Same error with Snort and Suricata



  • Hi guys

    I'm trying to implement an IDS/IPS system on my pfSense box. For me it doesn't matter whether I use Snort or Suricata in the future.
    I started with Snort first, and because Snort wasn't working I tried Suricata. I have seen that both packages gave me back the same error.

    If I start Snort or Suricata (interface only or through Status -> Services) the service doesn't start (nothing happens, the red cross stays there).

    I get the following error if I try to start Suricata via the shell:

    [2.1.4-RELEASE][root@XXX-pfs-1.XXX.local]/root(13): /bin/sh /usr/local/etc/rc.d/suricata.sh start
    7/8/2014 -- 16:22:27 - <info>- This is Suricata version 1.4.6 RELEASE
    7/8/2014 -- 16:22:27 - <info>- CPUs/cores online: 2
    7/8/2014 -- 16:22:27 - <info>- Live rule reloads enabled
    7/8/2014 -- 16:22:27 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    7/8/2014 -- 16:22:27 - <info>-- preallocated 65535 defrag trackers of size 120
    7/8/2014 -- 16:22:27 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    7/8/2014 -- 16:22:27 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "fe80::250:56ff:fe9e:43df%em0"
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[8.8.8.8,10.0.0.0/24,10.0.0.252/24,10.0.2.0/24,10.0.2.252/24,10.0.3.0/24,10.0.3.252/24,10.0.4.0/24,10.0.4.252/24,10.0.5.0/24,10.0.5.252/24,10.0.6.0/24,10.0.6.252/24,10.0.7.0/24,10.0.7.252/24,10.0.8.0/24,10.0.8.252/24,10.0.9.0/24,10.0.9.252/24,127.0.0.1,172.16.0.0/16,172.16.1.252/16,192.168.1.0/24,192.168.77.0/24,194.246.118.118,212.25.27.51,212.25.28.55,212.25.29.73,212.25.29.74/32,2001:XXX:40:304::dead:beef,2001:XXX:80::dead:beef,2001:XXX:XXX::1fe/120,2001:XXX:XXX::2fc/120,2001:XXX:XXX::3fc/120,2001:XXX:XXX::4fc/120,2001:XXX:XXX::5fc/120,2001:XXX:XXX::6fc/120,2001:XXX:XXX::7fc/120,2001:XXX:XXX::8fc/120,2001:XXX:XXX::9fc/120,2001:XXX:XXX::100/120,2001:XXX:XXX::200/120,2001:XXX:XXX::300/120,2001:XXX:XXX::400/120,2001:XXX:XXX::500/120,2001:XXX:XXX::600/120,2001:XXX:XXX::700/120,2001:XXX:XXX::800/120,2001:XXX:XXX::900/120,2001:4860:4860::8888,fd34:fe56:7891:2f3a::/64,fe80::250:56ff:fe9e:43df%em0]". Please check it's syntax
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /usr/pbi/suricata-amd64/etc/suricata/suricata_29766_em1/suricata.yaml for errors

    On Snort I don't get any messages, but I saw the same error (failed to parse address) in previous versions of Snort. In the System Logs I'm not able to see any errors from Snort or Suricata.

    Hopefully somebody can help me out.

    regards

    supermega



  • @supermega:

    Hi guys

    I'm trying to implement an IDS/IPS system on my pfSense box. For me it doesn't matter whether I use Snort or Suricata in the future.
    I started with Snort first, and because Snort wasn't working I tried Suricata. I have seen that both packages gave me back the same error.

    If I start Snort or Suricata (interface only or through Status -> Services) the service doesn't start (nothing happens, the red cross stays there).

    I get the following error if I try to start Suricata via the shell:

    [2.1.4-RELEASE][root@XXX-pfs-1.XXX.local]/root(13): /bin/sh /usr/local/etc/rc.d/suricata.sh start
    7/8/2014 -- 16:22:27 - <info>- This is Suricata version 1.4.6 RELEASE
    7/8/2014 -- 16:22:27 - <info>- CPUs/cores online: 2
    7/8/2014 -- 16:22:27 - <info>- Live rule reloads enabled
    7/8/2014 -- 16:22:27 - <info>-- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    7/8/2014 -- 16:22:27 - <info>-- preallocated 65535 defrag trackers of size 120
    7/8/2014 -- 16:22:27 - <info>-- defrag memory usage: 9437064 bytes, maximum: 33554432
    7/8/2014 -- 16:22:27 - <info>-- AutoFP mode using "Active Packets" flow load balancer
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "fe80::250:56ff:fe9e:43df%em0"
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[8.8.8.8,10.0.0.0/24,10.0.0.252/24,10.0.2.0/24,10.0.2.252/24,10.0.3.0/24,10.0.3.252/24,10.0.4.0/24,10.0.4.252/24,10.0.5.0/24,10.0.5.252/24,10.0.6.0/24,10.0.6.252/24,10.0.7.0/24,10.0.7.252/24,10.0.8.0/24,10.0.8.252/24,10.0.9.0/24,10.0.9.252/24,127.0.0.1,172.16.0.0/16,172.16.1.252/16,192.168.1.0/24,192.168.77.0/24,194.246.118.118,212.25.27.51,212.25.28.55,212.25.29.73,212.25.29.74/32,2001:XXX:40:304::dead:beef,2001:XXX:80::dead:beef,2001:XXX:XXX::1fe/120,2001:XXX:XXX::2fc/120,2001:XXX:XXX::3fc/120,2001:XXX:XXX::4fc/120,2001:XXX:XXX::5fc/120,2001:XXX:XXX::6fc/120,2001:XXX:XXX::7fc/120,2001:XXX:XXX::8fc/120,2001:XXX:XXX::9fc/120,2001:XXX:XXX::100/120,2001:XXX:XXX::200/120,2001:XXX:XXX::300/120,2001:XXX:XXX::400/120,2001:XXX:XXX::500/120,2001:XXX:XXX::600/120,2001:XXX:XXX::700/120,2001:XXX:XXX::800/120,2001:XXX:XXX::900/120,2001:4860:4860::8888,fd34:fe56:7891:2f3a::/64,fe80::250:56ff:fe9e:43df%em0]". Please check it's syntax
    7/8/2014 -- 16:22:27 - <error>-- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /usr/pbi/suricata-amd64/etc/suricata/suricata_29766_em1/suricata.yaml for errors

    On Snort I don't get any messages, but I saw the same error (failed to parse address) in previous versions of Snort. In the System Logs I'm not able to see any errors from Snort or Suricata.

    Hopefully somebody can help me out.

    regards

    supermega

    There is currently an issue with IPv6 Link Local addresses in both packages.  I have a fix for Snort posted that is awaiting review and approval by the pfSense Developer Team.  Hopefully they can get it approved and posted in a few days.

    I also have a fix for Suricata in the works that will come out with the next update.

    If you know how to transfer files over to your firewall via scp (secure copy), then PM me and I can send you the Snort fix and you can help me test it.

    Bill
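A pre-start check for a HOME_NET list, as an added example that is not part of this thread or of either pfSense package: it splits a bracketed HOME_NET value, validates each entry with Python's ipaddress module, and separates out the entries Suricata's address parser rejects (the zone-suffixed link-local address "fe80::...%em0" seen in the log above) from entries that parse but deserve a second look, so the list can be cleaned before the service is started. The sample value is constructed, modelled on the one in the error message.

```python
import ipaddress


def parse_home_net(value):
    """Split a HOME_NET value such as "[8.8.8.8,10.0.0.0/24]" into entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",") if e.strip()]


def check_entry(entry):
    """Classify one entry as 'ok', 'warn' (parses, but questionable) or 'reject'."""
    # The failure in the log: an IPv6 link-local address carrying a zone id
    # ("%em0"). The address parser cannot turn that into an address/mask.
    if "%" in entry:
        return "reject", "zone identifier (%ifname) is not valid in an address var"
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return "reject", f"not an IP address or CIDR network: {exc}"
    # Host bits set in a CIDR entry (e.g. 10.0.0.252/24) parse fine, but
    # usually mean an interface address was copied instead of its network.
    if "/" in entry and str(net) != entry and net.num_addresses > 1:
        return "warn", f"host bits set; treated as {net}"
    if net.version == 6 and net.is_link_local:
        return "warn", "IPv6 link-local; only meaningful on one segment"
    return "ok", ""


def sanitize_home_net(value):
    """Return (kept, warnings, rejected): kept is the cleaned entry list,
    warnings and rejected map entry -> reason."""
    kept, warnings, rejected = [], {}, {}
    for entry in parse_home_net(value):
        status, reason = check_entry(entry)
        if status == "reject":
            rejected[entry] = reason
            continue
        kept.append(entry)
        if status == "warn":
            warnings[entry] = reason
    return kept, warnings, rejected


def render_home_net(entries):
    """Re-join cleaned entries in the bracketed form the packages use."""
    return "[" + ",".join(entries) + "]"


if __name__ == "__main__":
    # Constructed sample; the real list comes from the interface's suricata.yaml.
    sample = "[8.8.8.8,10.0.0.0/24,10.0.0.252/24,fe80::1/64,fe80::250:56ff:fe9e:43df%em0,bogus]"
    kept, warnings, rejected = sanitize_home_net(sample)
    print("cleaned HOME_NET:", render_home_net(kept))
    print("warnings:", warnings, "\nrejected:", rejected)
```

Run it against the HOME_NET value from the failing suricata.yaml; anything in the rejected set is what the "basic address vars test" trips over.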

