Multiple problems with Suricata service - (instability and crashes)



  • I have Suricata enabled for two interfaces, WAN and LAN (LAN is a bridge of LAN1 and LAN2, which are two ports on an Intel 4-port 10/100/1000 card).

    • When I click the icon to stop Suricata on an interface, the page reloads, but nothing was stopped.
      (At this point, the only way I can get that to function again is to stop the service from Status -> Services.)
    • Many times when I check, the LAN interface will show as not running, and I have to start it again.


  • So far the issue with LAN monitoring spontaneously disabling itself only seems to happen when I have Suricata running on LAN and WAN at the same time.
    I disabled it on WAN and I haven't seen this occur yet.

    The other issue still applies.


  • Moderator

    When you click on the stop icon, it will take some time to stop, just let it be and click "refresh" until it stops by itself.

    Run this command at the CLI to make sure that you have only one Suricata process running per interface. When it stops, it should not report any PIDs.

    pgrep suricata
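`pgrep suricata` only tells you whether any engine is alive; it does not say which interface each process belongs to, which is what the "one process per interface" check actually needs. The script below is an added example, not code from this thread or from the pfSense Suricata package: it parses a `ps -A -o pid,args` listing, keeps only lines whose executable is really `suricata` (so a stray `grep suricata` or `sh -c ps ...` line is not counted), groups the PIDs by the interface given to Suricata's `-i` flag, and reports interfaces with more than one engine. The listing embedded in it is constructed; the binary path follows the `/usr/pbi/suricata-i386` layout visible in the log above, but the exact argument order the package uses is an assumption.

```python
"""Report Suricata processes per capture interface (added example, not from the thread)."""
import re
import subprocess
from collections import defaultdict

# Suricata's own -i flag selects the capture interface; must be whitespace-delimited so
# the "-i386" in the package path does not match.
IFACE_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")

# Constructed listing in `ps -A -o pid,args` format. The argument order is an assumption;
# PID 5301 is a deliberate stale duplicate on bridge0, the state the check is meant to catch.
SAMPLE_PS = """\
  PID ARGS
    1 /sbin/init --
 5234 /usr/pbi/suricata-i386/bin/suricata -i em0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_11111_em0/suricata.yaml
 5260 /usr/pbi/suricata-i386/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml
 5301 /usr/pbi/suricata-i386/bin/suricata -i bridge0 -D -c /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/suricata.yaml
 5410 grep suricata
"""


def suricata_processes(ps_output):
    """Return [(pid, interface)] for lines whose executable is the suricata binary."""
    found = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, args = int(parts[0]), parts[1]
        argv0 = args.split()[0]
        if argv0.rsplit("/", 1)[-1] != "suricata":
            continue  # e.g. "grep suricata" or "sh -c ps -ax | grep suricata"
        iface = IFACE_RE.search(args)
        found.append((pid, iface.group(1) if iface else None))
    return found


def processes_by_interface(ps_output):
    """Map interface name -> list of PIDs (None for a process started without -i)."""
    by_iface = defaultdict(list)
    for pid, iface in suricata_processes(ps_output):
        by_iface[iface].append(pid)
    return dict(by_iface)


def duplicate_interfaces(ps_output):
    """Interfaces that have more than one engine attached: the condition to clean up."""
    return {iface: pids for iface, pids in processes_by_interface(ps_output).items()
            if len(pids) > 1}


def live_ps_output():
    """Listing from this host; -A and -o are POSIX and work on FreeBSD/pfSense and Linux."""
    return subprocess.run(["ps", "-A", "-o", "pid,args"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    listing = live_ps_output() if "--live" in sys.argv else SAMPLE_PS
    for iface, pids in sorted(processes_by_interface(listing).items(), key=str):
        print("%-10s %s" % (iface, " ".join(map(str, pids))))
    dupes = duplicate_interfaces(listing)
    print("duplicates:", dupes or "none")
```

Run with `--live` on the firewall itself to inspect the real process table; without it the constructed listing is used and `bridge0` is reported with two PIDs.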



  • OK, it stopped on its own somewhere between 11:24pm (last detection) yesterday and 9am today with no interaction from me.

    This time it was running on the LAN interface only.

    And

    
    $ pgrep suricata
    
    

    as well as

    
    $ ps -ax |grep suricata
    10944  ??  S      0:00.00 sh -c ps -ax |grep suricata 2>&1
    11194  ??  S      0:00.00 grep suricata
    
    

    Here's what I was able to pull remotely from the UI for suricata.log

    
    18/7/2014 -- 06:48:36 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    18/7/2014 -- 06:48:37 - <info>-- preallocated 65535 defrag trackers of size 88
    18/7/2014 -- 06:48:37 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    18/7/2014 -- 06:48:37 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    18/7/2014 -- 06:48:37 - <info>-- preallocated 1024 packets. Total memory 3135488
    18/7/2014 -- 06:48:37 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    18/7/2014 -- 06:48:37 - <info>-- preallocated 1000 hosts of size 60
    18/7/2014 -- 06:48:37 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    18/7/2014 -- 06:48:37 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    18/7/2014 -- 06:48:37 - <info>-- preallocated 10000 flows of size 144
    18/7/2014 -- 06:48:37 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    18/7/2014 -- 06:48:37 - <info>-- IP reputation disabled
    18/7/2014 -- 06:48:37 - <info>-- Added "35" classification types from the classification file
    18/7/2014 -- 06:48:37 - <info>-- Added "19" reference types from the reference.config file
    18/7/2014 -- 06:48:37 - <info>-- using magic-file /usr/share/misc/magic
    18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
    18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
    18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
    18/7/2014 -- 06:49:30 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
    18/7/2014 -- 06:49:30 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    18/7/2014 -- 06:49:32 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    18/7/2014 -- 06:49:49 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    18/7/2014 -- 06:49:55 - <info>-- Threshold config parsed: 2 rule(s) found
    18/7/2014 -- 06:49:55 - <info>-- Core dump size is unlimited.
    18/7/2014 -- 06:49:55 - <info>-- fast output device (regular) initialized: alerts.log
    18/7/2014 -- 06:49:55 - <info>-- Using 1 live device(s).
    18/7/2014 -- 06:49:55 - <info>-- using interface bridge0
    18/7/2014 -- 06:49:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    18/7/2014 -- 06:49:55 - <info>-- Found an MTU of 1500 for 'bridge0'
    18/7/2014 -- 06:49:55 - <info>-- Set snaplen to 1500 for 'bridge0'
    18/7/2014 -- 06:49:55 - <info>-- RunModeIdsPcapAutoFp initialised
    18/7/2014 -- 06:49:55 - <info>-- stream "max-sessions": 262144
    18/7/2014 -- 06:49:55 - <info>-- stream "prealloc-sessions": 32768
    18/7/2014 -- 06:49:55 - <info>-- stream "memcap": 33554432
    18/7/2014 -- 06:49:55 - <info>-- stream "midstream" session pickups: disabled
    18/7/2014 -- 06:49:55 - <info>-- stream "async-oneside": disabled
    18/7/2014 -- 06:49:55 - <info>-- stream "checksum-validation": disabled
    18/7/2014 -- 06:49:55 - <info>-- stream."inline": disabled
    18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "memcap": 67108864
    18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "depth": 0
    18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    18/7/2014 -- 06:49:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
    18/7/2014 -- 06:49:55 - <info>-- Signal Received.  Stopping engine.
    18/7/2014 -- 06:49:55 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
    18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Packets 0, bytes 0
    18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Pcap Total:5 Recv:5 Drop:0 (0.0%).
    18/7/2014 -- 06:49:55 - <info>-- AutoFP - Total flow handler queues - 1
    18/7/2014 -- 06:49:55 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
    18/7/2014 -- 06:49:55 - <info>-- Stream TCP processed 0 TCP packets
    18/7/2014 -- 06:49:55 - <info>-- Fast log output wrote 0 alerts
    18/7/2014 -- 06:49:55 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    18/7/2014 -- 06:49:56 - <info>-- cleaning up signature grouping structure... complete
    18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
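Two things in the log above are worth separating when reading it. The SC_ERR_INVALID_SIGNATURE errors are emitted while the rules are being loaded (06:48:37), and the engine still reports "engine started" afterwards (06:49:55), so those ten bad Snort-syntax rules did not prevent start-up. The "Signal Received. Stopping engine." line lands in the same second as the start, "time elapsed" is under a tenth of a second, and "Child died unexpectedly" comes after the normal shutdown statistics; suricata.log does not record what sent that signal. The script below is an added example, not code from this thread or from the pfSense package: it parses a log in this format and pulls those facts apart, listing the SIDs that failed to parse, the loaded/failed counts, the gap between "engine started" and "Signal Received", and whether the child-died error appeared. The embedded log is constructed and abridged from the format shown above (three of the failing signatures, shortened, so its summary line says 3 failed).

```python
"""Triage one Suricata start/stop cycle in suricata.log (added example, not from the thread)."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed, abridged sample in the format of the log posted above.
SAMPLE_LOG = """\
18/7/2014 -- 06:48:37 - <info>-- Delayed detect disabled
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; dsize:267<>276; http_header; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013"; content:"-2013.zip|0D 0A|"; fast_pattern:only; within:1; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
18/7/2014 -- 06:48:37 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; dsize:146; urilen:1; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
18/7/2014 -- 06:49:05 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 3 rules failed
18/7/2014 -- 06:49:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
18/7/2014 -- 06:49:55 - <info>-- Signal Received.  Stopping engine.
18/7/2014 -- 06:49:55 - <info>-- time elapsed 0.091s
18/7/2014 -- 06:49:55 - <info>-- (RxPcapbridg) Pcap Total:5 Recv:5 Drop:0 (0.0%).
18/7/2014 -- 06:49:57 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)>-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"\[ERRCODE: (\w+)\(\d+\)\]")
SID_RE = re.compile(r"\bsid:(\d+);")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
ELAPSED_RE = re.compile(r"time elapsed ([\d.]+)s")


def parse_log(text):
    """Yield (timestamp, level, message) for every well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m["ts"], "%d/%m/%Y -- %H:%M:%S"), m["level"], m["msg"]


def triage(text):
    """Collect the facts that matter for a 'why did it stop' question."""
    report = {"failed_sids": [], "errcodes": Counter(), "rules_loaded": None,
              "rules_failed": None, "engine_started": None, "signal_received": None,
              "elapsed_s": None, "child_died": False}
    for ts, level, msg in parse_log(text):
        if level == "error":
            code = ERRCODE_RE.search(msg)
            if code:
                report["errcodes"][code.group(1)] += 1
            if "error parsing signature" in msg:   # one such line per rejected rule
                sid = SID_RE.search(msg)
                if sid:
                    report["failed_sids"].append(int(sid.group(1)))
            if "Child died unexpectedly" in msg:
                report["child_died"] = True
            continue
        loaded = LOADED_RE.search(msg)
        elapsed = ELAPSED_RE.search(msg)
        if loaded:
            report["rules_loaded"], report["rules_failed"] = int(loaded[1]), int(loaded[2])
        elif "engine started" in msg:
            report["engine_started"] = ts
        elif msg.startswith("Signal Received"):
            report["signal_received"] = ts
        elif elapsed:
            report["elapsed_s"] = float(elapsed[1])
    return report


def verdict(report):
    """One-line reading of the cycle, based only on what the log records."""
    if report["engine_started"] is None:
        return "engine never started: look at config/rule errors"
    if report["signal_received"] is not None:
        gap = (report["signal_received"] - report["engine_started"]).total_seconds()
        if gap < 1.0:
            return "stopped by external signal immediately after start"
        return "stopped by external signal after %.0fs" % gap
    if report["child_died"]:
        return "child died without a stop signal"
    return "no shutdown recorded (still running or log truncated)"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = triage(text)
    print("rules loaded/failed:", rep["rules_loaded"], rep["rules_failed"])
    print("SIDs that failed to parse:", rep["failed_sids"])
    print("error codes:", dict(rep["errcodes"]))
    print("engine ran %ss; child died: %s" % (rep["elapsed_s"], rep["child_died"]))
    print("verdict:", verdict(rep))
```

Pass the path of the real suricata.log as the first argument to run it against the full file; the failed-SID list is the set of rules to disable or fix in the rule set, and the verdict separates a rule-loading failure from an engine that came up and was then told to stop.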
    


  • It stopped again, this time running exclusively on that interface

    
    21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
    21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
    21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
    21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
    21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
    21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
    21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
    21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
    21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
    21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
    21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
    21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
    21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
    21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
    21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
    21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
    21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
    21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
    21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
    21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
    21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
    21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
    21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
    21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
    21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
    21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
    21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
    21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
    21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
    21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
    21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
    21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
    21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
    21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    


  • @Trel:

    It stopped again, this time running exclusively on that interface

    
    21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 65535 defrag trackers of size 88
    21/7/2014 -- 09:17:32 - <info>-- defrag memory usage: 6553512 bytes, maximum: 33554432
    21/7/2014 -- 09:17:32 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    21/7/2014 -- 09:17:32 - <info>-- preallocated 1024 packets. Total memory 3135488
    21/7/2014 -- 09:17:32 - <info>-- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 1000 hosts of size 60
    21/7/2014 -- 09:17:32 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    21/7/2014 -- 09:17:32 - <info>-- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    21/7/2014 -- 09:17:32 - <info>-- preallocated 10000 flows of size 144
    21/7/2014 -- 09:17:32 - <info>-- flow memory usage: 2226432 bytes, maximum: 33554432
    21/7/2014 -- 09:17:32 - <info>-- IP reputation disabled
    21/7/2014 -- 09:17:32 - <info>-- Added "35" classification types from the classification file
    21/7/2014 -- 09:17:32 - <info>-- Added "19" reference types from the reference.config file
    21/7/2014 -- 09:17:32 - <info>-- using magic-file /usr/share/misc/magic
    21/7/2014 -- 09:17:32 - <info>-- Delayed detect disabled
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 128
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 188
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 290
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 291
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 297
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 416
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 420
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_header seen with a distance or within without a previous http_header content.  Invalidating signature.
    21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 490
    21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
    21/7/2014 -- 09:18:28 - <info>-- 15138 signatures processed. 891 are IP-only rules, 4280 are inspecting packet payload, 11544 inspect application layer, 0 are decoder event only
    21/7/2014 -- 09:18:28 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    21/7/2014 -- 09:18:30 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    21/7/2014 -- 09:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    21/7/2014 -- 09:18:54 - <info>-- Threshold config parsed: 2 rule(s) found
    21/7/2014 -- 09:18:54 - <info>-- Core dump size is unlimited.
    21/7/2014 -- 09:18:54 - <info>-- fast output device (regular) initialized: alerts.log
    21/7/2014 -- 09:18:54 - <info>-- Using 1 live device(s).
    21/7/2014 -- 09:18:54 - <info>-- using interface bridge0
    21/7/2014 -- 09:18:54 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    21/7/2014 -- 09:18:54 - <info>-- Found an MTU of 1500 for 'bridge0'
    21/7/2014 -- 09:18:54 - <info>-- Set snaplen to 1500 for 'bridge0'
    21/7/2014 -- 09:18:54 - <info>-- RunModeIdsPcapAutoFp initialised
    21/7/2014 -- 09:18:54 - <info>-- stream "max-sessions": 262144
    21/7/2014 -- 09:18:54 - <info>-- stream "prealloc-sessions": 32768
    21/7/2014 -- 09:18:54 - <info>-- stream "memcap": 33554432
    21/7/2014 -- 09:18:54 - <info>-- stream "midstream" session pickups: disabled
    21/7/2014 -- 09:18:54 - <info>-- stream "async-oneside": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream "checksum-validation": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream."inline": disabled
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "memcap": 67108864
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "depth": 0
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    21/7/2014 -- 09:18:54 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
    21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
    21/7/2014 -- 09:18:54 - <info>-- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
    21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Packets 0, bytes 0
    21/7/2014 -- 09:18:54 - <info>-- (RxPcapbridg) Pcap Total:35 Recv:35 Drop:0 (0.0%).
    21/7/2014 -- 09:18:54 - <info>-- AutoFP - Total flow handler queues - 1
    21/7/2014 -- 09:18:54 - <info>-- AutoFP - Queue 0  - pkts: 0            flows: 0           
    21/7/2014 -- 09:18:54 - <info>-- Stream TCP processed 0 TCP packets
    21/7/2014 -- 09:18:54 - <info>-- Fast log output wrote 0 alerts
    21/7/2014 -- 09:18:54 - <info>-- host memory usage: 109152 bytes, maximum: 16777216
    21/7/2014 -- 09:18:54 - <info>-- cleaning up signature grouping structure... complete
    21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    

    You appear to be running the Snort VRT ruleset with Suricata.  While most of the rules will work, some don't compile at all, and some may not compile correctly.  You can see the errors from the "failed to compile" rules in your logs.  Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense).  The Emerging Threats rules should all compile and run without a problem.  Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

    I am working on an update to bring Suricata to the 2.0.2 binary on pfSense.  Hopefully I can get that out in about a month – or maybe less.  I have it working in my test environment.  Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

    My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata.  When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

    Bill
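
    An added example, not code from this thread, from the pfSense package or from the Suricata project: a small Python triage script for a suricata.log of the kind posted above. It pairs each "error parsing signature" line with the explanatory error Suricata prints just before it and pulls out the SID, rules file and line number; reads the "rules successfully loaded / rules failed" summary; measures how long the engine lived between "engine started" and "Signal Received"; and records whether the daemonising parent logged "Child died unexpectedly" (that message is the parent's, written when the child it forked exits before the parent has received the child's ready signal). The sample lines are copied from the 21/7/2014 log, with the two quoted rule bodies shortened to the keywords the error is about. The script only reports what the log says; it does not claim to know why the stop signal arrived.

```python
"""Triage a Suricata 1.4.x suricata.log: which rules were rejected and why,
and how long the engine lived before it was told to stop."""
import re
from datetime import datetime

# Constructed sample: lines copied from the 21/7/2014 log in the thread, with the
# two quoted rule bodies shortened to the keywords the error message is about.
SAMPLE_LOG = """\
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; http_header; urilen:159; sid:25675; rev:7;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 59
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
21/7/2014 -- 09:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-"; within:1; distance:-14; http_header; sid:26470; rev:1;)" from file /usr/pbi/suricata-i386/etc/suricata/suricata_32366_bridge0/rules/suricata.rules at line 93
21/7/2014 -- 09:18:02 - <info>-- 2 rule files processed. 15137 rules successfully loaded, 10 rules failed
21/7/2014 -- 09:18:54 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
21/7/2014 -- 09:18:54 - <info>-- Signal Received.  Stopping engine.
21/7/2014 -- 09:18:54 - <info>-- time elapsed 0.092s
21/7/2014 -- 09:18:55 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
"""

# Both "<info>--" (21/7 log) and "<info> --" (3/8 log) occur, hence the \s*.
LINE_RE = re.compile(r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
                     r"<(?P<level>\w+)>\s*-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
BAD_SIG_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SUMMARY_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
ELAPSED_RE = re.compile(r"time elapsed ([\d.]+)s")


def _ts(m):
    return datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")


def triage(log_text):
    """Return a dict summarising rule-load failures and the engine's lifetime."""
    r = {"failed_rules": [], "rules_loaded": None, "rules_failed": None,
         "engine_started": None, "stop_signal": None, "engine_uptime_s": None,
         "time_elapsed_s": None, "child_died": False}
    pending_reason = None  # Suricata logs the reason first, then the offending rule
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["level"] == "error":
            e = ERRCODE_RE.match(msg)
            text = e["text"] if e else msg
            bad = BAD_SIG_RE.match(text)
            if bad:
                sid = re.search(r"sid:(\d+);", bad["rule"])
                name = re.search(r'msg:"([^"]*)"', bad["rule"])
                r["failed_rules"].append({
                    "sid": int(sid.group(1)) if sid else None,
                    "msg": name.group(1) if name else "",
                    "reason": pending_reason or "(no reason line)",
                    "file": bad["file"], "line": int(bad["line"])})
                pending_reason = None
            elif "Child died unexpectedly" in text:
                r["child_died"] = True
            else:
                pending_reason = text
            continue
        s = SUMMARY_RE.search(msg)
        if s:
            r["rules_loaded"], r["rules_failed"] = int(s.group(2)), int(s.group(3))
        elif msg.endswith("engine started."):
            r["engine_started"] = _ts(m)
        elif msg.startswith("Signal Received"):
            r["stop_signal"] = _ts(m)
        elif ELAPSED_RE.search(msg):
            r["time_elapsed_s"] = float(ELAPSED_RE.search(msg).group(1))
    if r["engine_started"] and r["stop_signal"]:
        r["engine_uptime_s"] = (r["stop_signal"] - r["engine_started"]).total_seconds()
    return r


def verdict(r):
    """Turn the report into the observations a troubleshooter needs."""
    notes = []
    if r["rules_failed"]:
        sids = ", ".join(str(f["sid"]) for f in r["failed_rules"])
        notes.append(f"{r['rules_failed']} rule(s) rejected at load time and therefore inactive "
                     f"(SIDs with a logged reason: {sids}).")
    if r["engine_uptime_s"] is not None and r["engine_uptime_s"] < 2:
        notes.append(f"stop signal {r['engine_uptime_s']:.0f}s after 'engine started' "
                     f"(Suricata's own counter: {r['time_elapsed_s']}s): the engine was signalled "
                     "to stop in the same second it came up.")
    if r["child_died"]:
        notes.append("'Child died unexpectedly' comes from the daemonising parent: the child it forked "
                     "exited before the parent saw its ready signal. Look at the child's lines above it.")
    return notes


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["failed_rules"]:
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {f['reason']}")
    print("\n".join(verdict(triage(SAMPLE_LOG))))
```

    Point it at the suricata.log for the interface that keeps stopping (read the file in place of SAMPLE_LOG). On the log quoted in this post it lists the ten rejected SIDs with their reasons and then reports that the stop signal arrived zero seconds after start, which is the part worth chasing: a rule that failed to parse is not loaded at all, so the rejected SIDs cannot be what stops the engine, and the question becomes where the signal came from.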



  • @bmeeks:

    You appear to be running the Snort VRT ruleset with Suricata.  While most of the rules will work, some don't compile at all, and some may not compile correctly.  You can see the errors from the "failed to compile" rules in your logs.  Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense).  The Emerging Threats rules should all compile and run without a problem.  Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

    I am working on an update to bring Suricata to the 2.0.2 binary on pfSense.  Hopefully I can get that out in about a month – or maybe less.  I have it working in my test environment.  Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

    My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata.  When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

    Bill

    I can try disabling the Snort rules; however, it's important to note that it only stops like this if I run it on my LAN interface.  If I have it running on WAN, that doesn't happen.

    EDIT, left out the important part of that.
    Why that's interesting is that it means it needs to be traffic between wired and wireless devices, as that would be the only traffic pfSense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.



  • @Trel:

    @bmeeks:

    You appear to be running the Snort VRT ruleset with Suricata.  While most of the rules will work, some don't compile at all, and some may not compile correctly.  You can see the errors from the "failed to compile" rules in your logs.  Snort uses some rule keywords and operands that Suricata does not understand (at least the 1.4.6 version currently used on pfSense).  The Emerging Threats rules should all compile and run without a problem.  Of course those rules do not offer the convenient IPS Policy settings that are in the Snort rules.

    I am working on an update to bring Suricata to the 2.0.2 binary on pfSense.  Hopefully I can get that out in about a month – or maybe less.  I have it working in my test environment.  Hopefully the newer binary will play better with the Snort VRT rules, but I still don't expect 100% compliance.

    My theory in your specific case is some particular alert or network traffic pattern is triggering one of the "did not compile quite 100% correctly" rules, and that rule is clobbering Suricata.  When I say "not quite 100% correctly", I mean it did not compile correctly but also did not print an error in the log.

    Bill

    I can try disabling the Snort rules; however, it's important to note that it only stops like this if I run it on my LAN interface.  If I have it running on WAN, that doesn't happen.

    EDIT, left out the important part of that.
    Why that's interesting is that it means it needs to be traffic between wired and wireless devices, as that would be the only traffic pfSense would see on LAN (a bridge of those two ports) that doesn't ALSO happen on WAN.

    When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them?  If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not.  Perhaps some other users can chime in here with their experience…

    Bill



  • @bmeeks:

    When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them?  If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not.  Perhaps some other users can chime in here with their experience…

    Bill

    The LAN interface is a bridge of ports em0 and em1.
    em0 goes to a switch
    em1 goes to an access point



  • @Trel:

    @bmeeks:

    When you say "bridge of those two ports" do you mean a literal bridge, or a figurative one where the Wired and Wireless LANs each have their own subnet and the firewall is routing between them?  If you mean a literal bridge, then I have not tested Suricata in that configuration and can't say if it works correctly or not.  Perhaps some other users can chime in here with their experience…

    Bill

    The LAN interface is a bridge of ports em0 and em1.
    em0 goes to a switch
    em1 goes to an access point

    Well, it could very well be the bridge configuration that is tripping up Suricata.  Do you have "block offenders" enabled or not?  If you do, try turning it off to see if that helps.  That will eliminate some of the Suricata code.  Please report back with the results as it can help me troubleshoot.

    Bill



  • It crashed a few times on my guest Wi-Fi network.

    
    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
    3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
    3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
    3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
    3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
    3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
    3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
    3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
    3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
    3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
    3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
    3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
    3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
    3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
    3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
    3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
    3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
    3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
    3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
    3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
    3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
    3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
    3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
    3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
    3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
    3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0           
    3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
    3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
    3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
    3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
    3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    

    That's a Wi-Fi interface off pfSense.