Suricata 2.1.5 Update – Release Notes
-
These are the errors from the WAN suricata.log
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file magic detected"; flow:to_server,established; file_data; content:"|43 49 53 00 00 00 00 00|"; fast_pattern:only; flowbits:set,file.cis; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28367; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_54713_em0/rules/flowbit-required.rules at line 19
6/6/2015 -- 02:28:04 - <info>-- 2 rule files processed. 223 rules successfully loaded, 1 rules failed
6/6/2015 -- 02:28:04 - <info>-- 223 signatures processed. 34 are IP-only rules, 4 are inspecting packet payload, 63 inspect application layer, 72 are decoder event only
6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 2: building source address list... complete
6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
6/6/2015 -- 02:28:04 - <info>-- Threshold config parsed: 0 rule(s) found
6/6/2015 -- 02:28:04 - <info>-- Core dump size is unlimited.
6/6/2015 -- 02:28:04 - <info>-- fast output device (regular) initialized: alerts.log
6/6/2015 -- 02:28:04 - <info>-- http-log output device (regular) initialized: http.log
6/6/2015 -- 02:28:04 - <info>-- Using 1 live device(s).
6/6/2015 -- 02:28:04 - <info>-- using interface em0
6/6/2015 -- 02:28:04 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
6/6/2015 -- 02:28:04 - <info>-- Found an MTU of 1500 for 'em0'
6/6/2015 -- 02:28:04 - <info>-- Set snaplen to 1516 for 'em0'
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
6/6/2015 -- 02:28:04 - <info>-- RunModeIdsPcapAutoFp initialised
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect6" closed on initialization.
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
-
increasing the stream memory cap from 32MB to 64MB fixed the issue.
-
increasing the stream memory cap from 32MB to 64MB fixed the issue.
Yes, the old default stream memory setting is too small as of the 2.0.7 release of Suricata. I will update the default size and make it somewhat larger in the next package update.
Bill
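A check for the failure mode shown in this thread, added here as an example that is not part of the thread or of the Suricata project: a Python script that parses suricata.log records like the ones posted above, lists the rules that failed to parse (file, line, sid), reads the "rules successfully loaded / failed" summary, and flags SC_ERR_POOL_INIT and SC_ERR_INITIALIZATION so a sensor that aborted at start-up is not mistaken for a running one. The sample log is an abridged copy of the posted lines, embedded inline; the hint that names the suricata.yaml key stream.memcap is my wording for the "stream memory cap" setting Bill discusses, and the 32MB to 64MB figures are the thread's.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: an abridged copy of the suricata.log lines posted in the thread.
SAMPLE_LOG = """\
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file magic detected"; flow:to_server,established; file_data; content:"|43 49 53 00 00 00 00 00|"; sid:28367; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_54713_em0/rules/flowbit-required.rules at line 19
6/6/2015 -- 02:28:04 - <info>-- 2 rule files processed. 223 rules successfully loaded, 1 rules failed
6/6/2015 -- 02:28:04 - <info>-- Set snaplen to 1516 for 'em0'
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
6/6/2015 -- 02:28:04 - <info>-- RunModeIdsPcapAutoFp initialised
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect6" closed on initialization.
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""


class LogEntry(NamedTuple):
    date: str
    time: str
    level: str                 # info, error, ...
    errcode: Optional[str]     # e.g. SC_ERR_POOL_INIT; None for lines without an ERRCODE tag
    errnum: Optional[int]
    message: str               # text after the ERRCODE tag, or the whole message for other lines


# Record layout of the 2.x suricata.log: "<date> -- <time> - <level>-- <message>"
LINE_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)>-- (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
SIG_FAIL_RE = re.compile(r'error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
LOADED_RE = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")
SID_RE = re.compile(r"sid:(?P<sid>\d+);")


def parse_log(text: str) -> List[LogEntry]:
    """Split suricata.log text into LogEntry records, skipping lines that are not records."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        errcode: Optional[str] = None
        errnum: Optional[int] = None
        e = ERRCODE_RE.match(msg)
        if e:
            errcode, errnum, msg = e.group("name"), int(e.group("num")), e.group("detail")
        entries.append(LogEntry(m.group("date"), m.group("time"), m.group("level"), errcode, errnum, msg))
    return entries


def rule_load_summary(entries: List[LogEntry]) -> Optional[Tuple[int, int]]:
    """Return (loaded, failed) from the 'rules successfully loaded' line, or None if absent."""
    for en in entries:
        m = LOADED_RE.search(en.message)
        if m:
            return int(m.group("loaded")), int(m.group("failed"))
    return None


def failed_rules(entries: List[LogEntry]) -> List[Dict[str, object]]:
    """List every rule Suricata refused to load, with the file, line and sid it reported."""
    out: List[Dict[str, object]] = []
    for en in entries:
        if en.errcode != "SC_ERR_INVALID_SIGNATURE":
            continue
        m = SIG_FAIL_RE.search(en.message)
        if not m:
            continue  # the companion "Can't use file_data ..." line carries no file/line reference
        s = SID_RE.search(m.group("sig"))
        out.append({"file": m.group("file"), "line": int(m.group("line")),
                    "sid": int(s.group("sid")) if s else None})
    return out


def diagnose(entries: List[LogEntry]) -> Dict[str, object]:
    """Summarise error codes and say whether the engine actually came up."""
    codes = Counter(en.errcode for en in entries if en.errcode)
    started = "SC_ERR_INITIALIZATION" not in codes
    hints: List[str] = []
    if "SC_ERR_POOL_INIT" in codes:
        # Hypothetical wording: stream.memcap is the suricata.yaml key behind the GUI's "stream memory cap".
        hints.append("stream pool allocation failed: raise stream.memcap in suricata.yaml "
                     "(the thread's fix was 32MB -> 64MB)")
    if "SC_ERR_THREAD_INIT" in codes:
        hints.append("a detect thread closed on initialization; check the errors logged just before it")
    if not started:
        hints.append("engine initialization failed: the sensor is NOT inspecting traffic")
    return {"engine_started": started, "error_codes": dict(codes), "hints": hints}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("rules loaded/failed:", rule_load_summary(parsed))
    for r in failed_rules(parsed):
        print("failed rule:", r)
    for k, v in diagnose(parsed).items():
        print(f"{k}: {v}")
```

Run it against a real log with `parse_log(open("/path/to/suricata.log").read())`; the useful signal is `engine_started`, because a sensor that logs SC_ERR_INITIALIZATION exits and leaves the interface uninspected even though the rule files loaded almost cleanly.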
-