    Suricata keeps getting disabled

    pfSense Packages
    4 Posts 3 Posters 2.9k Views
    • squatch04

      I'm having to manually start Suricata after a few hours or so because it keeps getting disabled.

      
      Last 50 system log entries
      Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- using magic-file /usr/share/misc/magic
      Aug 30 12:17:23 	suricata: 30/8/2014 -- 12:17:23 - <info>-- Delayed detect disabled
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".pif"; within:-4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
      Aug 30 12:17:28 	suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset +2; content:".scr"; within:-4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
      Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
      Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
      Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
      Aug 30 12:17:32 	suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
      Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
      Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
      Aug 30 12:17:39 	suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
      Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- 15541 signatures processed. 23 are IP-only rules, 5193 are inspecting packet payload, 12337 inspect application layer, 77 are decoder event only
      Aug 30 12:18:41 	suricata: 30/8/2014 -- 12:18:41 - <info>-- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
      Aug 30 12:18:42 	suricata: 30/8/2014 -- 12:18:42 - <info>-- building signature grouping structure, stage 2: building source address list... complete
      Aug 30 12:18:48 	suricata: 30/8/2014 -- 12:18:48 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Threshold config parsed: 0 rule(s) found
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Core dump size is unlimited.
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output device (regular) initialized: block.log
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/passlist parsed: 7 IP addresses loaded.
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=off
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- fast output device (regular) initialized: alerts.log
      Aug 30 12:18:55 	suricata: 30/8/2014 -- 12:18:55 - <info>-- http-log output device (regular) initialized: http.log
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Syslog output initialized
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Using 1 live device(s).
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using interface nfe0
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Found an MTU of 1500 for 'nfe0'
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- Set snaplen to 1500 for 'nfe0'
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- using magic-file /usr/share/misc/magic
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- returning 0x80d7ffe98
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- RunModeIdsPcapAutoFp initialised
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "max-sessions": 262144
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "prealloc-sessions": 32768
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "memcap": 33554432
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "midstream" session pickups: disabled
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "async-oneside": disabled
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream "checksum-validation": disabled
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream."inline": disabled
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "memcap": 67108864
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "depth": 0
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toserver-chunk-size": 2560
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- stream.reassembly "toclient-chunk-size": 2560
      Aug 30 12:18:55 	suricata[47918]: 30/8/2014 -- 12:18:55 - <info>-- all 2 packet processing threads, 1 management threads initialized, engine started.
      Aug 30 12:18:57 	suricata[47918]: 30/8/2014 -- 12:18:57 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
      

      EDIT: Here is the part of the log where Suricata throws the error:

      
      Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
      Aug 30 11:28:03 	suricata: 30/8/2014 -- 11:28:03 - <error>-- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
      
      • bmeeks

        My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

        An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

        Bill

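Bill's advice comes down to reading the SID out of every SC_ERR_INVALID_SIGNATURE line and disabling that rule. The script below is an added example, not code from this thread or from the pfSense Suricata package, that does this mechanically over a constructed copy of the log lines posted above (same error codes, SIDs and file path; rule bodies abridged). It pairs each failed signature with the specific parse error Suricata logs immediately before it (SC_ERR_WITHIN_INVALID, SC_ERR_PCRE_COMPILE), collapses the doubled lines the pfSense system log shows, copes with a line that was truncated before the file/line part, and cross-checks the number of distinct SIDs against Suricata's own "N rules failed" summary. The function names and the one-SID-per-line output format are my own; the list is meant to be pasted into whatever rule-disable mechanism the installed package version offers.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the log lines in this thread (same error
# codes, SIDs and file path; rule bodies abridged). Note the doubled lines:
# the pfSense system log shows each Suricata message twice, and the last
# SC_ERR_INVALID_SIGNATURE line is cut off before "at line N", as in the post.
SAMPLE_LOG = r"""
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; content:".pif"; within:-4; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; content:".pif"; within:-4; sid:2001407; rev:11;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5418
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-4" is less than the content length "4" which is invalid, since this will never match. Invalidating signature
Aug 30 12:17:28 suricata: 30/8/2014 -- 12:17:28 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; content:".scr"; within:-4; sid:2001408; rev:12;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rules at line 5419
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of ""/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"" failed at offset 11: missing opening brace after \o
Aug 30 12:17:32 suricata: 30/8/2014 -- 12:17:32 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; pcre:"/(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; sid:2011695; rev:4;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/suricata.rul
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <warning>-- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/pbi/suricata-amd64/etc/suricata/suricata_2100_nfe0/rules/flowbit-required.rules
Aug 30 12:17:39 suricata: 30/8/2014 -- 12:17:39 - <info>-- 2 rule files processed. 15527 rules successfully loaded, 3 rules failed
"""

# Log line shapes taken from the thread; everything else here is an assumption.
ERRCODE_RE = re.compile(r"<(?P<level>error|warning)>-- \[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SID_RE = re.compile(r"\bsid:\s*(?P<sid>\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(?P<rev>\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"(?P<msg>[^"]*)"')
FILE_RE = re.compile(r"from file (?P<path>\S+) at line (?P<line>\d+)")
SUMMARY_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")


def parse_failed_signatures(log_text):
    """Return one record per distinct SID whose signature failed to parse.

    Suricata logs the specific cause (e.g. SC_ERR_WITHIN_INVALID) and then the
    generic SC_ERR_INVALID_SIGNATURE line, so the most recent non-generic error
    is attached to the failed SID as its reason. Duplicate lines are collapsed
    on SID; a line truncated before "at line N" still yields the SID.
    """
    failed = OrderedDict()
    last_reason = None
    for raw in log_text.splitlines():
        m = ERRCODE_RE.search(raw)
        if not m or m.group("level") != "error":
            continue
        code, text = m.group("code"), m.group("text")
        if code != "SC_ERR_INVALID_SIGNATURE":
            last_reason = f"{code}: {text}"
            continue
        sid_m = SID_RE.search(text)
        if not sid_m:
            continue  # cut off before the sid option: nothing actionable here
        sid = int(sid_m.group("sid"))
        if sid in failed:
            continue  # second copy of a doubled log line
        rev_m, msg_m, file_m = REV_RE.search(text), MSG_RE.search(text), FILE_RE.search(text)
        failed[sid] = {
            "sid": sid,
            "rev": int(rev_m.group("rev")) if rev_m else None,
            "msg": msg_m.group("msg") if msg_m else "",
            "reason": last_reason or "unknown",
            "path": file_m.group("path") if file_m else None,
            "line": int(file_m.group("line")) if file_m else None,
        }
    return list(failed.values())


def summary_failed_count(log_text):
    """Failed-rule count from Suricata's own 'N rules failed' summary, or None if absent."""
    m = SUMMARY_RE.search(log_text)
    return int(m.group("failed")) if m else None


def counts_agree(entries, log_text):
    """True when every rule Suricata counted as failed was recovered from the log.

    A False here usually means a SC_ERR_INVALID_SIGNATURE line was truncated
    before its sid option, so that SID must be found by hand.
    """
    expected = summary_failed_count(log_text)
    return expected is not None and expected == len(entries)


def render_disable_list(entries):
    """One SID per line, each preceded by a comment naming the rule and the parse error."""
    out = []
    for e in entries:
        out.append(f"# sid {e['sid']} rev {e['rev']} ({e['msg']}) - {e['reason']}")
        out.append(str(e["sid"]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_failed_signatures(SAMPLE_LOG)
    print(render_disable_list(found), end="")
    if not counts_agree(found, SAMPLE_LOG):
        print(f"# WARNING: Suricata reported {summary_failed_count(SAMPLE_LOG)} failed rules, "
              f"recovered {len(found)} SIDs; check for truncated log lines")
```

Run it against the real system log export instead of SAMPLE_LOG and the comment above each SID tells you whether the rule failed on a `within` value, a PCRE the bundled 1.4.6 binary cannot compile, or something else, which is the information you want when deciding whether to keep the rule disabled after the 2.0.3 update lands.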
        • squatch04

          @bmeeks:

          My suggestion is to manually disable the specific SIDs throwing the signature parsing errors in the log file.  The SID is listed in the error message of each one.  The current Suricata binary is a bit dated (it's 1.4.6 while the latest is 2.0.3), and it could be severely choking on some rules written with the newer options or keywords the latest Suricata version supports.

          An update to the 2.0.3 binary is currently under review by the pfSense team.  I posted it earlier this week.

          Bill

          Thanks Bill, I will do that now.

          • zerodamage

            It's happening to me too, so I am leaving it disabled until the update comes out. I check daily for a package update.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.