Suricata keeps getting disabled



  • I'm having to manually start Suricata after a few hours or so because it keeps getting disabled.

    
    Last 50 system log entries
    Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- using magic-file /usr/share/misc/magic
    Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- Delayed detect disabled
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
    Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
    Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
    Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
    Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
    Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
    Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
    Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
    Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- 15541 signatures processed. 23 are IP-only rules, 5193 are inspecting packet payload, 12337 inspect application layer, 77 are decoder event only
    Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    Aug 30 12:18:42 	suricata: 30/8/2014 -- 12:18:42 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    Aug 30 12:18:48 	suricata: 30/8/2014 -- 12:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Threshold config parsed: 0 rule(s) found
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Core dump size is unlimited.
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output device (regular) initialized: block.log
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/passlist parsed: 7 IP addresses loaded.
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=off
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- fast output device (regular) initialized: alerts.log
    Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- http-log output device (regular) initialized: http.log
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Syslog output initialized
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Using 1 live device(s).
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using interface nfe0
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Found an MTU of 1500 for 'nfe0'
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Set snaplen to 1500 for 'nfe0'
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using magic-file /usr/share/misc/magic
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- returning 0x80d7ffe98
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- RunModeIdsPcapAutoFp initialised
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "max-sessions": 262144
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "prealloc-sessions": 32768
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "memcap": 33554432
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "midstream" session pickups: disabled
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "async-oneside": disabled
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "checksum-validation": disabled
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream."inline": disabled
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "memcap": 67108864
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "depth": 0
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
    Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
    Aug 30 12:18:57 	suricata[47918]: 30/8/2014 -- 12:18:57 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
    

    EDIT: Here is the part of the log where Suricata throws the error:

    
    Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    


  • My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

    An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

    Bill
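    Bill's advice is to disable each SID named in a parse error. As an added example (not code from the pfSense Suricata package or from Bill), the script below pulls those SIDs out of pfSense system-log lines like the ones posted above, keeps the first of the two copies the package logs for every error, pairs each failed rule with the detail error logged just before it (the within/pcre message), and checks the count against the "N rules failed" summary line. The sample input is copied from the log in this thread, including the line that is cut off after "suricata.rul", so the file/line fields are optional. The `1:sid` output form is the gid:sid convention used by rule-management disable lists such as pulledpork's; the pfSense GUI disables SIDs its own way.

```python
# Added example for this thread, not code from the pfSense Suricata package.
# Extracts the SIDs Suricata refused to load from pfSense system-log lines
# so they can be disabled one by one until a newer binary is available.
import re
from collections import OrderedDict

# Sample input: lines copied from the log posted in the thread (the tab after the
# timestamp replaced by a space). The package logs each error twice, and the
# sid:2011695 line is cut off after "suricata.rul" exactly as in the post.
SAMPLE_LOG = r"""
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:cve,2010-0255; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
"""

ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<name>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
# "at line N" is optional because the syslog viewer truncates long lines.
SIG_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+)(?: at line (?P<line>\d+))?')
SID_RE = re.compile(r"\bsid:\s*(?P<sid>\d+)\s*;")
SUMMARY_RE = re.compile(r"(?P<ok>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")


def parse_failed_sids(log_text):
    """Return (failed, summary): failed maps sid -> details in log order,
    summary is (loaded, failed) from Suricata's rule-count line or None."""
    failed = OrderedDict()
    pending_reason = None  # detail error logged just before a parse failure
    summary = None
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if not m:
            s = SUMMARY_RE.search(line)
            if s:
                summary = (int(s["ok"]), int(s["failed"]))
            continue
        name, text = m["name"], m["text"]
        if name != "SC_ERR_INVALID_SIGNATURE":
            pending_reason = f"{name}: {text}"
            continue
        sig = SIG_RE.search(text)
        if not sig:
            continue
        sm = SID_RE.search(sig["rule"])
        if not sm:
            continue
        sid = int(sm["sid"])
        if sid in failed:
            continue  # second copy of the same error
        failed[sid] = {
            "reason": pending_reason,
            "file": sig["file"],
            "line": int(sig["line"]) if sig["line"] else None,
            "rule": sig["rule"],
        }
    return failed, summary


def disable_lines(failed):
    """One gid:sid entry per failed rule (gid 1 is the text-rule generator)."""
    return [f"1:{sid}" for sid in failed]


def matches_summary(failed, summary):
    """True when the number of distinct failed SIDs equals Suricata's own count."""
    return summary is not None and len(failed) == summary[1]


if __name__ == "__main__":
    failed, summary = parse_failed_sids(SAMPLE_LOG)
    for sid, info in failed.items():
        print(f"sid {sid} (line {info['line']}): {info['reason']}")
    print("\n".join(disable_lines(failed)))
    print("count matches summary:", matches_summary(failed, summary))
```

    Run it against a copy of the "Last 50 system log entries" text; if the SID count does not match the "rules failed" figure, the viewer has dropped or truncated a line and the full suricata.log on the box should be used instead.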



  • @bmeeks:

    My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

    An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

    Bill

    Thanks Bill, I will do that now.



  • It's happening to me too, so I am leaving it disabled until the update comes out. I check daily for a package update.