reinstalling.  Before doing this, go to the GLOBAL SETTINGS tab and check the box near the bottom of the page to retain Suricata settings when deinstalling.  Save that change and then remove the package under System…Packages from the pfSense menu.  When removal is complete, install it again.

    Please report back on the result.  Also, can you post what the interfaces are you are using Suricata on?  By that I mean vanilla Ethernet, or maybe something like PPP or some kind of tunneling interface?

    Bill
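
A triage pass over suricata.log of the kind this thread keeps asking posters to do by hand, added here as an example that is not part of the pfSense Suricata package: it tallies error lines by ERRCODE, lists the sid and rules-file line of each signature that failed to parse, surfaces an unsupported datalink type if one was logged, and checks that the engine actually started. The sample log is constructed, modelled on the lines quoted in this thread; the /tmp/sample path is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the pfSense Suricata package: quick triage of a
# suricata.log. The helpers below read a log file path; write_sample_log
# writes a constructed sample modelled on the lines quoted in this thread.

# write_sample_log PATH: constructed sample log (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
18/4/2014 -- 12:42:24 - <info> -- using interface em0
18/4/2014 -- 12:42:24 - <info> -- all 7 packet processing threads, 1 management threads initialized, engine started.
18/4/2014 -- 12:42:24 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/4/2014 -- 12:42:24 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE rule one"; dsize:146; http_uri; sid:25675; rev:7;)" from file /tmp/sample/suricata.rules at line 59
18/4/2014 -- 12:42:24 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can not have relative keywords around a fast_pattern only content
18/4/2014 -- 12:42:24 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE rule two"; sid:26470; rev:1;)" from file /tmp/sample/suricata.rules at line 94
17/4/2014 -- 17:50:44 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
18/4/2014 -- 12:42:35 - <info> -- 2 rule files processed. 15090 rules successfully loaded, 9 rules failed
EOF
}

# errcode_counts LOGFILE: "COUNT ERRCODE" per distinct ERRCODE, most frequent first.
errcode_counts() {
    sed -n 's/.*\[ERRCODE: \([A-Z0-9_]*\)(.*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# failed_sids LOGFILE: "SID line N" for each "error parsing signature" entry,
# taken from the sid: option of the quoted rule and the trailing "at line N".
failed_sids() {
    sed -n 's/.*error parsing signature .*sid:\([0-9]*\);.* at line \([0-9]*\)$/\1 line \2/p' "$1"
}

# unsupported_datalink LOGFILE: prints the first datalink type Suricata
# refused to decode (the thread's "datalink type 0" case), or nothing.
unsupported_datalink() {
    sed -n 's/.*datalink type \([0-9]*\) not yet supported.*/\1/p' "$1" | head -n 1
}

# engine_started LOGFILE: exit status 0 if the "engine started" line is present.
engine_started() {
    grep -q 'engine started' "$1"
}

# triage LOGFILE: human-readable summary built from the helpers above.
triage() {
    echo "== errors by ERRCODE =="
    errcode_counts "$1"
    echo "== rules that failed to parse (sid, rules-file line) =="
    failed_sids "$1"
    dl=$(unsupported_datalink "$1")
    if [ -n "$dl" ]; then
        echo "== unsupported datalink type: $dl (check the capture interface type) =="
    fi
    if engine_started "$1"; then
        echo "== engine started: yes =="
    else
        echo "== engine started: NO =="
    fi
}

# Run with "demo" as the first argument to triage the constructed sample;
# otherwise pass a real suricata.log path to triage.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    triage "$tmp"
    rm -f "$tmp"
fi
```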


  • Banned

    Remember to reboot after deinstall….before you install it again!



  • @bmeeks:

    Have not seen that error before.  This essentially means the protocol on the interface is not supported by Suricata.  Let me first ask you to try the old standard technique of removing Suricata and reinstalling.  Before doing this, go to the GLOBAL SETTINGS tab and check the box near the bottom of the page to retain Suricata settings when deinstalling.  Save that change and then remove the package under System…Packages from the pfSense menu.  When removal is complete, install it again.

    Please report back on the result.  Also, can you post what the interfaces are you are using Suricata on?  By that I mean vanilla Ethernet, or maybe something like PPP or some kind of tunneling interface?

    Bill

    Remove and reinstall done - no change - still get the error when using the WAN interface.

    I have created a LAN interface mapping, and it works just fine.

    The WAN mapping is a PPPOE interface - looks like that type is not yet supported.

    Here is the log for the working LAN interface ( type em0 ):

    
    18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    18/4/2014 -- 12:42:24 - <info>-- preallocated 65535 defrag trackers of size 120
    18/4/2014 -- 12:42:24 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    18/4/2014 -- 12:42:24 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    18/4/2014 -- 12:42:24 - <info>-- preallocated 1024 packets. Total memory 4294656
    18/4/2014 -- 12:42:24 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
    18/4/2014 -- 12:42:24 - <info>-- preallocated 1000 hosts of size 96
    18/4/2014 -- 12:42:24 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
    18/4/2014 -- 12:42:24 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
    18/4/2014 -- 12:42:24 - <info>-- preallocated 10000 flows of size 224
    18/4/2014 -- 12:42:24 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
    18/4/2014 -- 12:42:24 - <info>-- IP reputation disabled
    18/4/2014 -- 12:42:24 - <info>-- Added "35" classification types from the classification file
    18/4/2014 -- 12:42:24 - <info>-- Added "19" reference types from the reference.config file
    18/4/2014 -- 12:42:24 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/magic
    18/4/2014 -- 12:42:24 - <info>-- Delayed detect enabled
    18/4/2014 -- 12:42:24 - <info>-- Packets will start being processed before signatures are active.
    18/4/2014 -- 12:42:24 - <info>-- Threshold config parsed: 1 rule(s) found
    18/4/2014 -- 12:42:24 - <info>-- Core dump size is unlimited.
    18/4/2014 -- 12:42:24 - <info>-- fast output device (regular) initialized: alerts.log
    18/4/2014 -- 12:42:24 - <info>-- Unified2-alert initialized: filename unified2.alert, limit 32 MB
    18/4/2014 -- 12:42:24 - <info>-- http-log output device (regular) initialized: http.log
    18/4/2014 -- 12:42:24 - <info>-- Syslog output initialized
    18/4/2014 -- 12:42:24 - <info>-- Using 1 live device(s).
    18/4/2014 -- 12:42:24 - <info>-- using interface em0
    18/4/2014 -- 12:42:24 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    18/4/2014 -- 12:42:24 - <info>-- Found an MTU of 1500 for 'em0'
    18/4/2014 -- 12:42:24 - <info>-- Set snaplen to 1500 for 'em0'
    18/4/2014 -- 12:42:24 - <info>-- RunModeIdsPcapAutoFp initialised
    18/4/2014 -- 12:42:24 - <info>-- stream "max-sessions": 262144
    18/4/2014 -- 12:42:24 - <info>-- stream "prealloc-sessions": 32768
    18/4/2014 -- 12:42:24 - <info>-- stream "memcap": 33554432
    18/4/2014 -- 12:42:24 - <info>-- stream "midstream" session pickups: disabled
    18/4/2014 -- 12:42:24 - <info>-- stream "async-oneside": disabled
    18/4/2014 -- 12:42:24 - <info>-- stream "checksum-validation": disabled
    18/4/2014 -- 12:42:24 - <info>-- stream."inline": disabled
    18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "memcap": 67108864
    18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "depth": 0
    18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    18/4/2014 -- 12:42:24 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    18/4/2014 -- 12:42:24 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 59
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 94
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 129
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 189
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 291
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 292
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 298
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 416
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/4/2014 -- 12:42:24 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_12618_em0/rules/suricata.rules at line 421
    18/4/2014 -- 12:42:28 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    18/4/2014 -- 12:42:35 - <info>-- 2 rule files processed. 15090 rules successfully loaded, 9 rules failed
    

    Here's the log for the not working WAN interface ( type PPPOE )

    
    18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    18/4/2014 -- 12:46:39 - <info>-- preallocated 65535 defrag trackers of size 120
    18/4/2014 -- 12:46:39 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    18/4/2014 -- 12:46:39 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    18/4/2014 -- 12:46:39 - <info>-- preallocated 1024 packets. Total memory 4294656
    18/4/2014 -- 12:46:39 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
    18/4/2014 -- 12:46:39 - <info>-- preallocated 1000 hosts of size 96
    18/4/2014 -- 12:46:39 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
    18/4/2014 -- 12:46:39 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
    18/4/2014 -- 12:46:39 - <info>-- preallocated 10000 flows of size 224
    18/4/2014 -- 12:46:39 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
    18/4/2014 -- 12:46:39 - <info>-- IP reputation disabled
    18/4/2014 -- 12:46:39 - <info>-- Added "35" classification types from the classification file
    18/4/2014 -- 12:46:39 - <info>-- Added "19" reference types from the reference.config file
    18/4/2014 -- 12:46:39 - <info>-- using magic-file /usr/pbi/suricata-amd64/etc/suricata/suricata_51110_pppoe0/magic
    18/4/2014 -- 12:46:39 - <info>-- Delayed detect enabled
    18/4/2014 -- 12:46:39 - <info>-- Packets will start being processed before signatures are active.
    18/4/2014 -- 12:46:39 - <info>-- Threshold config parsed: 0 rule(s) found
    18/4/2014 -- 12:46:39 - <info>-- Core dump size is unlimited.
    18/4/2014 -- 12:46:39 - <info>-- fast output device (regular) initialized: alerts.log
    18/4/2014 -- 12:46:39 - <info>-- http-log output device (regular) initialized: http.log
    18/4/2014 -- 12:46:39 - <info>-- Syslog output initialized
    18/4/2014 -- 12:46:39 - <info>-- Using 1 live device(s).
    18/4/2014 -- 12:46:39 - <info>-- using interface pppoe0
    18/4/2014 -- 12:46:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    18/4/2014 -- 12:46:39 - <info>-- Found an MTU of 1492 for 'pppoe0'
    18/4/2014 -- 12:46:39 - <info>-- Set snaplen to 1492 for 'pppoe0'
    18/4/2014 -- 12:46:39 - <info>-- RunModeIdsPcapAutoFp initialised
    18/4/2014 -- 12:46:39 - <info>-- stream "max-sessions": 262144
    18/4/2014 -- 12:46:39 - <info>-- stream "prealloc-sessions": 32768
    18/4/2014 -- 12:46:39 - <info>-- stream "memcap": 33554432
    18/4/2014 -- 12:46:39 - <info>-- stream "midstream" session pickups: disabled
    18/4/2014 -- 12:46:39 - <info>-- stream "async-oneside": disabled
    18/4/2014 -- 12:46:39 - <info>-- stream "checksum-validation": disabled
    18/4/2014 -- 12:46:39 - <info>-- stream."inline": disabled
    18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "memcap": 67108864
    18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "depth": 0
    18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    18/4/2014 -- 12:46:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    18/4/2014 -- 12:46:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    18/4/2014 -- 12:46:39 - <info>-- 1 rule files processed. 163 rules successfully loaded, 0 rules failed
    18/4/2014 -- 12:46:39 - <info>-- 163 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 35 inspect application layer, 76 are decoder event only
    18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    18/4/2014 -- 12:46:39 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    18/4/2014 -- 12:46:39 - <info>-- Signature(s) loaded, Detect thread(s) activated.
    18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    18/4/2014 -- 12:46:40 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    ( lots of repeats snipped )
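
    The nine rejected rules in the em0 log fall into the two groups the messages name. The first ("Signature combines packet specific matches ... with stream / state matching") is a rule that tests dsize on a single packet while also needing HTTP parsing (an http_* buffer, or urilen as in sid 28542/28543/29882); Suricata inspects HTTP on the reassembled stream, so the two cannot be evaluated together. The second ("previous keyword has a fast_pattern:only; set") is order-dependent: in Snort syntax the buffer modifier comes after distance/within, so at the moment Suricata parses the relative keyword the content it belongs to is still in the packet-payload list, and the anchor it finds there is the earlier fast_pattern:only content, which is only used by the multi-pattern prefilter and never matched on its own, so nothing can be relative to it. The following is an added pre-flight lint, not Suricata's code, that reproduces those two checks: it is run over two of the rejected rules from the log (references and metadata trimmed) plus one constructed rule in the same style that loads fine. It approximates the 1.4 parser's behaviour as evidenced here and is not a full rule validator.

```python
# Keyword classes used by the two checks. HTTP_MODIFIERS attach to the most
# recent content; file_data is a sticky buffer that captures later contents.
HTTP_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_client_body", "http_cookie", "http_method", "http_stat_code",
    "http_stat_msg", "http_user_agent", "http_host", "http_raw_host",
}
STICKY_BUFFERS = {"file_data"}
APP_LAYER_KEYWORDS = HTTP_MODIFIERS | STICKY_BUFFERS | {"urilen"}
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
RELATIVE_KEYWORDS = {"distance", "within"}


class _Content:
    """One content: match in a rule; identity matters, so no value equality."""
    def __init__(self, value):
        self.value = value
        self.fp_only = False


def split_options(rule):
    """(keyword, value) pairs from the option body, splitting on ';' only
    outside double quotes so |3B| hex escapes and pcre bodies stay intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\":            # keep escapes such as \" or \x3a
            buf.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return opts


def lint_rule(rule):
    """Return [(code, detail), ...] for the two rejections seen in the log; [] = ok."""
    opts = split_options(rule)
    keys = {k for k, _ in opts}
    findings = []
    pk, ak = sorted(keys & PACKET_KEYWORDS), sorted(keys & APP_LAYER_KEYWORDS)
    if pk and ak:   # check 1: per-packet test mixed with HTTP (stream) inspection
        findings.append(("packet+applayer", "%s with %s" % (",".join(pk), ",".join(ak))))
    # check 2: replay the parse order. A content lives in the packet-payload
    # list ("pmatch") until an http_* modifier moves it, and distance/within
    # anchor to the previous content of whatever list the latest content is in.
    lists, sticky, last = {"pmatch": []}, None, None
    for key, val in opts:
        if key == "content":
            target = sticky or "pmatch"
            c = _Content(val)
            lists.setdefault(target, []).append(c)
            last = (target, c)
        elif key == "fast_pattern" and val == "only" and last is not None:
            last[1].fp_only = True
        elif key in HTTP_MODIFIERS and last is not None:
            name, c = last
            lists[name].remove(c)
            lists.setdefault(key, []).append(c)
            last = (key, c)
        elif key in STICKY_BUFFERS:
            sticky = key
        elif key in RELATIVE_KEYWORDS and last is not None:
            name, c = last
            idx = lists[name].index(c)
            prev = lists[name][idx - 1] if idx else None
            if prev is not None and prev.fp_only:
                f = ("relative-after-fp-only",
                     "%s:%s on content %s anchors to fast_pattern:only content %s"
                     % (key, val, c.value, prev.value))
                if f not in findings:
                    findings.append(f)
    return findings


def lint_rules(text):
    """{sid: findings} for every rule line in a rules file that would be rejected."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = lint_rule(line)
        if findings:
            sid = next((v for k, v in split_options(line) if k == "sid"), "?")
            out[sid] = findings
    return out


# Two rejected rules from the log (references/metadata trimmed) and one
# constructed rule in the same style that Suricata 1.4 accepts (sid chosen here).
RULE_26966 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; classtype:trojan-activity; sid:26966; rev:3;)'
RULE_26722 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; classtype:trojan-activity; sid:26722; rev:1;)'
RULE_OK = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed example that loads"; flow:to_server,established; content:"/load.exe"; http_uri; content:"User-Agent|3A| Mozilla"; http_header; content:"Host|3A|"; distance:0; http_header; classtype:trojan-activity; sid:9000001; rev:1;)'

if __name__ == "__main__":
    for sid, findings in lint_rules("\n".join([RULE_26966, RULE_26722, RULE_OK])).items():
        print(sid, findings)
```

    Running lint_rules over the generated suricata.rules before restarting the interface shows which downloaded Snort rules will be dropped and why, so they can be disabled in the GUI rather than discovered in the log after the fact.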
    


  • @Gibbon_99:

    Remove and reinstall done - no change - still get the error when using the WAN interface.

    I have created a LAN interface mapping, and it works just fine.

    The WAN mapping is a PPPOE interface - looks like that type is not yet supported.

    Here is the log for the working LAN interface ( type em0 ):

    [ the em0 log quoted here is identical to the one in the post above and is not repeated ]

    Here's the log for the not working WAN interface ( type PPPOE )

    [ the pppoe0 log quoted here is identical to the one in the post above and is not repeated ]

    Yep, that is the problem – PPPoE does not appear to be supported by the underlying Suricata binary.  I will research to see if there is anything I might be able to do to address this.  I seem to remember some folks using Snort just fine on a PPPoE interface, and Snort and Suricata both are using the same libpcap library on pfSense.

    Bill
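
    Link-layer type 0 is DLT_NULL, the BSD "null" encapsulation that FreeBSD's loopback and netgraph point-to-point interfaces (pfSense's pppoe0 is one) present to bpf: each frame starts with a 4-byte address-family word in the capturing host's byte order instead of an Ethernet header, and a decoder that only knows DLT_EN10MB (type 1) has nothing to do with it, which is the error repeated in the pppoe0 log. The following added example, not Suricata's or the package's code, shows the decode step that is missing: it reads the link type from a pcap header and turns DLT_NULL records into IPv4/IPv6 packets, handling the byte-order quirk and the per-OS AF_INET6 values. The pcap bytes are constructed in the script, not captured from a firewall.

```python
import ipaddress
import struct

# Link-layer types from pcap/bpf.h. Suricata 1.4's DecodePcap knew Ethernet
# but not DLT_NULL, which is what "datalink type 0" in the log refers to.
DLT_NULL = 0      # BSD loopback / point-to-point: 4-byte address family, host order
DLT_EN10MB = 1    # Ethernet

# Address-family words found in DLT_NULL headers. AF_INET is 2 on every BSD;
# AF_INET6 differs by OS, so a decoder has to accept all of them.
AF_INET = 2
AF_INET6_VALUES = {24: "OpenBSD", 28: "FreeBSD/NetBSD", 30: "Darwin"}

# pcap magic as read little-endian; the value tells the file's own byte order.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
               0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps


def pcap_link_type(data):
    """Return (endianness, linktype) from the 24-byte pcap global header."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file")
    endian = PCAP_MAGICS[magic]
    # fields: magic, major, minor, thiszone, sigfigs, snaplen, network
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    return endian, linktype


def pcap_records(data):
    """Yield (linktype, frame_bytes) for each record of an in-memory pcap."""
    endian, linktype = pcap_link_type(data)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def decode_null_frame(frame):
    """Split a DLT_NULL frame into (family, ip_packet).

    The family word is written in the capturing host's byte order. Like tcpdump,
    read it little-endian and swap if the upper 16 bits are set, which can only
    happen when the capture came from a host of the other endianness."""
    if len(frame) < 4:
        raise ValueError("short DLT_NULL frame")
    af = struct.unpack("<I", frame[:4])[0]
    if af & 0xFFFF0000:
        af = struct.unpack(">I", frame[:4])[0]
    if af == AF_INET:
        return "ipv4", frame[4:]
    if af in AF_INET6_VALUES:
        return "ipv6", frame[4:]
    return "af%d" % af, frame[4:]


def summarize_capture(data):
    """(linktype, family, src, dst) per record. Only DLT_NULL is decoded here;
    any other link type is reported as unsupported, mirroring what Suricata 1.4
    did for type 0 on pppoe0."""
    rows = []
    for linktype, frame in pcap_records(data):
        if linktype != DLT_NULL:
            rows.append((linktype, "unsupported datalink", None, None))
            continue
        family, ip = decode_null_frame(frame)
        if family == "ipv4":      # IPv4 header: src at offset 12, dst at 16
            rows.append((linktype, family, str(ipaddress.IPv4Address(ip[12:16])),
                         str(ipaddress.IPv4Address(ip[16:20]))))
        elif family == "ipv6":    # IPv6 header: src at offset 8, dst at 24
            rows.append((linktype, family, str(ipaddress.IPv6Address(ip[8:24])),
                         str(ipaddress.IPv6Address(ip[24:40]))))
        else:
            rows.append((linktype, family, None, None))
    return rows


def build_sample_pcap(linktype=DLT_NULL):
    """Constructed capture (not from a real firewall): one IPv4 and one IPv6
    packet framed the way a little-endian FreeBSD host writes DLT_NULL."""
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                      ipaddress.IPv4Address("192.0.2.1").packed,
                      ipaddress.IPv4Address("198.51.100.7").packed)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed,
                      ipaddress.IPv6Address("2001:db8::2").packed)
    frames = [struct.pack("<I", AF_INET) + ip4, struct.pack("<I", 28) + ip6]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 1397820000, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for row in summarize_capture(build_sample_pcap()):
        print(row)
```

    On the firewall itself, tcpdump -L -i pppoe0 lists the link types the interface offers, and a short capture written with tcpdump -i pppoe0 -c 5 -w /tmp/pppoe.pcap can be handed to pcap_link_type (read the file in binary mode) to confirm the type 0 header before trying a newer Suricata build on that interface.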


  • Moderator

    @bmeeks:

    Yep, that is the problem – PPPoE does not appear to be supported by the underlying Suricata binary.  I will research to see if there is anything I might be able to do to address this.  I seem to remember some folks using Snort just fine on a PPPoE interface, and Snort and Suricata both are using the same libpcap library on pfSense.

    I have one of my pfSense boxes on PPPoE with Snort for over a year without any issue like this. Just an FYI.



  • I can confirm I have the same problem, my log is flooded with this:

    suricata: 14/6/2014 -- 12:13:21 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    

    This might perhaps also explain why I don't see any hits on WAN (VDSL2) (but also not on WAN2 (Cable), for that matter), but quite a few on LAN.

    Suricata 1.4.6 pkg v1.0.3

    It runs on VDSL2 (PPPoE), Cable (DHCP), and LAN.

    Snort, which I ran for over a year did not show these errors. I only switched to Suricata yesterday as smart people in here recommended to do so.



  • I'm trying to setup Suricata basically the same way I have snort configured today and I may have found an issue or maybe the snort code wasn't carried over.

    Home Net and External Net are not pulling from the 'Pass Lists' tab like they do in Snort. Only the Pass List area is able to pull from the list in Suricata.

    Another issue I found is in the Alert log… In Snort, IPv6 addresses are compressed if there is a run of zeros, so an address may look like 123:345:567::1. In Suricata, they are displayed like 123:345:567:0000:0000:0000:0000:1. Hopefully that is something that can be fixed.

    thanks again!!



  • It seems suricata has the same issue with the IPv6 link-local address as Snort has.
    The default home net has the external link-local address with the interface reference in it.
    This results in an error when parsing the home nets.

    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <error>-- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.0.8.0/24,10.0.9.0/24,10.0.18.0/24,10.0.19.0/24,64.4.0.0/18,64.233.160.0/19,65.52.0.0/14,66.102.0.0/20,66.249.64.0/19,72.14.192.0/18,74.125.0.0/16,82.75.177.152/32,82.94.229.0/24,82.101.62.110/32,127.0.0.1,131.253.21.0/24,131.253.22.0/23,131.253.24.0/21,131.253.32.0/20,157.54.0.0/32,157.56.0.0/14,157.60.0.0/16,172.16.1.0/24,172.16.3.0/24,192.168.1.0/24,192.168.2.0/24,192.168.10.0/24,194.109.0.0/16,194.109.5.175,194.109.6.66,194.109.9.99,207.46.0.0/16,207.68.128.0/18,207.68.192.0/20,209.85.128.0/17,212.238.xxx.xxx,213.75.10.0/24,213.84.136.0/24,216.239.32.0/18,2001:888:0:6::66,2001:888:0:9::99,2001:888:0:80::1/128,2001:888:2000:49::/48,2001:xxxx:xxxx:0:xxxx:xxxx:xxxx:xxxx/128,2001:xxxx:xxxx:1::/64,2001:xxxx:xxxx:2::/64,2001:xxxx:xxxx:3::/64,fe80::2a0:a50f:fc78:5530,fe80::290:bff:fe32:5b2e%em0]". Please check it's syntax
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <error>-- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "fe80::290:bff:fe32:5b2e%em0"
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <error>-- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "fe80::290:bff:fe32:5b2e%em0"
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <info>-- preallocated 65535 defrag trackers of size 120
    Jun 25 15:41:05 suricata: 25/6/2014 -- 15:41:05 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24

    Using Snort I can supply a home list and an external net by creating an alias.
    On Suricata I can create an alias, but it will not show up in the drop-down list.

    When looking in suricata_interfaces_edit.php I see the drop-down is populated using a passlist; however, I cannot create a whitelist but only a passlist (used in the alert suppression).

    home net: line 697:

        <select name="homelistname" class="formselect" id="homelistname">
        <?php
            echo "<option value='default'>default</option>";
            /* find whitelist names and filter by type */
            if (is_array($suricataglob['whitelist']['item'])) {
                foreach ($suricataglob['whitelist']['item'] as $value) {
                    $ilistname = $value['name'];
                    if ($ilistname == $pconfig['homelistname'])
                        echo "<option value='$ilistname' selected>";
                    else
                        echo "<option value='$ilistname'>";
                    echo htmlspecialchars($ilistname) . '</option>';
                }
            }
        ?>
        </select>

    Alert suppression: line 775:

            /* find passlist names and filter by type, make sure to track by uuid */
            echo "<option value='default'>default</option>\n";
            if (is_array($suricataglob['passlist']['item'])) {
                foreach ($suricataglob['passlist']['item'] as $value) {
                    if ($value['name'] == $pconfig['passlistname'])
                        echo "<option value='{$value['name']}' selected>";
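
    The parser error in the post above is about the %em0 zone index on the link-local address, which Suricata's address-group parser does not understand (the first fe80:: entry, without a zone, went through). The fix on the pfSense side is to sanitize the list before it is written into suricata.yaml. The following is an added example of that step, not the package's code: it strips zone ids, keeps negation and prefixes, validates every entry with Python's ipaddress module, optionally drops link-local addresses altogether (they are per-link and of no use in HOME_NET), and reports what it rejected so the GUI can log it. The sample list is an abridged, constructed version of the one in the log; the xxx-redacted entries are used here as stand-ins for malformed input.

```python
import ipaddress


def normalize_entry(entry, drop_link_local=False):
    """Return an address-group entry in a form Suricata's parser accepts, or
    None if it must be dropped.

    - strips an IPv6 zone id (fe80::1%em0 -> fe80::1), the part Suricata choked on
    - keeps a leading '!' (negation) and a /prefix; host bits under the prefix are masked
    - rejects anything unparsable, such as the redacted 212.238.xxx.xxx placeholders,
      which this example treats as constructed bad input
    - optionally drops link-local IPv6, which is per-link and of no use as HOME_NET
    """
    text = entry.strip()
    neg = ""
    if text.startswith("!"):
        neg, text = "!", text[1:]
    if "%" in text:                       # addr%zone or addr%zone/prefix
        addr, zone = text.split("%", 1)
        text = addr + ("/" + zone.split("/", 1)[1] if "/" in zone else "")
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    if drop_link_local and net.version == 6 and net.is_link_local:
        return None
    # plain hosts stay plain (no /32 or /128 appended); networks keep their prefix
    return neg + (str(net) if "/" in text else str(net.network_address))


def build_home_net(entries, drop_link_local=False):
    """Return (value, rejected): the bracketed list to write into suricata.yaml
    as HOME_NET, and the input entries that were dropped so they can be logged."""
    kept, rejected, seen = [], [], set()
    for entry in entries:
        norm = normalize_entry(entry, drop_link_local)
        if norm is None:
            rejected.append(entry)
        elif norm not in seen:
            seen.add(norm)
            kept.append(norm)
    if not kept:
        raise ValueError("HOME_NET would be empty")
    return "[" + ",".join(kept) + "]", rejected


# Constructed, abridged version of the HOME_NET from the log above, including
# the zone-id entry that failed and two of the redacted placeholders.
SAMPLE_HOME_NET = [
    "10.0.8.0/24", "127.0.0.1", "192.168.1.0/24", "212.238.xxx.xxx",
    "2001:888:0:6::66", "2001:888:2000:49::/48", "2001:xxxx:xxxx:1::/64",
    "fe80::2a0:a50f:fc78:5530", "fe80::290:bff:fe32:5b2e%em0",
]

if __name__ == "__main__":
    value, rejected = build_home_net(SAMPLE_HOME_NET)
    print("HOME_NET:", value)
    print("dropped:", rejected)
```

    Note that ip_network with strict=False also normalizes 2001:888:2000:49::/48 to 2001:888:2000::/48, since the /48 covers more than the host bits written; if that is not wanted, validate with ip_network and emit the original text instead.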



  • @avink:

    It seems suricata has the same issue with the IPv6 link-local address as Snort has.
    The default home net has the external link-local address with the interface reference in it.
    This results in an error when parsing the home nets.

    [ the log quoted here is identical to the one in the post above and is not repeated ]

    Using snort I can supply a home list and an external net by creating an alias.
    On suricata I can create an alias but it will not show up in the drop-down list.

    When looking in suricata_interfaces_edit.php I see the drop-down is populated using a passlist; however, I cannot create a whitelist, only a passlist (used in the alert suppression).

    home net: line 697:

        <select name="homelistname" class="formselect" id="homelistname">
        <?php
            echo "<option value='default'>default</option>";
            /* find whitelist names and filter by type */
            if (is_array($suricataglob['whitelist']['item'])) {
                foreach ($suricataglob['whitelist']['item'] as $value) {
                    $ilistname = $value['name'];
                    if ($ilistname == $pconfig['homelistname'])
                        echo "<option value='$ilistname' selected>";
                    else
                        echo "<option value='$ilistname'>";
                    echo htmlspecialchars($ilistname) . '</option>';
                }
            }
        ?>
        </select>

    Alert suppression: line 775:

            /* find passlist names and filter by type, make sure to track by uuid */
            echo "<option value='default'>default</option>\n";
            if (is_array($suricataglob['passlist']['item'])) {
                foreach ($suricataglob['passlist']['item'] as $value) {
                    if ($value['name'] == $pconfig['passlistname'])
                        echo "<option value='{$value['name']}' selected>";

    I think you have indeed identified a bug in the code.  I'm sorry that one slipped by me.  I only recently obtained an IPv6 tunnel broker setup so I could test IPv6 in the flesh instead of just in a limited VM world.

    I will add this to my TODO list of fixes for Suricata.  I am currently working on moving that package to the 2.0.1 Suricata binary code base, so please be patient with me a little bit longer.  If I run into any significant delays with the 2.0.x update, I will push out a fix for this and several other reported bugs in a 1.4.6 binary update.

    Bill



  • Bill, thanks again for all the work you have done with Suricata and Snort.

    Not sure if this is on your TODO list, but take a look at how the alerts below are displayed in the GUI:

    
    06/25/2014-19:15:45.695657,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:15:47.205405,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:15:48.705994,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:16:41.348884,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64434,194.71.107.17,80
    06/25/2014-19:16:44.330005,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64443,185.19.104.90,80
    06/25/2014-19:16:44.584111,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64444,185.19.104.90,80
    
    

    I'm pretty sure it's because of the comma in the alert description. It pushed everything over a column.




  • Modified suricata_interfaces_edit.php to be able to use the Home Net alias.
    Also modified the /usr/local/pkg/suricata/suricata.inc to remove the interface reference from the link-local address.

    Now suricata neatly generates the configuration file.
    However, since I'm running over a PPPoE link, the syslog is filling with the 'datalink not supported' errors.

    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap
    Jun 26 09:09:04 suricata[20617]: 26/6/2014 -- 09:09:04 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    I hope we will find a solution for this too.
    Snort is running without problems as mentioned by others also.
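    The HOME_NET failure earlier in this thread comes from one entry, fe80::290:bff:fe32:5b2e%em0, whose "%em0" zone index Suricata's address parser does not accept, and a single bad entry makes the whole variable fail. The post above fixed it by removing the interface reference in suricata.inc. The code below is an added example, not the package's own code and not posted by anyone in this thread: it normalises a list of candidate addresses before they are written into suricata.yaml, strips the zone index, validates each entry, and reports what was dropped instead of letting one entry silently disable the sensor's home-net definition. The function names and the sample input list are assumptions for illustration.

```php
<?php
// Added example, not code from the pfSense Suricata package.
// Normalises HOME_NET candidates before they are written to suricata.yaml:
// strips the "%ifname" zone index that Suricata's address parser rejects,
// validates each entry, and reports what was dropped.
// Function names and the input list are assumptions for illustration.

/**
 * Strip an IPv6 zone index ("fe80::1%em0" -> "fe80::1"), keeping any
 * trailing prefix length that follows it ("fe80::1%em0/64" -> "fe80::1/64").
 */
function suricata_strip_zone_index($addr)
{
    $pct = strpos($addr, '%');
    if ($pct === false) {
        return $addr;
    }
    $slash = strpos($addr, '/', $pct);
    $prefix = ($slash === false) ? '' : substr($addr, $slash);
    return substr($addr, 0, $pct) . $prefix;
}

/**
 * Validate one address-variable entry: optional "!" negation, an IPv4 or
 * IPv6 address, optional "/prefix". Returns the cleaned entry or null.
 */
function suricata_clean_net_entry($entry)
{
    $entry = trim($entry);
    $negate = '';
    if ($entry !== '' && $entry[0] === '!') {
        $negate = '!';
        $entry = (string) substr($entry, 1);
    }
    $entry = suricata_strip_zone_index($entry);
    if ($entry === '') {
        return null;
    }
    $parts = explode('/', $entry, 2);
    $is_v4 = filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $is_v6 = filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    if (!$is_v4 && !$is_v6) {
        return null;
    }
    if (count($parts) === 2) {
        // Prefix length must be a plain integer within the family's range.
        if (!ctype_digit($parts[1]) || (int) $parts[1] > ($is_v4 ? 32 : 128)) {
            return null;
        }
    }
    return $negate . $entry;
}

/**
 * Build the bracketed HOME_NET value Suricata expects. Invalid entries are
 * collected in $rejected instead of silently breaking the whole variable.
 */
function suricata_build_home_net(array $candidates, array &$rejected)
{
    $clean = array();
    foreach ($candidates as $c) {
        $v = suricata_clean_net_entry($c);
        if ($v === null) {
            $rejected[] = $c;
        } elseif (!in_array($v, $clean, true)) {
            $clean[] = $v;   // de-duplicate after normalisation
        }
    }
    return '[' . implode(',', $clean) . ']';
}

// Constructed sample mirroring the failing case in the thread.
$candidates = array(
    '10.0.8.0/24',
    '127.0.0.1',
    '2001:888:0:6::66',
    'fe80::290:bff:fe32:5b2e%em0',   // the zone index is what broke the parse
    '!192.168.1.0/24',
    'not-an-address',
);
$rejected = array();
$home_net = suricata_build_home_net($candidates, $rejected);
echo "HOME_NET: $home_net\n";
echo "rejected: " . implode(', ', $rejected) . "\n";
```

    Run with php on any host; the sample produces a HOME_NET string with the zone index removed and lists not-an-address as rejected. Logging the rejected entries is the part worth keeping in a GUI package: a sensor that fails YAML parsing at startup protects nothing, and the operator should learn which interface address or alias entry caused it rather than finding an empty alerts.log later.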



  • @Cino:

    Bill, thanks again for all the work you have done with Suricata and Snort.

    Not sure if this is on your TODO list, but take a look at how the alerts below are displayed in the GUI:

    
    06/25/2014-19:15:45.695657,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:15:47.205405,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:15:48.705994,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137
    06/25/2014-19:16:41.348884,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64434,194.71.107.17,80
    06/25/2014-19:16:44.330005,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64443,185.19.104.90,80
    06/25/2014-19:16:44.584111,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64444,185.19.104.90,80
    
    

    I'm pretty sure it's because of the comma in the alert description. It pushed everything over a column.

    Ouch!  That's going to be a tough one to fix.  The whole premise of parsing the alert text is based on splitting the fields on the commas.  I'll have to chew on that one.

    Bill



  • @bmeeks:

    Ouch!  That's going to be a tough one to fix.  The whole premise of parsing the alert text is based on splitting the fields on the commas.  I'll have to chew on that one.

    Yes, that should be fixed from the other end.
    RFC 4180 §2.6: "Fields containing line breaks (CRLF), double quotes, and commas should be enclosed in double-quotes."



  • @G.D.:

    @bmeeks:

    Ouch!  That's going to be a tough one to fix.  The whole premise of parsing the alert text is based on splitting the fields on the commas.  I'll have to chew on that one.

    Yes, that should be fixed from the other end.
    RFC 4180 §2.6: "Fields containing line breaks (CRLF), double quotes, and commas should be enclosed in double-quotes."

    agreed!
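    The column shift Cino reported, and the RFC 4180 point G.D. raised, can both be handled on the reading side without waiting for the log writer to quote its fields. In the sample lines only the message is free text; the five columns before it and the seven after it are fixed, so a parser can anchor those from both ends and treat whatever lies between as the message, commas and all. The code below is an added example, not the package's own parser and not posted by anyone in this thread; the column names and the function name are assumptions, and the sample lines are constructed from the shapes shown above (plus one quoted per RFC 4180 to show that path).

```php
<?php
// Added example, not code from the pfSense Suricata package.
// Parses alert lines of the layout shown in the thread:
//   timestamp,,gid,sid,rev,msg,classification,priority,proto,src,sport,dst,dport
// A naive explode(',') shifts every later column when msg itself contains a
// comma. Only msg is free text, so the fixed columns are anchored from both
// ends and whatever lies between them is the message, commas included.
// A writer that quotes msg per RFC 4180 is handled by the str_getcsv path.
// Function and column names are assumptions for illustration.

const ALERT_HEAD = array('timestamp', 'unused', 'gid', 'sid', 'rev');
const ALERT_TAIL = array('classification', 'priority', 'proto', 'src', 'sport', 'dst', 'dport');

/**
 * Parse one alert line into an associative array, or return null when the
 * line has fewer columns than the layout requires.
 */
function suricata_parse_alert_line($line)
{
    $line = rtrim($line, "\r\n");
    if ($line === '') {
        return null;
    }
    $nhead = count(ALERT_HEAD);
    $ntail = count(ALERT_TAIL);
    $expected = $nhead + 1 + $ntail;   // 13 columns

    // RFC 4180 input (msg wrapped in double quotes) yields exactly $expected fields.
    $fields = str_getcsv($line, ',', '"', '');
    if (count($fields) !== $expected) {
        // Unquoted msg with embedded commas: split, then re-join the middle.
        $parts = explode(',', $line);
        if (count($parts) < $expected) {
            return null;
        }
        $msg = implode(',', array_slice($parts, $nhead, count($parts) - $expected + 1));
        $fields = array_merge(array_slice($parts, 0, $nhead), array($msg), array_slice($parts, -$ntail));
    }

    $alert = array_combine(array_merge(ALERT_HEAD, array('msg'), ALERT_TAIL), $fields);
    unset($alert['unused']);
    return $alert;
}

// Constructed sample lines: the two shapes seen in the thread, plus a quoted one.
$samples = array(
    '06/25/2014-19:15:45.695657,,1,2009768,4,ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration,Attempted Information Leak,2,UDP,192.168.0.100,137,224.0.0.252,137',
    '06/25/2014-19:16:41.348884,,1,2012247,3,ET P2P BTWebClient UA uTorrent in use,Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64434,194.71.107.17,80',
    '06/25/2014-19:16:41.348884,,1,2012247,3,"Quoted, per RFC 4180",Potential Corporate Privacy Violation,1,TCP,192.168.0.100,64434,194.71.107.17,80',
);
foreach ($samples as $s) {
    $a = suricata_parse_alert_line($s);
    printf("sid=%s %s %s:%s -> %s:%s | %s | %s\n",
        $a['sid'], $a['proto'], $a['src'], $a['sport'], $a['dst'], $a['dport'],
        $a['classification'], $a['msg']);
}
```

    For the first sample the message comes back as "ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration" and the protocol, address and port columns land where they belong. Two caveats: the positional fallback assumes the message is the only column that can contain a comma, which holds for this layout but not for arbitrary CSV; and whatever the parser returns should still go through htmlspecialchars() before it is rendered in the GUI, as the existing page code already does for list names.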



  • Has anyone tried this on 2.2 ALPHA yet?  I keep getting emails from cron because it appears cron on 2.2 sends emails when there is output in a cronjob.  I actually like that it does that on 2.2 for my own purposes but for Suricata I get an email every 5 minutes when it prunes the block list and also when the ids rules get updated…

    Subject: Cron <root@pfsense> /usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/var/log>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    0/0 addresses expired.

    Subject: Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php

    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin>
    X-Cron-Env: <HOME=/var/log>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>

    1%   2%   4%   5%   6%   7%   8%   9%  10%  20%  30%  40%  50%  60%  70%  80%  90% 100%
    

  • Moderator

    @adam65535:

    Has anyone tried this on 2.2 ALPHA yet?  I keep getting emails from cron because it appears cron on 2.2 sends emails when there is output in a cronjob.  I actually like that it does that on 2.2 for my own purposes but for Suricata I get an email every 5 minutes when it prunes the block list and also when the ids rules get updated…

    Subject: Cron <root@pfsense> /usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600

    Hi Adam,

    You could try to add "2>&1" to the Cron job and see if that fixes it?

    [  /usr/bin/nice -n20 /sbin/pfctl -t snort2c -T expire 3600 2>&1  ]

    If you have the Cron package, you can do that without going into the Shell to edit Cron.

    However, if you make any changes to the Snort Interfaces, it could get reset by

    [  /usr/local/pkg/snort/snort.inc  ]  which writes that line into CRON.



  • Thanks for the response.

    I added -q to the pfctl command to silence the output.  That worked.  I don't mind being notified when the IDS rules update, so I am leaving that one.

    */5     *       *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600
    

    Hopefully he can add that to the next version.

    EDIT:

    However, if you make any changes to the Snort Interfaces, it could get reset by

    [  /usr/local/pkg/snort/snort.inc  ]  which writes that line into CRON.

    Ah… I will need to edit snort.inc too.  Thanks for that.

    EDIT2:

    I actually had to edit /usr/local/pkg/suricata/suricata.inc obviously.


  • Moderator

    @adam65535:

    Thanks for the response.
    Ah… I will need to edit snort.inc too.  Thanks for that.

    Anytime!



  • @adam65535:

    Thanks for the response.

    I added -q to the pfctl command to silence the output.  That worked.  I don't mind being notified when the IDS rules update, so I am leaving that one.

    */5     *       *       *       *       root    /usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire 3600
    

    Hopefully he can add that to the next version.

    EDIT:

    However, if you make any changes to the Snort Interfaces, it could get reset by

    [  /usr/local/pkg/snort/snort.inc  ]  which writes that line into CRON.

    Ah… I will need to edit snort.inc too.  Thanks for that.

    EDIT2:

    I actually had to edit /usr/local/pkg/suricata/suricata.inc obviously.

    I'll add this one to my TODO list of Suricata fixes.  Thanks for the report.

    Bill



  • @bill if you don't mind, add this to Snort when you have time



  • @Cino:

    @bill if you don't mind, add this to Snort when you have time

    OK.  I added it to the currently open Pull Request for Snort.

    Bill



  • Is anyone else having startup issues with more than 1 interface/sensor?

    When I reboot my box or use Services to (re)start Suricata, they start, but not fully: no alerting.
    When I manually start them, there are no issues and alerting starts within a few minutes.

    Log from a reboot:

    
    WAN
    8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 12:37:43 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 12:37:43 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 12:37:43 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 12:37:43 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 12:37:43 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 12:37:43 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 12:37:43 - <info>-- IP reputation disabled
    8/7/2014 -- 12:37:43 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 12:37:43 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 12:37:43 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
    8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
    8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
    8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
    8/7/2014 -- 12:37:43 - <info>-- 17 signatures processed. 0 are IP-only rules, 13 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 12:37:43 - <info>-- Threshold config parsed: 0 rule(s) found
    8/7/2014 -- 12:37:43 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 12:37:43 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 12:37:43 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 12:37:43 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 12:37:43 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 12:37:43 - <info>-- Using log dir /var/log/suricata/suricata_em339811
    8/7/2014 -- 12:37:43 - <info>-- using normal logging
    8/7/2014 -- 12:37:43 - <info>-- Using 1 live device(s).
    8/7/2014 -- 12:37:43 - <info>-- using interface em3
    8/7/2014 -- 12:37:43 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 12:37:43 - <info>-- Found an MTU of 1500 for 'em3'
    8/7/2014 -- 12:37:43 - <info>-- Set snaplen to 1500 for 'em3'
    8/7/2014 -- 12:37:43 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 12:37:43 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 12:37:43 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 12:37:43 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 12:37:43 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 12:37:43 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream."inline": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 12:38:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    
    LAN
    8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 12:37:45 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 12:37:45 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 12:37:45 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 12:37:45 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 12:37:45 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 12:37:45 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 12:37:45 - <info>-- IP reputation disabled
    8/7/2014 -- 12:37:45 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 12:37:45 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 12:37:45 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 12:37:45 - <info>-- Delayed detect disabled
    8/7/2014 -- 12:37:45 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/
    8/7/2014 -- 12:37:45 - <info>-- 2 rule files processed. 11 rules successfully loaded, 0 rules failed
    8/7/2014 -- 12:37:45 - <info>-- 11 signatures processed. 0 are IP-only rules, 7 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 12:37:45 - <info>-- Threshold config parsed: 8 rule(s) found
    8/7/2014 -- 12:37:45 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 12:37:46 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 12:37:46 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 12:37:46 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 12:37:46 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 12:37:46 - <info>-- Using log dir /var/log/suricata/suricata_em239811
    8/7/2014 -- 12:37:46 - <info>-- using normal logging
    8/7/2014 -- 12:37:46 - <info>-- Using 1 live device(s).
    8/7/2014 -- 12:37:46 - <info>-- using interface em2
    8/7/2014 -- 12:37:46 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 12:37:46 - <info>-- Found an MTU of 1500 for 'em2'
    8/7/2014 -- 12:37:46 - <info>-- Set snaplen to 1500 for 'em2'
    8/7/2014 -- 12:37:46 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 12:37:46 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 12:37:46 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 12:37:46 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 12:37:46 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 12:37:46 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream."inline": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 12:37:46 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 12:40:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    Log from a manual start:

    
    WAN
    8/7/2014 -- 13:15:48 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 13:15:49 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 13:15:49 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 13:15:49 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 13:15:49 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 13:15:49 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 13:15:49 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 13:15:49 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 13:15:49 - <info>-- IP reputation disabled
    8/7/2014 -- 13:15:49 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 13:15:49 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 13:15:49 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:15:49 - <info>-- Delayed detect disabled
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8277
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8452
    8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
    8/7/2014 -- 13:17:48 - <info>-- 14455 signatures processed. 23 are IP-only rules, 4574 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
    8/7/2014 -- 13:17:48 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 13:17:54 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 13:18:40 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 13:18:47 - <info>-- Threshold config parsed: 0 rule(s) found
    8/7/2014 -- 13:18:47 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 13:18:47 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 13:18:47 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 13:18:47 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 13:18:47 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 13:18:47 - <info>-- Using log dir /var/log/suricata/suricata_em339811
    8/7/2014 -- 13:18:47 - <info>-- using normal logging
    8/7/2014 -- 13:18:47 - <info>-- Using 1 live device(s).
    8/7/2014 -- 13:18:47 - <info>-- using interface em3
    8/7/2014 -- 13:18:47 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 13:18:47 - <info>-- Found an MTU of 1500 for 'em3'
    8/7/2014 -- 13:18:47 - <info>-- Set snaplen to 1500 for 'em3'
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbb50
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbd48
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbf40
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec138
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec330
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec528
    8/7/2014 -- 13:18:47 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 13:18:47 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 13:18:47 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 13:18:47 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 13:18:47 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 13:18:47 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream."inline": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 13:18:51 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    
    LAN
    8/7/2014 -- 13:20:47 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 13:20:48 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 13:20:48 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 13:20:48 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 13:20:48 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 13:20:48 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 13:20:48 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 13:20:48 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 13:20:48 - <info>-- IP reputation disabled
    8/7/2014 -- 13:20:48 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 13:20:48 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 13:20:48 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:20:48 - <info>-- Delayed detect disabled
    8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8280
    8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
    8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8455
    8/7/2014 -- 13:21:28 - <info>-- 2 rule files processed. 14447 rules successfully loaded, 2 rules failed
    8/7/2014 -- 13:22:47 - <info>-- 14452 signatures processed. 23 are IP-only rules, 4571 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
    8/7/2014 -- 13:22:47 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 13:22:52 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 13:23:32 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 13:23:39 - <info>-- Threshold config parsed: 8 rule(s) found
    8/7/2014 -- 13:23:39 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 13:23:39 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 13:23:39 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 13:23:39 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 13:23:39 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 13:23:39 - <info>-- Using log dir /var/log/suricata/suricata_em239811
    8/7/2014 -- 13:23:39 - <info>-- using normal logging
    8/7/2014 -- 13:23:39 - <info>-- Using 1 live device(s).
    8/7/2014 -- 13:23:39 - <info>-- using interface em2
    8/7/2014 -- 13:23:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 13:23:39 - <info>-- Found an MTU of 1500 for 'em2'
    8/7/2014 -- 13:23:39 - <info>-- Set snaplen to 1500 for 'em2'
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x4003346c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033664
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x4003385c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033a54
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033c4c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033e44
    8/7/2014 -- 13:23:39 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 13:23:39 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 13:23:39 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 13:23:39 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 13:23:39 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 13:23:39 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream."inline": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 13:23:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 13:26:02 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    I also noticed it doesn't like IPv6 subnets in the passlist; I'm using the same list I currently use for Snort.
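
Added example, not code from the original post or from the pfSense Suricata package: a small Python check that reads a suricata.log excerpt like the ones pasted in this thread and flags the two conditions the logs show, a start that came up with almost no rules (the reboot start loaded 17 rules with an SC_ERR_NO_RULES warning while the manual start loaded 14450, yet both report "engine started"), and Pass List entries skipped as "Invalid IP" although they are well-formed IPv6 networks. The sample lines, the `min_rules` threshold and the `not-an-address` entry are constructed for the example.

```python
"""Startup health check for Suricata log excerpts (added example, not part of
the pfSense package).  Parses the rule-load summary, SC_ERR_NO_RULES warnings
and 'Invalid IP(...) ... Pass List' lines of each engine start."""
import ipaddress
import re

# Constructed sample: key lines of a reboot start followed by a manual start,
# modelled on the output pasted in this thread (not copied from a live sensor).
SAMPLE_LOG = """\
8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 12:37:43 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Invalid IP(not-an-address) parameter provided in Pass List, skipping...
8/7/2014 -- 13:18:47 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
"""

RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
INVALID_IP_RE = re.compile(r"Invalid IP\((?P<ip>[^)]+)\) parameter provided in Pass List")
NO_RULES_RE = re.compile(r"SC_ERR_NO_RULES")
STARTED_RE = re.compile(r"engine started")


def _new_start():
    return {"loaded": None, "failed": None, "no_rules": 0, "skipped": []}


def parse_starts(text):
    """Split the log into engine starts.  Each start collects the rule summary,
    SC_ERR_NO_RULES warnings and skipped Pass List entries seen before its
    'engine started' line."""
    starts = []
    cur = _new_start()
    for line in text.splitlines():
        m = RULES_RE.search(line)
        if m:
            cur["loaded"], cur["failed"] = int(m.group(1)), int(m.group(2))
        if NO_RULES_RE.search(line):
            cur["no_rules"] += 1
        m = INVALID_IP_RE.search(line)
        if m:
            cur["skipped"].append(m.group("ip"))
        if STARTED_RE.search(line):
            starts.append(cur)
            cur = _new_start()
    return starts


def classify_skipped(entries):
    """Return (entry, verdict) pairs: 'valid-ipv4', 'valid-ipv6' or 'malformed'.
    strict=True rejects networks with host bits set, as a pass list should."""
    out = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
            out.append((entry, f"valid-ipv{net.version}"))
        except ValueError:
            out.append((entry, "malformed"))
    return out


def findings(text, min_rules=1000):
    """Flag starts with too few rules (the 'starts but no alerting' symptom) and
    Pass List entries skipped although syntactically valid.  min_rules is an
    assumed site threshold, not a Suricata or package setting."""
    out = []
    for n, s in enumerate(parse_starts(text), start=1):
        if s["no_rules"] or s["loaded"] is None or s["loaded"] < min_rules:
            out.append((n, "low-rule-count",
                        f"{s['loaded']} rules loaded, {s['no_rules']} SC_ERR_NO_RULES warning(s)"))
        for entry, verdict in classify_skipped(s["skipped"]):
            if verdict != "malformed":
                out.append((n, "valid-entry-skipped", f"{entry} ({verdict})"))
    return out


if __name__ == "__main__":
    for n, kind, detail in findings(SAMPLE_LOG):
        print(f"start {n}: {kind}: {detail}")
```

Run it against the instance's suricata.log after a reboot: a start that reports "engine started" but only a handful of rules is the one to look at, since the process is up and the GUI shows it running while almost nothing can alert. The second check separates a genuinely malformed pass list entry from a well-formed IPv6 network the loader rejected, which is the distinction behind the "doesn't like IPv6 subnets" observation.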



  • @Cino:

    Is anyone else having startup issues with more than 1 interface/sensor?

    When I reboot my box or use Services to (re)start Suricata, they start but not fully… No alerting.
    When I manually start them, no issues, and alerting starts within a few minutes.

    Log from a reboot:

    
    WAN
    8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 12:37:43 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 12:37:43 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 12:37:43 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 12:37:43 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 12:37:43 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 12:37:43 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:43 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 12:37:43 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 12:37:43 - <info>-- IP reputation disabled
    8/7/2014 -- 12:37:43 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 12:37:43 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 12:37:43 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 12:37:43 - <info>-- Delayed detect disabled
    8/7/2014 -- 12:37:43 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "l!" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/ at line 1
    8/7/2014 -- 12:37:43 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/
    8/7/2014 -- 12:37:43 - <info>-- 2 rule files processed. 17 rules successfully loaded, 1 rules failed
    8/7/2014 -- 12:37:43 - <info>-- 17 signatures processed. 0 are IP-only rules, 13 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 12:37:43 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 12:37:43 - <info>-- Threshold config parsed: 0 rule(s) found
    8/7/2014 -- 12:37:43 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 12:37:43 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:43 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 12:37:43 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 12:37:43 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 12:37:43 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 12:37:43 - <info>-- Using log dir /var/log/suricata/suricata_em339811
    8/7/2014 -- 12:37:43 - <info>-- using normal logging
    8/7/2014 -- 12:37:43 - <info>-- Using 1 live device(s).
    8/7/2014 -- 12:37:43 - <info>-- using interface em3
    8/7/2014 -- 12:37:43 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 12:37:43 - <info>-- Found an MTU of 1500 for 'em3'
    8/7/2014 -- 12:37:43 - <info>-- Set snaplen to 1500 for 'em3'
    8/7/2014 -- 12:37:43 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 12:37:43 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 12:37:43 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 12:37:43 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 12:37:43 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 12:37:43 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream."inline": disabled
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 12:37:43 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 12:37:44 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 12:38:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    
    LAN
    8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 12:37:45 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 12:37:45 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 12:37:45 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 12:37:45 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 12:37:45 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 12:37:45 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 12:37:45 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 12:37:45 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 12:37:45 - <info>-- IP reputation disabled
    8/7/2014 -- 12:37:45 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 12:37:45 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 12:37:45 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 12:37:45 - <info>-- Delayed detect disabled
    8/7/2014 -- 12:37:45 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/
    8/7/2014 -- 12:37:45 - <info>-- 2 rule files processed. 11 rules successfully loaded, 0 rules failed
    8/7/2014 -- 12:37:45 - <info>-- 11 signatures processed. 0 are IP-only rules, 7 are inspecting packet payload, 4 inspect application layer, 0 are decoder event only
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 12:37:45 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 12:37:45 - <info>-- Threshold config parsed: 8 rule(s) found
    8/7/2014 -- 12:37:45 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 12:37:46 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 12:37:46 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 12:37:46 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 12:37:46 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 12:37:46 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 12:37:46 - <info>-- Using log dir /var/log/suricata/suricata_em239811
    8/7/2014 -- 12:37:46 - <info>-- using normal logging
    8/7/2014 -- 12:37:46 - <info>-- Using 1 live device(s).
    8/7/2014 -- 12:37:46 - <info>-- using interface em2
    8/7/2014 -- 12:37:46 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 12:37:46 - <info>-- Found an MTU of 1500 for 'em2'
    8/7/2014 -- 12:37:46 - <info>-- Set snaplen to 1500 for 'em2'
    8/7/2014 -- 12:37:46 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 12:37:46 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 12:37:46 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 12:37:46 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 12:37:46 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 12:37:46 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream."inline": disabled
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 12:37:46 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 12:37:46 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 12:40:23 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    Log from a manual start:

    
    WAN
    8/7/2014 -- 13:15:48 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 13:15:49 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 13:15:49 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 13:15:49 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 13:15:49 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 13:15:49 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 13:15:49 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 13:15:49 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 13:15:49 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 13:15:49 - <info>-- IP reputation disabled
    8/7/2014 -- 13:15:49 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 13:15:49 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 13:15:49 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:15:49 - <info>-- Delayed detect disabled
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8277
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
    8/7/2014 -- 13:16:11 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/rules/suricata.rules at line 8452
    8/7/2014 -- 13:16:31 - <info>-- 2 rule files processed. 14450 rules successfully loaded, 2 rules failed
    8/7/2014 -- 13:17:48 - <info>-- 14455 signatures processed. 23 are IP-only rules, 4574 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
    8/7/2014 -- 13:17:48 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 13:17:54 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 13:18:40 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 13:18:47 - <info>-- Threshold config parsed: 0 rule(s) found
    8/7/2014 -- 13:18:47 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 13:18:47 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:18:47 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em3/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 13:18:47 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 13:18:47 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 13:18:47 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 13:18:47 - <info>-- Using log dir /var/log/suricata/suricata_em339811
    8/7/2014 -- 13:18:47 - <info>-- using normal logging
    8/7/2014 -- 13:18:47 - <info>-- Using 1 live device(s).
    8/7/2014 -- 13:18:47 - <info>-- using interface em3
    8/7/2014 -- 13:18:47 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 13:18:47 - <info>-- Found an MTU of 1500 for 'em3'
    8/7/2014 -- 13:18:47 - <info>-- Set snaplen to 1500 for 'em3'
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbb50
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbd48
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x320dbf40
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec138
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec330
    8/7/2014 -- 13:18:47 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:18:47 - <info>-- returning 0x339ec528
    8/7/2014 -- 13:18:47 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 13:18:47 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 13:18:47 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 13:18:47 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 13:18:47 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 13:18:47 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream."inline": disabled
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 13:18:47 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 13:18:47 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 13:18:51 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    
    LAN
    8/7/2014 -- 13:20:47 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 65535 defrag trackers of size 88
    8/7/2014 -- 13:20:48 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    8/7/2014 -- 13:20:48 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    8/7/2014 -- 13:20:48 - <info>-- preallocated 1024 packets. Total memory 3135488
    8/7/2014 -- 13:20:48 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 1000 hosts of size 60
    8/7/2014 -- 13:20:48 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    8/7/2014 -- 13:20:48 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    8/7/2014 -- 13:20:48 - <info>-- preallocated 10000 flows of size 144
    8/7/2014 -- 13:20:48 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    8/7/2014 -- 13:20:48 - <info>-- IP reputation disabled
    8/7/2014 -- 13:20:48 - <info>-- Added "35" classification types from the classification file
    8/7/2014 -- 13:20:48 - <info>-- Added "19" reference types from the reference.config file
    8/7/2014 -- 13:20:48 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:20:48 - <info>-- Delayed detect disabled
    8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    8/7/2014 -- 13:21:08 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8280
    8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
    8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8455
    8/7/2014 -- 13:21:28 - <info>-- 2 rule files processed. 14447 rules successfully loaded, 2 rules failed
    8/7/2014 -- 13:22:47 - <info>-- 14452 signatures processed. 23 are IP-only rules, 4571 are inspecting packet payload, 11668 inspect application layer, 74 are decoder event only
    8/7/2014 -- 13:22:47 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    8/7/2014 -- 13:22:52 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    8/7/2014 -- 13:23:32 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    8/7/2014 -- 13:23:39 - <info>-- Threshold config parsed: 8 rule(s) found
    8/7/2014 -- 13:23:39 - <info>-- Core dump size is unlimited.
    8/7/2014 -- 13:23:39 - <info>-- alert-pf output device (regular) initialized: block.log
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2205::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2210::/64) parameter provided in Pass List, skipping...
    8/7/2014 -- 13:23:39 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
    8/7/2014 -- 13:23:39 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    8/7/2014 -- 13:23:39 - <info>-- fast output device (regular) initialized: alerts.log
    8/7/2014 -- 13:23:39 - <info>-- http-log output device (regular) initialized: http.log
    8/7/2014 -- 13:23:39 - <info>-- Using log dir /var/log/suricata/suricata_em239811
    8/7/2014 -- 13:23:39 - <info>-- using normal logging
    8/7/2014 -- 13:23:39 - <info>-- Using 1 live device(s).
    8/7/2014 -- 13:23:39 - <info>-- using interface em2
    8/7/2014 -- 13:23:39 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    8/7/2014 -- 13:23:39 - <info>-- Found an MTU of 1500 for 'em2'
    8/7/2014 -- 13:23:39 - <info>-- Set snaplen to 1500 for 'em2'
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x4003346c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033664
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x4003385c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033a54
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033c4c
    8/7/2014 -- 13:23:39 - <info>-- using magic-file /usr/share/misc/magic
    8/7/2014 -- 13:23:39 - <info>-- returning 0x40033e44
    8/7/2014 -- 13:23:39 - <info>-- RunModeIdsPcapAutoFp initialised
    8/7/2014 -- 13:23:39 - <info>-- stream "max-sessions": 262144
    8/7/2014 -- 13:23:39 - <info>-- stream "prealloc-sessions": 32768
    8/7/2014 -- 13:23:39 - <info>-- stream "memcap": 33554432
    8/7/2014 -- 13:23:39 - <info>-- stream "midstream" session pickups: disabled
    8/7/2014 -- 13:23:39 - <info>-- stream "async-oneside": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream "checksum-validation": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream."inline": disabled
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "memcap": 67108864
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "depth": 0
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    8/7/2014 -- 13:23:39 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    8/7/2014 -- 13:23:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    8/7/2014 -- 13:26:02 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    I also noticed it doesn't like IPv6 subnets in the passlist. I'm using the same list I currently use for Snort.

    Not sure about why you have a problem with a reboot restart versus a manual restart.  I have not noticed that in my earlier testing.  Will look at it again, though.  As for the IPv6 issue in a Pass List, that has been reported by another user.  I will check on that for the next update.

    Bill
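As an added example (not part of this thread or of the pfSense Suricata package), the script below parses Suricata 1.4.6 startup log lines of the kind quoted above and reports two things an operator wants to know after a restart: which signatures failed to load (with the ERRCODE that preceded them, the file and the line) and which Pass List entries were skipped. It runs each skipped entry through Python's `ipaddress` module so that well-formed IPv6 networks the loader rejected are reported separately from genuinely malformed entries. The sample log is constructed and abbreviated from the thread; the `10.0.0.300/32` entry is invented to show the malformed case.

```python
import ipaddress
import re

# Constructed sample, abbreviated from the Suricata 1.4.6 startup log quoted in the thread.
# The "10.0.0.300/32" entry is invented here to show a genuinely malformed Pass List line.
SAMPLE_LOG = """\
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_NEGATED_VALUE_IN_PORT_RANGE(56)] - Can't have a negated value in a range.
8/7/2014 -- 13:21:09 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [!21:23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT example"; sid:2018537; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/rules/suricata.rules at line 8455
8/7/2014 -- 13:21:28 - <info>-- 2 rule files processed. 14447 rules successfully loaded, 2 rules failed
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2001:470:123:123::2/128) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(2604:2000:123:2200::/64) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Invalid IP(10.0.0.300/32) parameter provided in Pass List, skipping...
8/7/2014 -- 13:23:39 - <info>-- Pass List /usr/pbi/suricata-i386/etc/suricata/suricata_39811_em2/passlist parsed: 16 IP addresses loaded.
8/7/2014 -- 13:23:39 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
"""

# One Suricata 1.x log line: "<date> -- <time> - <level>-- <message>"
LINE_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)>-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>[A-Z_0-9]+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SIG_RE = re.compile(r'^error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:(?P<sid>\d+);")
RULES_RE = re.compile(r"^(?P<files>\d+) rule files processed\. (?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed$")
SKIP_RE = re.compile(r"^Invalid IP\((?P<entry>[^)]+)\) parameter provided in Pass List, skipping")
PASSLIST_RE = re.compile(r"^Pass List (?P<path>\S+) parsed: (?P<count>\d+) IP addresses loaded\.$")


def classify_entry(entry):
    """Classify a rejected Pass List entry as 'ipv4', 'ipv6' or 'malformed'.

    A well-formed entry the engine still rejected points at a limitation of the
    loader (the IPv6 case reported in the thread) rather than a typo in the list.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "malformed"
    return "ipv6" if net.version == 6 else "ipv4"


def summarize(log_text):
    """Walk the startup log once and collect signature failures and skipped entries."""
    summary = {"failed_signatures": [], "rules": None, "pass_list": None, "skipped_entries": []}
    pending_reason = None  # ERRCODE of the line that precedes an 'error parsing signature' line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        err = ERRCODE_RE.match(msg)
        if err:
            sig = SIG_RE.match(err.group("text"))
            if sig:
                sid = SID_RE.search(sig.group("sig"))
                summary["failed_signatures"].append({
                    "sid": sid.group("sid") if sid else None,
                    "file": sig.group("file"),
                    "line": int(sig.group("line")),
                    "reason": pending_reason or err.group("code"),
                })
                pending_reason = None
            else:
                pending_reason = err.group("code")
            continue
        rules = RULES_RE.match(msg)
        if rules:
            summary["rules"] = {k: int(v) for k, v in rules.groupdict().items()}
            continue
        skip = SKIP_RE.match(msg)
        if skip:
            entry = skip.group("entry")
            summary["skipped_entries"].append({"entry": entry, "kind": classify_entry(entry)})
            continue
        pl = PASSLIST_RE.match(msg)
        if pl:
            summary["pass_list"] = {"path": pl.group("path"), "loaded": int(pl.group("count"))}
    return summary


def findings(summary):
    """Turn the summary into short operator-facing findings (an empty list means a clean start)."""
    out = []
    rules = summary["rules"]
    if rules and rules["failed"]:
        sids = ", ".join(f"sid {f['sid']} ({f['reason']})" for f in summary["failed_signatures"])
        out.append(f"{rules['failed']} rule(s) failed to load: {sids}")
    by_kind = {}
    for s in summary["skipped_entries"]:
        by_kind.setdefault(s["kind"], []).append(s["entry"])
    if by_kind.get("ipv6"):
        out.append(f"{len(by_kind['ipv6'])} well-formed IPv6 Pass List entries skipped (loader limitation, not a list typo)")
    if by_kind.get("malformed"):
        out.append(f"{len(by_kind['malformed'])} malformed Pass List entries skipped: {', '.join(by_kind['malformed'])}")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the real startup log (for this thread, the file under the instance's log directory) rather than the embedded sample; a non-empty `findings()` list after a restart is the condition worth alerting on, since a failed signature is silently absent from detection and a skipped Pass List entry means that host is no longer exempt from blocking.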



  • thanks Bill!! I've made a ton of adjustments to what rules are enabled/disabled. I'm wondering if the generating of the ruleset is the issue. A restart doesn't seem to load all the rules.

    Thanks again for all your help with this package!

    Stephen



  • Noticed something else this morning: the cron job that removes IPs from snort2c seems to disappear after a reboot. I have to go into the global tab and save it so the job is recreated.

    EDIT: Never mind… It's not because of a reboot... When I make changes to Snort, it removes the cron job because I deactivated blocking in Snort.