Suricata Starts then STOP - Crash
-
I have just install Suricata and configured it as i had Snort.
The issue that i am facing now is that it starts and then stops right away.
Interface says "ENABLED" but the service is showing as "stopped".
Has one any idea as to what is causing this?
I was looking forward to giving it a try but what a "bum start". Pun intended. :-/
-
You didn't give us too much to analyze, so do this to see if more data can be gathered –
1. Post any relevant messages from the firewall system log.
2. Go to the LOGS VIEW tab of Suricata and select the interface where Suricata is installed. Next, select the suricata.log file in the log selector drop-down. Post anything showing in that log.
Bill
-
You didn't give us too much to analyze, so do this to see if more data can be gathered –
1. Post any relevant messages from the firewall system log.
2. Go to the LOGS VIEW tab of Suricata and select the interface where Suricata is installed. Next, select the suricata.log file in the log selector drop-down. Post anything showing in that log.
Bill
Sorry, the below is the error that i am getting. I couldn't paste it all because the system wouldn't allow it.
24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23667; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 244 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23664; rev:9;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 247 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_server,established; file_data; content:"RIFX"; depth:4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23658; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 250 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23657; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 253 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23656; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 256 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23655; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 259 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23654; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 262 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23653; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 265 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23652; rev:7;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 268 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http. 24/7/2015 -- 19:00:50 - <error>-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23651; rev:6;)" from file /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/rules/flowbit-required.rules at line 271 24/7/2015 -- 19:00:50 - <info>-- 2 rule files processed. 11248 rules successfully loaded, 854 rules failed 24/7/2015 -- 19:00:50 - <info>-- 11254 signatures processed. 824 are IP-only rules, 4160 are inspecting packet payload, 7279 inspect application layer, 72 are decoder event only 24/7/2015 -- 19:00:50 - <info>-- building signature grouping structure, stage 1: preprocessing rules... complete 24/7/2015 -- 19:00:50 - <info>-- building signature grouping structure, stage 2: building source address list... complete 24/7/2015 -- 19:00:54 - <info>-- building signature grouping structure, stage 3: building destination address lists... complete 24/7/2015 -- 19:00:55 - <info>-- Threshold config parsed: 0 rule(s) found 24/7/2015 -- 19:00:55 - <info>-- Core dump size is unlimited. 24/7/2015 -- 19:00:55 - <info>-- alert-pf output device (regular) initialized: block.log 24/7/2015 -- 19:00:55 - <info>-- Pass List /usr/pbi/suricata-amd64/etc/suricata/suricata_38707_bce2/passlist parsed: 16 IP addresses loaded. 24/7/2015 -- 19:00:55 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed.</error></info></info></info></info></info></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error>
-
This is the key error –
24/7/2015 -- 19:00:55 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed.</error>
The table is a default pfSense-created table in the firewall. That fact it is missing means something is badly wrong with the pfSense install. This table is auto-created by pfSense upon startup (before Suricata ever starts). When you go to Diagnostics…Tables in the firewall menu, can you see the table listed in the drop-down box? This table is how Suricata inserts blocks, so with the table missing the blocking module fails to initialize and thus so does Suricata.
Do you have any other packages installed. I seem to recall an issue some time back where another package, when installed, could clobber the table in the pf (packet filter). A quick search here on the forum may uncover the thread.
EDIT: Did a quick search myself. It was not a package, it was Limiters in the Traffic Shaper. Here is a relevant thread from Snort (but it will apply to Suricata as well): https://forum.pfsense.org/index.php?topic=82268.msg450021#msg450021
Bill
-
There is no entry.
Is it because i have the firewall turned off?
I am using pfsense for caching and web content filtering only via squid3 and squidguard.
The pfsense box sits behind a junitper firewall so there was no need to have the firewall on on pfsense as well.
I am already dealing with bottle neck issues in regards to clamav/icap when they are turned on. The are choking and limiting throughput.
-
EDIT: Did a quick search myself. It was not a package, it was Limiters in the Traffic Shaper. Here is a relevant thread from Snort (but it will apply to Suricata as well): https://forum.pfsense.org/index.php?topic=82268.msg450021#msg450021
Bill
Thank you! That seems to have done it.
-
Glad to help and happy that fixed it for you.
Bill
-
I notice that i have to re-run the command every time i reboot pfsense.
pfctl -t snort2c -T add 1.1.1.1
Is there a way to make it stick? Maybe a cron job?
-
I notice that i have to re-run the command every time i reboot pfsense.
pfctl -t snort2c -T add 1.1.1.1
Is there a way to make it stick? Maybe a cron job?
Posted this reply to you in another thread as well. I think your box may have after effects of a Traffic Shaper bug. See if the steps in this thread help – https://forum.pfsense.org/index.php?topic=82268.msg450204#msg450204
Bill
-
Traffic shaper is not enabled.
-
Was it ever in the past perhaps? There is something in your pfSense configuration that is preventing the boot up code from creating the <snort2c>table automatically like it is supposed to. That table is created way before any packages are loaded and started. Look in /tmp for any PHP errors file and see what's in them.
Bill</snort2c>
-
No traffic shaper was never touched.
Is there a way to edit this code? If so where is it located? Is it in the config file?
Below is the only error in the php error log.
[06-Aug-2015 05:02:26 EST5EDT] PHP Warning: Invalid argument supplied for foreach() in /usr/local/pkg/patches.inc on line 159
-
No traffic shaper was never touched.
Is there a way to edit this code? If so where is it located? Is it in the config file?
Below is the only error in the php error log.
[06-Aug-2015 05:02:26 EST5EDT] PHP Warning: Invalid argument supplied for foreach() in /usr/local/pkg/patches.inc on line 159
This error has nothing to do with Suricata. That file is not part Suricata's collection. Do you have other packages installed that may be trying to include this file?
Bill
-
Below are the list of the only services that i have installed on pfsense.
FYI: i have re-installed pfsense 2.2.4 on a new box and used the restore feature to restore my config on it. Suricata is not even starting now even after running the command.
apinger
bandwidthd
c-icap
clamd
cron
dnsmasq
ntopng
ntpd
squid
squidGuard
sshd
suricata
vhosts-http -
Below are the list of the only services that i have installed on pfsense.
FYI: i have re-installed pfsense 2.2.4 on a new box and used the restore feature to restore my config on it. Suricata is not even starting now even after running the command.
apinger
bandwidthd
c-icap
clamd
cron
dnsmasq
ntopng
ntpd
squid
squidGuard
sshd
suricata
vhosts-httpThat would indicate one of two things. First, the configuration itself might be corrupt, so when restored onto a new install it could be killing the new install. Another possibility is that the new box has different NIC hardware. That would change the physical interface names Suricata needs in order to function correctly. For example, if you old box had older Intel NICs using the em0 driver, but now your new box has Realtek NICs using the re0 driver. The change in physical NIC names will trip up Suricata (and Snort as well). In that case I would recommend configuring Suricata again from scratch and not importing an old configuration.
Bill
-
I have since uninstalled it but have not been install it back. The installation never completes. I am able to install it via ssh though but not through the web console.
Please see the attached. That is where it get stuck.
Any ideas?