Current Bugs in Suricata 1.4.6 package – help me make sure I have them listed



  • Guys:

    I need help from all the active users of the Suricata package on pfSense.  I am working now on updating the package to use the new 2.0.2 version of the binary.  To be sure I capture and fix all the currently known bugs in the 1.4.6 package, I wanted to start this thread listing only known current Suricata bugs.

    REMEMBER:  please list only bugs you have found.  Put requests for feature changes or new features in a separate thread.  This thread needs to stay focused on known bugs so I can be sure to address them in the upcoming update.

    Just so you are aware, these are the major feature changes that are coming in Suricata 2.0.2:  (1) addition of CARP Sync feature like Snort has; (2) revert back to the old behavior for icons when force enabling or disabling a rule on the RULES tab; (3) allow altering of the syslog facility used for Suricata log messages; and (4) add new variables for FTP_SERVERS and SSH_SERVERS to GUI.  In addition, there are some new features within the 2.0.2 binary itself around DNS request inspection/detection.

    Known Bugs:

    I will start with the list I currently have that I produced by looking through past posts here in the forum.

    1.  The phrase "sid-msg.map" is misspelled as "sig-msg.map" in some log messages.

    2.  On the LOGS MGMT tab, when choosing NO LIMIT for max log sizes or KEEP ALL for retention periods, the change is not saved and the setting reverts back to the default values.

    3.  The cron task for rotating log files reports an error about a missing file when a log file is not actually present because it has not been enabled.  The cron task should check first to see if the log file is present before attempting to check for rotation.

    4.  On the BLOCKED and ALERTS tabs, certain events may trigger an error similar to: "Warning: inet_pton(): Unrecognized address…".  This also results in garbled formatting for the tab display.

    5.  IPv6 Link-Local addresses are not correctly parsed and added to the HOME_NET variable and to the default pass list.  The interface is left appended to the end of the address, and this causes Suricata to throw an error and not parse the HOME_NET variable.

    6.  Pass Lists created on the PASS LIST tab are not available in the drop-down for HOME NET selection on the INTERFACE tab for a Suricata instance.

    7.  Suricata decoder events are not logged in the ALERTS tab of the GUI.

    8.  The cron task for clearing blocked hosts sends an error e-mail when there are no hosts currently being blocked.  Need to add the "-q" option to the pfctl command line.

    9.  After recent changes at the snort.org web site, Snort VRT rules no longer download in Suricata because the VRT eliminated the snortrules-snapshot-edge.tar.gz file the Suricata package uses.

    If I missed listing a bug you know about, please reply to this thread.

    Thanks,
    Bill
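The address handling behind bugs #4 and #5 (an IPv6 zone identifier such as `%em1` left on a link-local address, and values reaching `inet_pton()` unvalidated), shown as an added example that is not code from the pfSense Suricata package (which is PHP): it strips the zone identifier, validates each entry the same way `inet_pton()` would, and builds the HOME_NET list. The function names and the sample entries are assumptions made for the illustration; this is the logic, not a drop-in patch for the package.

```python
"""Normalise HOME_NET / pass-list entries before they reach Suricata.

Added example for bugs #4 and #5 in the list above; this is not code from
the pfSense Suricata package (which is PHP).  Function names and the sample
entries are assumptions made for the illustration.
"""
import ipaddress

# Constructed sample of what an interface scan might yield on pfSense: a normal
# IPv4 network, a link-local IPv6 address with the interface still appended
# (the shape that breaks HOME_NET in bug #5), the same with a prefix length,
# an IPv6 prefix, a garbage entry that would trip inet_pton() (bug #4), and a host.
SAMPLE_ENTRIES = [
    "192.168.1.0/24",
    "fe80::20c:29ff:fe12:3456%em1",
    "fe80::20c:29ff:fe12:3456%em1/64",
    "2001:db8:a000:eb00::/60",
    "not-an-address",
    "127.0.0.1",
]


def strip_zone_id(entry: str) -> str:
    """Drop an IPv6 zone id: 'fe80::1%em1' -> 'fe80::1', 'fe80::1%em1/64' -> 'fe80::1/64'.

    Suricata's address parser does not understand the '%iface' suffix, so it has to
    go before the value is written into HOME_NET or the pass list.
    """
    addr, sep, rest = entry.partition("%")
    if sep and "/" in rest:
        # The prefix length follows the zone id; keep it, drop the zone.
        addr = addr + "/" + rest.split("/", 1)[1]
    return addr


def normalize_entry(entry: str):
    """Return a validated ipaddress network (hosts become /32 or /128), or None if invalid.

    This is the same check inet_pton() performs; doing it here, before the value is
    displayed or written to a config, keeps the "Unrecognized address" warning of
    bug #4 out of the ALERTS/BLOCKED tabs.
    """
    cleaned = strip_zone_id(entry.strip())
    if not cleaned:
        return None
    try:
        # strict=False so an interface address like 10.0.0.1/24 yields 10.0.0.0/24.
        return ipaddress.ip_network(cleaned, strict=False)
    except ValueError:
        return None


def build_home_net(entries):
    """Build the HOME_NET list string Suricata expects and report rejected entries."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        net = normalize_entry(raw)
        if net is None:
            rejected.append(raw)
            continue
        text = net.with_prefixlen
        if text not in seen:  # deduplicate, e.g. the same prefix seen on two scans
            seen.add(text)
            accepted.append(text)
    return "[" + ",".join(accepted) + "]", rejected


if __name__ == "__main__":
    home_net, bad = build_home_net(SAMPLE_ENTRIES)
    print("HOME_NET:", home_net)
    print("rejected:", bad)
```

Rejected entries are returned rather than silently dropped so the GUI (or a log line) can show the operator which address was skipped, which is the check the cron and display code in bugs #3, #4 and #5 is missing.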



  • Thank you for your hard work.

    Question on #9: I have no problem downloading the Snort VRT rules manually; is there a way to manually update Suricata? LOL, I tried to move them to a local web server and change the settings in *.inc and *.php files and it still failed.. LOL.

    9.  After recent changes at the snort.org web site, Snort VRT rules no longer download in Suricata because the VRT eliminated the snortrules-snapshot-edge.tar.gz file the Suricata package uses.



  • Somehow the interface name in the widget is not always correct. The name is ok on the alert-tab.
    Same goes for the Snort widget.

    e.g. WAN2 is displayed as OPT2 even when OPT2 doesn't exist.



  • I'm getting a lot of instances of duplicate processes after an automatic restart. This is usually happening either during a rules update or my dyndns refreshing. I was running Suricata on both LAN and WAN and the duplicate would only happen on one interface and the other would crash. Here is the system log from the last time it happened.

    Aug  4 10:03:12 pfsense check_reload_status: updating dyndns WAN_DHCP
    Aug  4 10:03:12 pfsense check_reload_status: Restarting ipsec tunnels
    Aug  4 10:03:12 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:12 pfsense check_reload_status: Reloading filter
    Aug  4 10:03:12 pfsense check_reload_status: updating dyndns WAN_DHCP6
    Aug  4 10:03:12 pfsense check_reload_status: Restarting ipsec tunnels
    Aug  4 10:03:12 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:12 pfsense check_reload_status: Reloading filter
    Aug  4 10:03:15 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Aug  4 10:03:15 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:15 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
    Aug  4 10:03:15 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:16 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:16 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:16 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:18 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:18 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:18 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:18 pfsense check_reload_status: Starting packages
    Aug  4 10:03:21 pfsense php: rc.start_packages: Restarting/Starting all packages.
    Aug  4 10:03:21 pfsense php: rc.start_packages: The command '/usr/pbi/unbound-amd64/sbin/unbound-control dump_cache > /var/tmp/unbound_cache' returned exit code '1', the output was '' 
    Aug  4 10:03:23 pfsense php: config.inc: The command '/usr/pbi/unbound-amd64/sbin/unbound-control dump_cache > /var/tmp/unbound_cache' returned exit code '1', the output was '' 
    Aug  4 10:03:24 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:24 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:25 pfsense check_reload_status: updating dyndns WAN_DHCP
    Aug  4 10:03:25 pfsense check_reload_status: Restarting ipsec tunnels
    Aug  4 10:03:25 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:25 pfsense check_reload_status: updating dyndns WAN_DHCP6
    Aug  4 10:03:25 pfsense check_reload_status: Restarting ipsec tunnels
    Aug  4 10:03:25 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:28 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
    Aug  4 10:03:28 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Aug  4 10:03:28 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:28 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:28 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:28 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:28 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:29 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:29 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:31 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:31 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:31 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:31 pfsense check_reload_status: Starting packages
    Aug  4 10:03:32 pfsense check_reload_status: updating dyndns WAN_DHCP
    Aug  4 10:03:32 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:32 pfsense check_reload_status: updating dyndns WAN_DHCP6
    Aug  4 10:03:32 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:34 pfsense php: rc.start_packages: Restarting/Starting all packages.
    Aug  4 10:03:34 pfsense php: rc.start_packages: The command '/usr/pbi/unbound-amd64/sbin/unbound-control dump_cache > /var/tmp/unbound_cache' returned exit code '1', the output was '' 
    Aug  4 10:03:34 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:35 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:36 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:36 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:36 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:38 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:38 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:38 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:38 pfsense check_reload_status: Starting packages
    Aug  4 10:03:40 pfsense check_reload_status: updating dyndns WAN_DHCP
    Aug  4 10:03:40 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:40 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '' 
    Aug  4 10:03:41 pfsense php: rc.start_packages: Restarting/Starting all packages.
    Aug  4 10:03:42 pfsense check_reload_status: updating dyndns WAN_DHCP6
    Aug  4 10:03:42 pfsense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Aug  4 10:03:43 pfsense squid[80578]: Squid Parent: will start 1 kids
    Aug  4 10:03:43 pfsense squid[80578]: Squid Parent: (squid-1) process 80812 started
    Aug  4 10:03:43 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Aug  4 10:03:43 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:43 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:43 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:43 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:43 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:45 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
    Aug  4 10:03:45 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:45 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:03:45 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:03:45 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:45 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:45 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:45 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:46 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:46 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:46 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:47 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:03:47 pfsense kernel: pid 648 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:03:49 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:49 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:49 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:50 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:50 pfsense kernel: pid 25255 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: Restarting/Starting all packages.
    Aug  4 10:03:55 pfsense squid[80578]: Squid Parent: (squid-1) process 80812 exited with status 0
    Aug  4 10:03:58 pfsense squid[44697]: Squid Parent: will start 1 kids
    Aug  4 10:03:58 pfsense squid[44697]: Squid Parent: (squid-1) process 45148 started
    Aug  4 10:04:00 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:04:00 pfsense php: servicewatchdog_cron.php: Service Watchdog detected service ntpd stopped. Restarting ntpd (NTP clock sync)
    Aug  4 10:04:00 pfsense php: servicewatchdog_cron.php: NTPD is starting up.
    Aug  4 10:04:02 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:04:02 pfsense kernel: pid 50397 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:04:04 pfsense check_reload_status: Syncing firewall
    Aug  4 10:04:05 pfsense check_reload_status: Syncing firewall
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:06 pfsense kernel: pid 54583 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:04:07 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/cron.sh stop' returned exit code '1', the output was '' 
    Aug  4 10:04:08 pfsense SuricataStartup[63688]: Suricata STOP for WAN(54710_em1)...
    Aug  4 10:04:08 pfsense kernel: em1: promiscuous mode disabled
    Aug  4 10:04:13 pfsense SuricataStartup[69652]: Suricata START for WAN(54710_em1)...
    Aug  4 10:04:21 pfsense kernel: em1: promiscuous mode enabled
    Aug  4 10:04:23 pfsense SuricataStartup[81165]: Suricata STOP for WAN(54710_em1)...
    Aug  4 10:04:24 pfsense kernel: em1: promiscuous mode disabled
    Aug  4 10:04:28 pfsense SuricataStartup[88728]: Suricata START for WAN(54710_em1)...
    Aug  4 10:04:35 pfsense ladvd: only -1 bytes written: Connection reset by peer
    Aug  4 10:04:37 pfsense kernel: em1: promiscuous mode enabled
    

    Here is the Suricata log, but I don't see anything useful in it.

    4/8/2014 -- 10:04:28 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 65535 defrag trackers of size 120
    4/8/2014 -- 10:04:29 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    4/8/2014 -- 10:04:29 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    4/8/2014 -- 10:04:29 - <info>-- preallocated 1024 packets. Total memory 4294656
    4/8/2014 -- 10:04:29 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 1000 hosts of size 96
    4/8/2014 -- 10:04:29 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
    4/8/2014 -- 10:04:29 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 10000 flows of size 224
    4/8/2014 -- 10:04:29 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
    4/8/2014 -- 10:04:29 - <info>-- IP reputation disabled
    4/8/2014 -- 10:04:29 - <info>-- Added "35" classification types from the classification file
    4/8/2014 -- 10:04:29 - <info>-- Added "19" reference types from the reference.config file
    4/8/2014 -- 10:04:29 - <info>-- using magic-file /usr/share/misc/magic
    4/8/2014 -- 10:04:29 - <info>-- Delayed detect disabled
    4/8/2014 -- 10:04:32 - <info>-- 2 rule files processed. 3752 rules successfully loaded, 0 rules failed
    4/8/2014 -- 10:04:34 - <info>-- 3752 signatures processed. 296 are IP-only rules, 923 are inspecting packet payload, 2866 inspect application layer, 0 are decoder event only
    4/8/2014 -- 10:04:34 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    4/8/2014 -- 10:04:34 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    4/8/2014 -- 10:04:36 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    4/8/2014 -- 10:04:37 - <info>-- Threshold config parsed: 2 rule(s) found
    4/8/2014 -- 10:04:37 - <info>-- Core dump size is unlimited.
    4/8/2014 -- 10:04:37 - <info>-- alert-pf output device (regular) initialized: block.log
    4/8/2014 -- 10:04:37 - <info>-- Invalid IP(2XXX:a000:eb00:1700::/60) parameter provided in Pass List, skipping...
    4/8/2014 -- 10:04:37 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_54710_em1/passlist parsed: 11 IP addresses loaded.
    4/8/2014 -- 10:04:37 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    4/8/2014 -- 10:04:37 - <info>-- fast output device (regular) initialized: alerts.log
    4/8/2014 -- 10:04:37 - <info>-- http-log output device (regular) initialized: http.log
    4/8/2014 -- 10:04:37 - <info>-- Using 1 live device(s).
    4/8/2014 -- 10:04:37 - <info>-- using interface em1
    4/8/2014 -- 10:04:37 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    4/8/2014 -- 10:04:37 - <info>-- Found an MTU of 1500 for 'em1'
    4/8/2014 -- 10:04:37 - <info>-- Set snaplen to 1500 for 'em1'
    4/8/2014 -- 10:04:37 - <info>-- RunModeIdsPcapAutoFp initialised
    4/8/2014 -- 10:04:37 - <info>-- stream "max-sessions": 262144
    4/8/2014 -- 10:04:37 - <info>-- stream "prealloc-sessions": 32768
    4/8/2014 -- 10:04:37 - <info>-- stream "memcap": 33554432
    4/8/2014 -- 10:04:37 - <info>-- stream "midstream" session pickups: disabled
    4/8/2014 -- 10:04:37 - <info>-- stream "async-oneside": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream "checksum-validation": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream."inline": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "memcap": 67108864
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "depth": 0
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    4/8/2014 -- 10:04:37 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    4/8/2014 -- 10:05:16 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    I'm running 2.1.4-RELEASE (amd64). I've uninstalled the package, ran a find / -name "suricata*", deleted everything remaining, and then reinstalled to no avail. I haven't had a chance to try on a fresh system yet and won't for a few weeks so I can't be sure this isn't related to something broken on my install but I thought I'd mention it here.
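One way to see the condition this post describes from the process table, and to guard a start script against it, as an added example that is not code from the pfSense Suricata package: the `ps` lines are constructed, and the assumption that an instance is identified by its `-c` config path (a directory named `suricata_<id>_<iface>`, the naming visible in the log paths above) is made for the illustration. It does not claim to explain why the restarts happen.

```python
"""Find duplicate Suricata instances per interface and guard a start against them.

Added example for the duplicate-process report above; this is not code from the
pfSense Suricata package.  The `ps` lines are constructed, and the assumption that
an instance is identified by its -c config path (directory suricata_<id>_<iface>,
the naming visible in the log paths above) is made for the illustration.
"""
import re
import subprocess
from collections import defaultdict

# Matches the per-interface config directory in a Suricata command line, e.g.
# ... -c /usr/pbi/suricata-amd64/etc/suricata/suricata_54710_em1/suricata.yaml
INSTANCE_RE = re.compile(r"-c\s+\S*/(suricata_\d+_[A-Za-z0-9]+)/suricata\.yaml")

# Constructed sample of `ps -axww -o pid,command` during a restart storm like the
# one in the system log: two copies for the WAN instance, one for LAN, plus an
# unrelated shell.
SAMPLE_PS = """\
  PID COMMAND
20311 /usr/pbi/suricata-amd64/bin/suricata -i em1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_54710_em1/suricata.yaml
20415 /usr/pbi/suricata-amd64/bin/suricata -i em1 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_54710_em1/suricata.yaml
20522 /usr/pbi/suricata-amd64/bin/suricata -i em0 -D -c /usr/pbi/suricata-amd64/etc/suricata/suricata_12345_em0/suricata.yaml
 7777 /bin/sh /usr/local/etc/rc.d/suricata.sh start
"""


def instances_by_interface(ps_output: str) -> dict:
    """Map each instance (config directory name) to the PIDs currently running it."""
    found = defaultdict(list)
    for line in ps_output.splitlines()[1:]:  # skip the header row
        line = line.strip()
        if not line:
            continue
        pid_text, _, command = line.partition(" ")
        match = INSTANCE_RE.search(command)
        if match and pid_text.isdigit():
            found[match.group(1)].append(int(pid_text))
    return dict(found)


def duplicates(ps_output: str) -> dict:
    """Instances with more than one process: the condition the post reports."""
    return {name: pids for name, pids in instances_by_interface(ps_output).items()
            if len(pids) > 1}


def safe_to_start(instance: str, ps_output: str) -> bool:
    """Guard to run before a 'Suricata START': False when that instance is already up.

    A start script that checks this (or an equivalent pid-file check) cannot be driven
    into a second copy by repeated package restarts like those in the system log.
    """
    return instance not in instances_by_interface(ps_output)


def live_ps_output() -> str:
    """Read the real process table on FreeBSD/pfSense (not used by the sample run)."""
    return subprocess.check_output(["ps", "-axww", "-o", "pid,command"], text=True)


if __name__ == "__main__":
    print("duplicates:", duplicates(SAMPLE_PS))
    print("safe to start WAN instance:", safe_to_start("suricata_54710_em1", SAMPLE_PS))
```

Run against `live_ps_output()` on the firewall itself to confirm whether a second copy is really present after one of these restarts; the PIDs in `SuricataStartup[...]` log lines are the startup script's, not the daemon's, so they cannot answer that question on their own.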



  • @digdug3:

    Somehow the interface name in the widget is not always correct. The name is ok on the alert-tab.
    Same goes for the Snort widget.

    e.g. WAN2 is displayed as OPT2 even when OPT2 doesn't exist.

    I'll fix this.  I know what the problem is.  Thanks for reporting it.

    Bill



  • @wcrowder:

    Thank you for your hard work.

    Question on #9: I have no problem downloading the Snort VRT rules manually; is there a way to manually update Suricata? LOL, I tried to move them to a local web server and change the settings in *.inc and *.php files and it still failed.. LOL.

    You can work around this by editing only these two lines in these two files:

    In /usr/local/pkg/suricata/suricata.inc change this line on line #78 –

    define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

    to look like this instead –

    define('VRT_DNLD_FILENAME', 'snortrules-snapshot-2962.tar.gz');

    And in /usr/local/pkg/suricata/suricata_check_for_rule_updates.php change this line at line #59 –

    if (!defined("VRT_DNLD_FILENAME"))
    	define("VRT_DNLD_FILENAME", "snortrules-snapshot-edge.tar.gz");

    to look like this –

    if (!defined("VRT_DNLD_FILENAME"))
    	define("VRT_DNLD_FILENAME", "snortrules-snapshot-2962.tar.gz");

    DO NOT CHANGE THE URL TAGS!

    These changes should enable the rules to download again.  If not, post back and give me any errors.

    Bill



  • @DigitalDeviant:

    I'm getting a lot of instances of duplicate processes after an automatic restart. This is usually happening either during a rules update or my dyndns refreshing. I was running Suricata on both LAN and WAN and the duplicate would only happen on one interface and the other would crash. Here is the system log from the last time it happened.

    Aug  4 10:03:43 pfsense squid[80578]: Squid Parent: will start 1 kids
    Aug  4 10:03:43 pfsense squid[80578]: Squid Parent: (squid-1) process 80812 started
    Aug  4 10:03:43 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Aug  4 10:03:43 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:43 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:43 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:43 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:43 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:45 pfsense php: rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
    Aug  4 10:03:45 pfsense php: rc.openvpn: OpenVPN: Resync server1 OpenVPN - Justin
    Aug  4 10:03:45 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:03:45 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:03:45 pfsense php: rc.dyndns.update: Curl error occurred: Could not resolve host: 
    Aug  4 10:03:45 pfsense kernel: ovpns1: link state changed to DOWN
    Aug  4 10:03:45 pfsense kernel: ovpns1: link state changed to UP
    Aug  4 10:03:45 pfsense check_reload_status: rc.newwanip starting ovpns1
    Aug  4 10:03:46 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:46 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:46 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:47 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:03:47 pfsense kernel: pid 648 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:03:49 pfsense php: rc.newwanip: rc.newwanip: Informational is starting ovpns1.
    Aug  4 10:03:49 pfsense php: rc.newwanip: rc.newwanip: on (IP address: 10.0.0.1) (interface: []) (real interface: ovpns1).
    Aug  4 10:03:49 pfsense php: rc.newwanip: pfSense package system has detected an ip change  ->  10.0.0.1 ... Restarting packages.
    Aug  4 10:03:50 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:03:50 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:50 pfsense kernel: pid 25255 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: [Squid] - Squid_resync function call pr:1 bp:1 rpc:no
    Aug  4 10:03:51 pfsense php: rc.start_packages: Restarting/Starting all packages.
    Aug  4 10:03:55 pfsense squid[80578]: Squid Parent: (squid-1) process 80812 exited with status 0
    Aug  4 10:03:58 pfsense squid[44697]: Squid Parent: will start 1 kids
    Aug  4 10:03:58 pfsense squid[44697]: Squid Parent: (squid-1) process 45148 started
    Aug  4 10:04:00 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found' 
    Aug  4 10:04:00 pfsense php: servicewatchdog_cron.php: Service Watchdog detected service ntpd stopped. Restarting ntpd (NTP clock sync)
    Aug  4 10:04:00 pfsense php: servicewatchdog_cron.php: NTPD is starting up.
    Aug  4 10:04:02 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:04:02 pfsense kernel: pid 50397 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:04:04 pfsense check_reload_status: Syncing firewall
    Aug  4 10:04:05 pfsense check_reload_status: Syncing firewall
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense ladvd: ladvd 1.0.4 running
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:05 pfsense php: rc.start_packages: No pfBlocker action during boot process.
    Aug  4 10:04:06 pfsense kernel: pid 54583 (ladvd), uid 0: exited on signal 6 (core dumped)
    Aug  4 10:04:07 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/cron.sh stop' returned exit code '1', the output was '' 
    Aug  4 10:04:08 pfsense SuricataStartup[63688]: Suricata STOP for WAN(54710_em1)...
    Aug  4 10:04:08 pfsense kernel: em1: promiscuous mode disabled
    Aug  4 10:04:13 pfsense SuricataStartup[69652]: Suricata START for WAN(54710_em1)...
    Aug  4 10:04:21 pfsense kernel: em1: promiscuous mode enabled
    Aug  4 10:04:23 pfsense SuricataStartup[81165]: Suricata STOP for WAN(54710_em1)...
    Aug  4 10:04:24 pfsense kernel: em1: promiscuous mode disabled
    Aug  4 10:04:28 pfsense SuricataStartup[88728]: Suricata START for WAN(54710_em1)...
    Aug  4 10:04:35 pfsense ladvd: only -1 bytes written: Connection reset by peer
    Aug  4 10:04:37 pfsense kernel: em1: promiscuous mode enabled
    

    Here is the Suricata log but I don't see anything useful in it.

    4/8/2014 -- 10:04:28 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 65535 defrag trackers of size 120
    4/8/2014 -- 10:04:29 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    4/8/2014 -- 10:04:29 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    4/8/2014 -- 10:04:29 - <info>-- preallocated 1024 packets. Total memory 4294656
    4/8/2014 -- 10:04:29 - <info>-- allocated 98304 bytes of memory for the host hash... 4096 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 1000 hosts of size 96
    4/8/2014 -- 10:04:29 - <info>-- host memory usage: 194304 bytes, maximum: 16777216
    4/8/2014 -- 10:04:29 - <info>-- allocated 1572864 bytes of memory for the flow hash... 65536 buckets of size 24
    4/8/2014 -- 10:04:29 - <info>-- preallocated 10000 flows of size 224
    4/8/2014 -- 10:04:29 - <info>-- flow memory usage: 3812864 bytes, maximum: 33554432
    4/8/2014 -- 10:04:29 - <info>-- IP reputation disabled
    4/8/2014 -- 10:04:29 - <info>-- Added "35" classification types from the classification file
    4/8/2014 -- 10:04:29 - <info>-- Added "19" reference types from the reference.config file
    4/8/2014 -- 10:04:29 - <info>-- using magic-file /usr/share/misc/magic
    4/8/2014 -- 10:04:29 - <info>-- Delayed detect disabled
    4/8/2014 -- 10:04:32 - <info>-- 2 rule files processed. 3752 rules successfully loaded, 0 rules failed
    4/8/2014 -- 10:04:34 - <info>-- 3752 signatures processed. 296 are IP-only rules, 923 are inspecting packet payload, 2866 inspect application layer, 0 are decoder event only
    4/8/2014 -- 10:04:34 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    4/8/2014 -- 10:04:34 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    4/8/2014 -- 10:04:36 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    4/8/2014 -- 10:04:37 - <info>-- Threshold config parsed: 2 rule(s) found
    4/8/2014 -- 10:04:37 - <info>-- Core dump size is unlimited.
    4/8/2014 -- 10:04:37 - <info>-- alert-pf output device (regular) initialized: block.log
    4/8/2014 -- 10:04:37 - <info>-- Invalid IP(2XXX:a000:eb00:1700::/60) parameter provided in Pass List, skipping...
    4/8/2014 -- 10:04:37 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_54710_em1/passlist parsed: 11 IP addresses loaded.
    4/8/2014 -- 10:04:37 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on
    4/8/2014 -- 10:04:37 - <info>-- fast output device (regular) initialized: alerts.log
    4/8/2014 -- 10:04:37 - <info>-- http-log output device (regular) initialized: http.log
    4/8/2014 -- 10:04:37 - <info>-- Using 1 live device(s).
    4/8/2014 -- 10:04:37 - <info>-- using interface em1
    4/8/2014 -- 10:04:37 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    4/8/2014 -- 10:04:37 - <info>-- Found an MTU of 1500 for 'em1'
    4/8/2014 -- 10:04:37 - <info>-- Set snaplen to 1500 for 'em1'
    4/8/2014 -- 10:04:37 - <info>-- RunModeIdsPcapAutoFp initialised
    4/8/2014 -- 10:04:37 - <info>-- stream "max-sessions": 262144
    4/8/2014 -- 10:04:37 - <info>-- stream "prealloc-sessions": 32768
    4/8/2014 -- 10:04:37 - <info>-- stream "memcap": 33554432
    4/8/2014 -- 10:04:37 - <info>-- stream "midstream" session pickups: disabled
    4/8/2014 -- 10:04:37 - <info>-- stream "async-oneside": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream "checksum-validation": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream."inline": disabled
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "memcap": 67108864
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "depth": 0
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    4/8/2014 -- 10:04:37 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    4/8/2014 -- 10:04:37 - <info>-- all 7 packet processing threads, 1 management threads initialized, engine started.
    4/8/2014 -- 10:05:16 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    I'm running 2.1.4-RELEASE (amd64). I've uninstalled the package, ran a find / -name "suricata*", deleted everything remaining, and then reinstalled to no avail. I haven't had a chance to try on a fresh system yet and won't for a few weeks so I can't be sure this isn't related to something broken on my install but I thought I'd mention it here.

    I found a bug related to a double-backslash in the code that generates the shell script which starts/stops Suricata.  I believe this bug could be contributing to the double-start issue.

    Bill



  • Thank you, that worked! I did this earlier; my mistake is I CHANGED the URL… :)

    The directory for the second file is wrong in your post. It's:

    /usr/local/www/suricata/suricata_check_for_rule_updates.php

    Thanks again for your hard work.



  • When choosing to log to system log and ultimately sending out to remote syslog, the process ends up as garbage sometimes.

    See example in pfSense log files:

    M-^AM-^AVë^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80
    


  • @GoldServe:

    When choosing to log to system log and ultimately sending out to remote syslog, the process ends up as garbage sometimes.

    See example in pfSense log files:

    M-^AM-^AVë^R:d[73902]: [1:2008974:9] ET MALWARE User-Agent (Mozilla/4.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.10.157:55057 -> 216.115.208.199:80
    

    That could be a bug (hopefully a fixed one in the current stable release) in the Suricata binary itself.  Nothing in the GUI package alters the syslog output content.  That comes straight from the binary.  The current pfSense package uses version 1.4.6 of Suricata.  I am almost ready to release an update based on the current 2.0.2-RELEASE version.

    Some research on the Suricata site for all the bug fixes incorporated during the progression from 1.4.6 to 1.4.7 to 2.0 to 2.0.1 and finally 2.0.2 will be needed to see if this bug got identified and fixed.  I will do a quick review as part of the update I'm working on.

    Bill



  • @wcrowder:

    The directory for the second file is wrong in your post. It's:

    /usr/local/www/suricata/suricata_check_for_rule_updates.php

    Thanks again for your hard work.

    Yep.  My bad.  I gave what will be the "new path" in the upcoming update.  I'm moving some of the configuration update files that don't have a GUI login interface to a non-public directory in the web folder structure.

    @wcrowder:

    Thank you, that worked! I did this earlier; my mistake is I CHANGED the URL… :)

    Yeah, a day or two after the snort.org web site update, they put back a workaround that lets the old URLs continue to work for a year.  If you change the URL, you also have to change the code to generate and use an HTML query string to pass the oinkcode instead of including it as part of the URL path.

    Thanks for posting the correction…all of this is fixed properly in the upcoming Suricata update.

    Bill



  • Zombie "ET POLICY PE EXE or DLL Windows file download " (2000419) is back.

    Rule is disabled on the ET policy tab. BUT rule is enabled on the auto-flow bit tab, which makes me think something is depending on it and it gets enabled automatically. Thankfully the rule didn't fire on akamai causing the dreaded "THE INTERNET IS DOWN!" calls (and my " It's because the holocaust is here!" response). Nope, because nobody would be stupid enough to create a rule that fires up when updating the same OS it's designed to protect. Right?

    Makes me think the ET rules are no longer maintained sometimes. That or greed got to them since most of their updates are for the PRO rules. They have to remove 40 rules from the free rules, and I've been screaming my head off at them for the past couple of years to do it. Seems they are one of the "WTF? ARE YOU TELLING ME HOW TO DO MY JOB?!?!?" type.

    Enough of my off topic  ;D

    I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.


  • Moderator

    @jflsakfja:

    I remember the same thing was happening with the snort packages, and we ended up recommending a suppress rule for it. Maybe whatever depends on it must be forced to be disabled instead.

    I took a look at my Snort Setup and I have that Rule Disabled and there are no Suppressions listed in my WAN Suppress List.

    It doesn't look like there have been any changes to that rule since 08/19/2013
    http://doc.emergingthreats.net/bin/view/Main/2000419

    Maybe something else is causing this issue?



  • All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p



  • @jflsakfja:

    All I know is that the rule was manually disabled (pale red) and I haven't had an alert from that rule for quite a while. I ran an update a couple of days ago to a win vm and the rule started alerting. Scratched my head a bit when I looked it up and it was disabled, but then had the "lamp" moment, and looked at the auto-flow rules, where it was enabled. Something clearly auto enabled it, and it wasn't me :p

    The auto-flowbit logic runs through all the enabled rules looking for flowbit "isset" keywords.  It then creates an array of required flowbits.  Next, it looks at that list of required flowbits and finds all the rules that "set" those flowbits and enables them.  Well, it actually just puts them in the separate auto-flowbits rules file.  That file is loaded along with the main rules file when Suricata (or Snort) starts.  So it in effect gets 'enabled' by getting included in the separate auto-flowbits rules file.

    Could be that an update somewhere tinkered with a flowbit dependency in one of the rules.

    Bill
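
    The auto-flowbit resolution Bill describes above, as an added example that is not the pfSense package's own code (the package is PHP): it parses constructed sample rules, collects the flowbits that enabled rules check, and pulls the disabled rules that set those bits into a separate auto-flowbits file. The repeat-until-no-new-bits pass, the isnotset handling and the optional forced_off list are my assumptions, not something the thread states; SID 2000419 and its msg come from the thread, the 9000xxx SIDs and rev numbers are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample rules (not from the page). Only SID 2000419 and its msg come
# from the thread; 9000xxx SIDs and rev numbers are placeholders. A leading '#'
# marks a rule the user disabled in the GUI, as in the package's rules files.
SAMPLE_RULES = [
    '#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; '
    'flow:established,to_client; content:"MZ"; flowbits:set,ET.http.binary; sid:2000419; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED needs ET.http.binary"; '
    'flowbits:isset,ET.http.binary; content:"payload"; sid:9000001; rev:1;)',
    '#alert tcp any any -> any any (msg:"CONSTRUCTED sets a bit nobody reads"; flowbits:set,orphan.bit; sid:9000002; rev:1;)',
    '#alert tcp any any -> any any (msg:"CONSTRUCTED sets ET.http.binary but needs lvl2.bit"; '
    'flowbits:isset,lvl2.bit; flowbits:set,ET.http.binary; sid:9000003; rev:1;)',
    '#alert tcp any any -> any any (msg:"CONSTRUCTED sets lvl2.bit"; flowbits:set,lvl2.bit; sid:9000004; rev:1;)',
]

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)(?:\s*,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool
    sets: set      # flowbits this rule set/toggle
    checks: set    # flowbits this rule isset/isnotset
    text: str      # rule body without the leading '#'


def parse_rule(line):
    """Parse one rules-file line; returns None for blanks and non-rule comments."""
    stripped = line.strip()
    body = stripped.lstrip('#').strip()
    sid_m = SID_RE.search(body)
    if not body.startswith(('alert', 'drop', 'pass', 'reject')) or not sid_m:
        return None
    sets, checks = set(), set()
    for op, names in FLOWBITS_RE.findall(body):
        # 'noalert' carries no name; 'a|b' / 'a&b' list several bits; the Snort
        # 'set,name,group' form keeps only the bit name (group is dropped).
        bits = {n.strip() for n in re.split(r'[|&]', names.split(',')[0])} if names else set()
        if op in ('set', 'toggle'):
            sets |= bits
        elif op in ('isset', 'isnotset'):   # isnotset also reads the bit (assumption)
            checks |= bits
    msg_m = MSG_RE.search(body)
    return Rule(int(sid_m.group(1)), msg_m.group(1) if msg_m else '',
                not stripped.startswith('#'), sets, checks, body)


def load_rules(lines):
    return [r for r in map(parse_rule, lines) if r is not None]


def resolve_auto_flowbits(rules, forced_off=frozenset()):
    """Return (auto, required): auto maps sid -> disabled Rule pulled in because an
    enabled (or already pulled-in) rule checks a bit it sets; required maps bit ->
    sids of the rules checking it. forced_off is a hypothetical hard-disable list."""
    setters = defaultdict(list)
    for r in rules:
        for bit in r.sets:
            setters[bit].append(r)
    auto, required = {}, {}
    frontier = [r for r in rules if r.enabled]
    while frontier:                  # repeat until no new bits appear (transitive)
        new_bits = []
        for r in frontier:
            for bit in r.checks:
                if bit not in required:
                    new_bits.append(bit)
                    required[bit] = set()
                required[bit].add(r.sid)
        frontier = []
        for bit in new_bits:
            for s in setters.get(bit, ()):
                if s.enabled or s.sid in auto or s.sid in forced_off:
                    continue
                auto[s.sid] = s      # 'enabled' only by landing in the auto file
                frontier.append(s)
    return auto, required


def why_enabled(sid, auto, required):
    """Which bits, and which checking rules, dragged this sid into the auto file."""
    return {bit: sorted(required[bit]) for bit in auto[sid].sets if bit in required}


def render_auto_flowbits_file(auto):
    """Content of the separate auto-flowbits rules file: pulled-in rules, uncommented."""
    return '\n'.join(auto[s].text for s in sorted(auto)) + '\n'


if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULES)
    auto, required = resolve_auto_flowbits(rules)
    for sid in sorted(auto):
        print(sid, auto[sid].msg, why_enabled(sid, auto, required))
```

Running it shows 2000419 pulled in solely because the enabled placeholder rule checks ET.http.binary, which is the "disabled on the tab but enabled in auto-flowbits" state reported in the thread.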



  • Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

    I know, I know, I need a life...  ;D



  • Hang in there, it's coming don't worry. Give bmeeks time to get it ready, and you'll not regret it.

    Happens to me too. Every day I check for updates to debian jessie, even though I know it's coming april-may next year. It's caused by being completely satisfied with a software you use ;D



  • @wcrowder:

    Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

    I know, I know, I need a life...  ;D

    I'm working on it feverishly and am almost done.  I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs.  The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it.  Just give me a little more time to get it done.

    Here are new features coming in the package –

    1. ALERT tab view filtering so you can view only alerts matching specified criteria
    2. Support for CARP Sync of master to slaves
    3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
    4. Support for Suricata IP Reputation Lists (this is not yet started, though)
    5. Support for new EVE JSON logging output option for Suricata 2.0.x
    6. Support for new DNS event logging output option for Suricata 2.0.x
    7. Support for all the new application layer parsers in Suricata 2.0.x
    8. Ability to specify syslog facility for Suricata output to either the local or remote syslog

    The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads.  Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started.  My target is to finish, test and then post the Pull Request towards the end of this upcoming week.  If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.

    Bill



  • Great! Please take your time! And I agree, if #4 takes too much time it can wait for the next release.



  • @bmeeks:

    @wcrowder:

    Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

    I know, I know, I need a life...  ;D

    I'm working on it feverishly and am almost done.  I decided to add several new features in addition to upgrading the binary to 2.0.3 and fixing the known bugs.  The binary PBI packages for 2.0.3 are already built and ready for the new GUI code when I submit it.  Just give me a little more time to get it done.

    Here are new features coming in the package –

    1. ALERT tab view filtering so you can view only alerts matching specified criteria
    2. Support for CARP Sync of master to slaves
    3. Support for enablesid.conf, disablesid.conf and modifysid.conf files like PulledPork and Oinkmaster use
    4. Support for Suricata IP Reputation Lists (this is not yet started, though)
    5. Support for new EVE JSON logging output option for Suricata 2.0.x
    6. Support for new DNS event logging output option for Suricata 2.0.x
    7. Support for all the new application layer parsers in Suricata 2.0.x
    8. Ability to specify syslog facility for Suricata output to either the local or remote syslog

    The above is in addition to the other bug fixes and reverting the icon behavior of the enable/disable rule icons talked about in other threads.  Everything listed above is complete except for #3 which is 60% done, and #4 which is not yet started.  My target is to finish, test and then post the Pull Request towards the end of this upcoming week.  If meeting my deadline looks iffy, I will drop #4 from the list above and include it later.

    Bill

    Fantastic!  Thank you for everything. I like this much better than the Snort package.



  • Hi bmeeks,

    First of all thank you for developing Suricata package.

    I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General

    suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    Not sure if this is a known issue. Please let me know if you require more information.



  • @RedAntz:

    Hi bmeeks,

    First of all thank you for developing Suricata package.

    I notice that my fresh install of pfSense 2.4 with suricata 1.4.6 pkg v1.0.6 has an error in Status: System logs: General

    suricata[16957]: 23/8/2014 -- 12:49:09 - <error> -- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    Not sure if this is a known issue. Please let me know if you require more information.

    Do you have a PPPoE type interface on your WAN?  If so, those are not well supported by Suricata (at least not the older 1.4.6 version).  Several folks have reported issues with PPPoE and the Suricata package.

    Bill



  • @bmeeks:

    Do you have a PPPoE type interface on your WAN?  If so, those are not well supported by Suricata (at least not the older 1.4.6 version).  Several folks have reported issues with PPPoE and the Suricata package.

    Bill

    Hi Bill,

    Yes. PPPoE on my WAN interface.



  • @wcrowder:

    Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

    I know, I know, I need a life...  ;D

    Final testing is almost completed.  I posted a preview thread showing some screenshots of the new features coming in the updated package.  Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0

    Bill