Suricata Starts then STOP - Crash



  • I have just installed Suricata and configured it as I had Snort.

    The issue that i am facing now is that it starts and then stops right away.

    Interface says "ENABLED" but the service is showing as "stopped".

    Has anyone any idea as to what is causing this?

    I was looking forward to giving it a try but what a "bum start". Pun intended. :-/



  • You didn't give us too much to analyze, so do this to see if more data can be gathered –

    1.  Post any relevant messages from the firewall system log.

    2.  Go to the LOGS VIEW tab of Suricata and select the interface where Suricata is installed.  Next, select the suricata.log file in the log selector drop-down.  Post anything showing in that log.

    Bill



  • @bmeeks:

    You didn't give us too much to analyze, so do this to see if more data can be gathered –

    1.  Post any relevant messages from the firewall system log.

    2.  Go to the LOGS VIEW tab of Suricata and select the interface where Suricata is installed.  Next, select the suricata.log file in the log selector drop-down.  Post anything showing in that log.

    Bill

    Sorry, the below is the error that I am getting. I couldn't paste it all because the system wouldn't allow it.

    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23667; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 244
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23664; rev:9;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 247
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_server,established; file_data; content:"RIFX"; depth:4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23658; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 250
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23657; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 253
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23656; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 256
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23655; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 259
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23654; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 262
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23653; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 265
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23652; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 268
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23651; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 271
    24/7/2015 -- 19:00:50 - <info>-- 2 rule files processed. 11248 rules successfully loaded, 854 rules failed
    24/7/2015 -- 19:00:50 - <info>-- 11254 signatures processed. 824 are IP-only rules, 4160 are inspecting packet payload, 7279 inspect application layer, 72 are decoder event only
    24/7/2015 -- 19:00:50 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete
    24/7/2015 -- 19:00:50 - <info>-- building signature grouping structure, stage 2: building source address list... complete
    24/7/2015 -- 19:00:54 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete
    24/7/2015 -- 19:00:55 - <info>-- Threshold config parsed: 0 rule(s) found
    24/7/2015 -- 19:00:55 - <info>-- Core dump size is unlimited.
    24/7/2015 -- 19:00:55 - <info>-- alert-pf output device (regular) initialized: block.log
    24/7/2015 -- 19:00:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/passlist parsed: 16 IP addresses loaded.
    24/7/2015 -- 19:00:55 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed.
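    An added example, not code from this thread or from the pfSense Suricata package: a small Python triage of suricata.log lines in the format pasted above. It counts the per-signature SC_ERR_INVALID_SIGNATURE messages separately (the engine still reported loading 11248 rules after them) and lists any remaining error lines, which is where the alert-pf table failure surfaces. The sample log is constructed from a trimmed copy of the paste and uses a placeholder rules path.

```python
import re

# Line shape used by the suricata.log paste above: "<date> -- <time> - <level>-- <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)>-- (?P<msg>.*)$')
ERRCODE_RE = re.compile(r'\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)')

# Constructed sample, trimmed from the paste above; /tmp/rules is a placeholder path.
SAMPLE_LOG = """\
24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; sid:23667; rev:6;)" from file /tmp/rules/flowbit-required.rules at line 244
24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
24/7/2015 -- 19:00:50 - <info>-- 2 rule files processed. 11248 rules successfully loaded, 854 rules failed
24/7/2015 -- 19:00:55 - <info>-- alert-pf output device (regular) initialized: block.log
24/7/2015 -- 19:00:55 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed.
"""


def parse_log(text):
    """Yield (level, code, detail) per well-formed line; code is None when no ERRCODE tag."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = ERRCODE_RE.match(m.group('msg'))
        if e:
            yield m.group('level'), e.group('code'), e.group('detail')
        else:
            yield m.group('level'), None, m.group('msg')


def triage(text):
    """Split per-rule parse failures (noisy but survivable) from errors that stop the engine."""
    signature_errors = 0
    fatal = []
    rules_failed = None
    for level, code, detail in parse_log(text):
        if level == 'error' and code == 'SC_ERR_INVALID_SIGNATURE':
            signature_errors += 1          # one bad rule does not stop Suricata
        elif level == 'error':
            fatal.append((code, detail))   # anything else is worth reading first
        elif 'rules failed' in detail:
            rules_failed = int(re.search(r'(\d+) rules failed', detail).group(1))
    return {'signature_errors': signature_errors, 'rules_failed': rules_failed, 'fatal': fatal}


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    print(f"{report['signature_errors']} signature parse errors, "
          f"{report['rules_failed']} rules failed (engine continued loading)")
    for code, detail in report['fatal']:
        print(f"likely stop cause: {code}: {detail}")
```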
    


  • This is the key error –

    
    24/7/2015 -- 19:00:55 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed.
    

    The table is a default pfSense-created table in the firewall.  The fact that it is missing means something is badly wrong with the pfSense install.  This table is auto-created by pfSense upon startup (before Suricata ever starts).  When you go to Diagnostics…Tables in the firewall menu, can you see the table listed in the drop-down box?  This table is how Suricata inserts blocks, so with the table missing the blocking module fails to initialize and thus so does Suricata.

    Do you have any other packages installed?  I seem to recall an issue some time back where another package, when installed, could clobber the table in the pf (packet filter).  A quick search here on the forum may uncover the thread.

    EDIT: Did a quick search myself.  It was not a package, it was Limiters in the Traffic Shaper.  Here is a relevant thread from Snort (but it will apply to Suricata as well):  https://forum.pfsense.org/index.php?topic=82268.msg450021#msg450021

    Bill



  • There is no entry.

    Is it because I have the firewall turned off?

    I am using pfSense for caching and web content filtering only via squid3 and squidGuard.

    The pfSense box sits behind a Juniper firewall so there was no need to have the firewall on on pfSense as well.

    I am already dealing with bottleneck issues in regards to clamav/icap when they are turned on. They are choking and limiting throughput.



  • @bmeeks:

    EDIT: Did a quick search myself.  It was not a package, it was Limiters in the Traffic Shaper.  Here is a relevant thread from Snort (but it will apply to Suricata as well):  https://forum.pfsense.org/index.php?topic=82268.msg450021#msg450021

    Bill

    Thank you! That seems to have done it.



  • Glad to help and happy that fixed it for you.

    Bill



  • I notice that I have to re-run the command every time I reboot pfSense.

    pfctl -t snort2c -T add 1.1.1.1

    Is there a way to make it stick? Maybe a cron job?



  • @gdsnytech:

    I notice that I have to re-run the command every time I reboot pfSense.

    pfctl -t snort2c -T add 1.1.1.1

    Is there a way to make it stick? Maybe a cron job?

    Posted this reply to you in another thread as well.  I think your box may have after effects of a Traffic Shaper bug.  See if the steps in this thread help – https://forum.pfsense.org/index.php?topic=82268.msg450204#msg450204

    Bill



  • Traffic shaper is not enabled.



  • Was it ever in the past perhaps?  There is something in your pfSense configuration that is preventing the boot up code from creating the snort2c table automatically like it is supposed to.  That table is created way before any packages are loaded and started.  Look in /tmp for any PHP errors file and see what's in them.

    Bill



  • No, the traffic shaper was never touched.

    Is there a way to edit this code? If so where is it located? Is it in the config file?

    Below is the only error in the PHP error log.

    [06-Aug-2015 05:02:26 EST5EDT] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/pkg/patches.inc on line 159



  • @gdsnytech:

    No, the traffic shaper was never touched.

    Is there a way to edit this code? If so where is it located? Is it in the config file?

    Below is the only error in the PHP error log.

    [06-Aug-2015 05:02:26 EST5EDT] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/pkg/patches.inc on line 159

    This error has nothing to do with Suricata.  That file is not part of Suricata's collection.  Do you have other packages installed that may be trying to include this file?

    Bill



  • Below is the list of the only services that I have installed on pfSense.

    FYI: I have re-installed pfSense 2.2.4 on a new box and used the restore feature to restore my config on it. Suricata is not even starting now even after running the command.

    apinger
    bandwidthd
    c-icap
    clamd
    cron
    dnsmasq
    ntopng
    ntpd
    squid
    squidGuard
    sshd
    suricata
    vhosts-http



  • @gdsnytech:

    Below is the list of the only services that I have installed on pfSense.

    FYI: I have re-installed pfSense 2.2.4 on a new box and used the restore feature to restore my config on it. Suricata is not even starting now even after running the command.

    apinger
    bandwidthd
    c-icap
    clamd
    cron
    dnsmasq
    ntopng
    ntpd
    squid
    squidGuard
    sshd
    suricata
    vhosts-http

    That would indicate one of two things.  First, the configuration itself might be corrupt, so when restored onto a new install it could be killing the new install.  Another possibility is that the new box has different NIC hardware.  That would change the physical interface names Suricata needs in order to function correctly.  For example, if your old box had older Intel NICs using the em0 driver, but now your new box has Realtek NICs using the re0 driver.  The change in physical NIC names will trip up Suricata (and Snort as well).  In that case I would recommend configuring Suricata again from scratch and not importing an old configuration.

    Bill



  • I have since uninstalled it but have not been able to install it back. The installation never completes. I am able to install it via ssh though but not through the web console.

    Please see the attached. That is where it gets stuck.

    Any ideas?