Suricata keeps getting disabled

squatch04

I'm having to manually start Suricata after a few hours or so because it keeps getting disabled.

Last 50 system log entries
Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- using magic-file /usr/share/misc/magic
Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- Delayed detect disabled
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- 15541 signatures processed. 23 are IP-only rules, 5193 are inspecting packet payload, 12337 inspect application layer, 77 are decoder event only
Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
Aug 30 12:18:42 	suricata: 30/8/2014 -- 12:18:42 - <info>-- building signature grouping structure, stage 2: building source address list... complete
Aug 30 12:18:48 	suricata: 30/8/2014 -- 12:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Threshold config parsed: 0 rule(s) found
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Core dump size is unlimited.
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output device (regular) initialized: block.log
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/passlist parsed: 7 IP addresses loaded.
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=off
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- fast output device (regular) initialized: alerts.log
Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- http-log output device (regular) initialized: http.log
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Syslog output initialized
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Using 1 live device(s).
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using interface nfe0
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Found an MTU of 1500 for 'nfe0'
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Set snaplen to 1500 for 'nfe0'
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using magic-file /usr/share/misc/magic
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- returning 0x80d7ffe98
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- RunModeIdsPcapAutoFp initialised
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "max-sessions": 262144
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "prealloc-sessions": 32768
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "memcap": 33554432
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "midstream" session pickups: disabled
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "async-oneside": disabled
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "checksum-validation": disabled
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream."inline": disabled
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "memcap": 67108864
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "depth": 0
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
Aug 30 12:18:57 	suricata[47918]: 30/8/2014 -- 12:18:57 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used</info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></warning></warning></error></error></error></error></error></error></error></error></error></error></error></error></info></info> 

EDIT: Here is the part of the log where Suricata throws the error:

Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></error> 

bmeeks

My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

Bill

squatch04

@bmeeks:

My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

Bill

Thanks Bill, i will do that now.

zerodamage

It's happening to me to so I am leaving it disabled until the update comes out. I check daily for a package update.