Netgate Discussion Forum

    Suricata 2.1.5 Update – Release Notes

    • SixXxShooTeR

      These are the errors from the WAN suricata.log

      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file magic detected"; flow:to_server,established; file_data; content:"|43 49 53 00 00 00 00 00|"; fast_pattern:only; flowbits:set,file.cis; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28367; rev:1;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_54713_em0/rules/flowbit-required.rules at line 19
      6/6/2015 -- 02:28:04 - <info>-- 2 rule files processed. 223 rules successfully loaded, 1 rules failed
      6/6/2015 -- 02:28:04 - <info>-- 223 signatures processed. 34 are IP-only rules, 4 are inspecting packet payload, 63 inspect application layer, 72 are decoder event only
      6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
      6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 2: building source address list... complete
      6/6/2015 -- 02:28:04 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
      6/6/2015 -- 02:28:04 - <info>-- Threshold config parsed: 0 rule(s) found
      6/6/2015 -- 02:28:04 - <info>-- Core dump size is unlimited.
      6/6/2015 -- 02:28:04 - <info>-- fast output device (regular) initialized: alerts.log
      6/6/2015 -- 02:28:04 - <info>-- http-log output device (regular) initialized: http.log
      6/6/2015 -- 02:28:04 - <info>-- Using 1 live device(s).
      6/6/2015 -- 02:28:04 - <info>-- using interface em0
      6/6/2015 -- 02:28:04 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
      6/6/2015 -- 02:28:04 - <info>-- Found an MTU of 1500 for 'em0'
      6/6/2015 -- 02:28:04 - <info>-- Set snaplen to 1516 for 'em0'
      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
      6/6/2015 -- 02:28:04 - <info>-- RunModeIdsPcapAutoFp initialised
      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect6" closed on initialization.
      6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting…

      • SixXxShooTeR

        Increasing the stream memory cap from 32MB to 64MB fixed the issue.

          • bmeeks

          @SixXxShooTeR:

          Increasing the stream memory cap from 32MB to 64MB fixed the issue.

          Yes, the old default stream memory setting is too small as of the 2.0.7 release of Suricata.  I will update the default size and make it some larger in the next package update.

          Bill
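
Added example, not part of the thread or of the Suricata package: a Python triage of the suricata.log excerpt above that separates the rejected rule (which Suricata skips while loading the rest) from the pool and thread errors that abort startup. The sample lines are abridged from the post; the function name `triage`, the result keys and the hint text are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines abridged from the suricata.log excerpt in this thread.
SAMPLE_LOG = """\
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file magic detected"; sid:28367; rev:1;)" from file flowbit-required.rules at line 19
6/6/2015 -- 02:28:04 - <info>-- 2 rule files processed. 223 rules successfully loaded, 1 rules failed
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect6" closed on initialization.
6/6/2015 -- 02:28:04 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

ERR_RE = re.compile(r"\[ERRCODE: (SC_ERR_[A-Z_]+)\((\d+)\)\] - (.*)")
SID_RE = re.compile(r"\bsid:(\d+);")
# Codes seen in this thread when the engine aborted, as opposed to one rule being skipped.
STARTUP_CODES = {"SC_ERR_POOL_INIT", "SC_ERR_THREAD_INIT", "SC_ERR_INITIALIZATION"}


def triage(log_text):
    """Split suricata.log errors into skipped rules and startup failures."""
    codes, rejected_sids = Counter(), []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue  # info lines and anything without an ERRCODE tag
        code, _num, message = m.groups()
        codes[code] += 1
        if code == "SC_ERR_INVALID_SIGNATURE":
            # Only the "error parsing signature" line carries the rule text and its sid.
            rejected_sids += [int(s) for s in SID_RE.findall(message)]
    hint = None
    if "SC_ERR_POOL_INIT" in codes and "SC_ERR_INITIALIZATION" in codes:
        # Assumption: hint reflects the fix reported in this thread, not a general rule.
        hint = "pool allocation failed at startup; review memory caps (stream memcap 32MB -> 64MB fixed it here)"
    return {"init_failed": "SC_ERR_INITIALIZATION" in codes,
            "rejected_sids": sorted(set(rejected_sids)),
            "startup_errors": sorted(c for c in codes if c in STARTUP_CODES),
            "hint": hint}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A log that contains only `SC_ERR_INVALID_SIGNATURE` entries comes back with `init_failed` false, which matches the excerpt: the rule with sid 28367 was dropped and the remaining 223 rules loaded.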
