Suricata not working!



  • I did the update today. Wish i didn't. :(  Snort doesn't work anymore ( i can't even download the rules) and i have all my network exposed to external attacks. Can't go back to the old working version.

    Also, the new interface is…  geez, crap. The ergonomy is a lot minimized. Anyone can help me go back to the old version? Before doing the update i made a full back-up from the update interface, but now i can't find any back-up. :((  I have a lot of critical servers, includind VoIP and GPS servers behind the firewall and i'm totally exposed now.

    Bellow is some errors from suricata logs.

    P.S. Yeah, i know i should't have done this update without a strong back-up in production enviroment, but i've trusted to much the pfSense development team. :(  Learnt my lesson.

    13/4/2016 -- 16:09:30 - <notice> -- This is Suricata version 3.0 RELEASE
    13/4/2016 -- 16:09:30 - <info> -- CPUs/cores online: 4
    13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
    13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
    13/4/2016 -- 16:09:30 - <info> -- HTTP memcap: 67108864
    13/4/2016 -- 16:09:30 - <info> -- DNS request flood protection level: 500
    13/4/2016 -- 16:09:30 - <info> -- DNS per flow memcap (state-memcap): 524288
    13/4/2016 -- 16:09:30 - <info> -- DNS global memcap: 16777216
    13/4/2016 -- 16:09:30 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    13/4/2016 -- 16:09:30 - <info> -- preallocated 65535 defrag trackers of size 136
    13/4/2016 -- 16:09:30 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
    13/4/2016 -- 16:09:30 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
    13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 hosts of size 104
    13/4/2016 -- 16:09:30 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 16:09:30 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
    13/4/2016 -- 16:09:30 - <info> -- preallocated 10000 flows of size 256
    13/4/2016 -- 16:09:30 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
    13/4/2016 -- 16:09:30 - <info> -- stream "prealloc-sessions": 32768 (per thread)
    13/4/2016 -- 16:09:30 - <info> -- stream "memcap": 67108864
    13/4/2016 -- 16:09:30 - <info> -- stream "midstream" session pickups: disabled
    13/4/2016 -- 16:09:30 - <info> -- stream "async-oneside": disabled
    13/4/2016 -- 16:09:30 - <info> -- stream "checksum-validation": disabled
    13/4/2016 -- 16:09:30 - <info> -- stream."inline": disabled
    13/4/2016 -- 16:09:30 - <info> -- stream "max-synack-queued": 5
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "memcap": 67108864
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "depth": 0
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toserver-chunk-size": 2582
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toclient-chunk-size": 2672
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly.raw: enabled
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 4, prealloc 256
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 16, prealloc 512
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 112, prealloc 512
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 248, prealloc 512
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 512, prealloc 512
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 768, prealloc 1024
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 1448, prealloc 1024
    13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 65535, prealloc 128
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "chunk-prealloc": 250
    13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "zero-copy-size": 128
    13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
    13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 ippairs of size 104
    13/4/2016 -- 16:09:30 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 16:09:30 - <info> -- using magic-file /usr/share/misc/magic
    13/4/2016 -- 16:09:30 - <info> -- Delayed detect disabled
    13/4/2016 -- 16:09:30 - <info> -- IP reputation disabled
    13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/classification.config": No such file or directory
    13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
    13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/reference.config": No such file or directory
    13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
    13/4/2016 -- 16:09:30 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/
    13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/etc/suricata/suricata_60609_em2/rules/
    13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
    13/4/2016 -- 16:09:30 - <info> -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
    13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
    13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 2: building source address list... complete
    13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
    13/4/2016 -- 16:09:30 - <info> -- Threshold config parsed: 0 rule(s) found
    13/4/2016 -- 16:09:30 - <info> -- Core dump size is unlimited.
    13/4/2016 -- 16:09:30 - <info> -- fast output device (regular) initialized: alerts.log
    13/4/2016 -- 16:09:30 - <info> -- http-log output device (regular) initialized: http.log
    13/4/2016 -- 16:09:30 - <info> -- Syslog output initialized
    13/4/2016 -- 16:09:30 - <info> -- Using 1 live device(s).
    13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
    13/4/2016 -- 16:09:30 - <info> -- using interface em2
    13/4/2016 -- 16:09:30 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    13/4/2016 -- 16:09:30 - <info> -- Found an MTU of 1500 for 'em2'
    13/4/2016 -- 16:09:30 - <info> -- Set snaplen to 1516 for 'em2'
    13/4/2016 -- 16:09:30 - <info> -- RunModeIdsPcapAutoFp initialised
    13/4/2016 -- 16:09:30 - <info> -- using 1 flow manager threads
    13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
    13/4/2016 -- 16:09:30 - <info> -- using 1 flow recycler threads
    13/4/2016 -- 16:09:30 - <notice> -- all 7 packet processing threads, 2 management threads initialized, engine started.
    13/4/2016 -- 16:09:30 - <info> -- No packets with invalid checksum, assuming checksum offloading is NOT used
    13/4/2016 -- 16:17:46 - <notice> -- Signal Received.  Stopping engine.
    13/4/2016 -- 16:17:46 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    13/4/2016 -- 16:17:46 - <info> -- preallocated 8192 packets. Total memory 28459008
    13/4/2016 -- 16:17:46 - <info> -- time elapsed 496.091s
    13/4/2016 -- 16:17:46 - <info> -- 3776 flows processed
    13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Packets 5304731, bytes 4863890373
    13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Pcap Total:5305854 Recv:5305854 Drop:0 (0.0%).
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Total flow handler queues - 6
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 0  - pkts: 4148832      flows: 2839        
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 1  - pkts: 1145824      flows: 864         
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 2  - pkts: 7843         flows: 73          
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 3  - pkts: 745          flows: 0           
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 4  - pkts: 745          flows: 0           
    13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 5  - pkts: 745          flows: 0           
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 4119509 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect1) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 136 requests
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 1144455 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect2) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 446 requests
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 7061 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect3) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 5 requests
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect4) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect5) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
    13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
    13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
    13/4/2016 -- 16:17:46 - <info> -- (Detect6) Alerts 0
    13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
    13/4/2016 -- 16:17:46 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 4 had a peak use of 467 segments, more than the prealloc setting of 256
    13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 112 had a peak use of 1661 segments, more than the prealloc setting of 512
    13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 65535 had a peak use of 254 segments, more than the prealloc setting of 128
    13/4/2016 -- 16:17:46 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 16:17:46 - <info> -- cleaning up signature grouping structure... complete
    13/4/2016 -- 16:17:46 - <notice> -- Stats for 'em2':  pkts: 5304731, drop: 0 (0.00%), invalid chksum: 0</notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice></info></notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></warning></warning></info></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
    


  • I don't know if this still works in 2.3, but I have found that reinstalling packages from the console often fixes them.
    https://forum.pfsense.org/index.php?topic=92577.msg513026#msg513026

    I had to use the same technique today with snort after reinstalling 2.2.6 and restoring my backup.



  • I have already tried that. I can download the rules now, but the snort still doesn't work. Because i'm in a f*****g production enviroment i must find another solution quicik. Most probably i will go back to the old version of pfsense,



  • @waves:

    I have already tried that. I can download the rules now, but the snort still doesn't work. Because i'm in a f*****g production enviroment i must find another solution quicik. Most probably i will go back to the old version of pfsense,

    Your post says "Snort not working" yet you posted logs of Suricata starting up.  Which are you actually trying to utilize?

    Try going to the UPDATES tab and clicking FORCE to force an update.  Let it sit there for several minutes!  Do not navigate away from the page (not even after the little modal dialog disappears).  Just let it sit there for maybe 3 or 4 minutes.  Then click the button to view the log file.  Post any errors you see there back here.  I'm betting that if you let it sit long enough on the UPDATES tab, you will get the rules.

    Bill



  • The rules are downloading at a point as i said, but the suricata doesn't work. No detection, no blocking, no alerts.  Deleted the package, reinstallled, without success. Unfortunately, as i did mention above i'm in a production enviroment. I wish i had time to investigate this issue, but i'm working hard to go back on 2.2.6 and restore a full back-up. I'm feeling (and i am) like a complete idiot for deploying this new version of pfsense in a productions enviroment without waiting a couple of months.

    As for the logs, that's all what i had in suricata.log after the update.

    Bellow is a more recent suricata.log Anyway, most of the errors doesn't relate with the malfunction of the Suricata.

    13/4/2016 -- 23:25:15 - <notice> -- This is Suricata version 3.0 RELEASE
    13/4/2016 -- 23:25:15 - <info> -- CPUs/cores online: 4
    13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
    13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
    13/4/2016 -- 23:25:15 - <info> -- HTTP memcap: 67108864
    13/4/2016 -- 23:25:15 - <info> -- DNS request flood protection level: 500
    13/4/2016 -- 23:25:15 - <info> -- DNS per flow memcap (state-memcap): 524288
    13/4/2016 -- 23:25:15 - <info> -- DNS global memcap: 16777216
    13/4/2016 -- 23:25:15 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    13/4/2016 -- 23:25:15 - <info> -- preallocated 65535 defrag trackers of size 136
    13/4/2016 -- 23:25:15 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
    13/4/2016 -- 23:25:15 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
    13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 hosts of size 104
    13/4/2016 -- 23:25:15 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 23:25:15 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
    13/4/2016 -- 23:25:15 - <info> -- preallocated 10000 flows of size 256
    13/4/2016 -- 23:25:15 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
    13/4/2016 -- 23:25:15 - <info> -- stream "prealloc-sessions": 32768 (per thread)
    13/4/2016 -- 23:25:15 - <info> -- stream "memcap": 67108864
    13/4/2016 -- 23:25:15 - <info> -- stream "midstream" session pickups: disabled
    13/4/2016 -- 23:25:15 - <info> -- stream "async-oneside": disabled
    13/4/2016 -- 23:25:15 - <info> -- stream "checksum-validation": disabled
    13/4/2016 -- 23:25:15 - <info> -- stream."inline": disabled
    13/4/2016 -- 23:25:15 - <info> -- stream "max-synack-queued": 5
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "memcap": 67108864
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "depth": 0
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toserver-chunk-size": 2669
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toclient-chunk-size": 2638
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly.raw: enabled
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 4, prealloc 256
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 16, prealloc 512
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 112, prealloc 512
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 248, prealloc 512
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 512, prealloc 512
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 768, prealloc 1024
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 1448, prealloc 1024
    13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 65535, prealloc 128
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "chunk-prealloc": 250
    13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "zero-copy-size": 128
    13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
    13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 ippairs of size 104
    13/4/2016 -- 23:25:15 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
    13/4/2016 -- 23:25:15 - <info> -- using magic-file /usr/share/misc/magic
    13/4/2016 -- 23:25:15 - <info> -- Delayed detect disabled
    13/4/2016 -- 23:25:15 - <info> -- IP reputation disabled
    13/4/2016 -- 23:25:15 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules
    13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1517
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1571
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1617
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1681
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1804
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1826
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1840
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1841
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1854
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1992
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1997
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2048
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2049
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2050
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2051
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2052
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2170
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2171
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2254
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2259
    13/4/2016 -- 23:25:25 - <warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:2;)
    13/4/2016 -- 23:25:26 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    13/4/2016 -- 23:25:26 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"</error></error></warning></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
    


  • All of those "SC_ERR_INVALID_SIGNATURE" errors are just Suricata complaining about keywords and rule options in Snort VRT rules that Suricata cannot interpret.  This is expected when using the Snort VRT rules package with Suricata.  Those errors are harmless in that they do not prevent Suricata from starting up; however, they do mean those particular rules are not getting loaded and thus are never being used to inspect traffic.  So from that point of view the network security is reduced.

    I'm still confused by the title of your thread.  It says "SNORT" but your logs are all Suricata.  Which package are you really running?  I assume Suricata ???  If so, then post the end of the Suricata log (you can skip all the rule parsing errors and just post the stuff after that).

    Bill



  • Sorry, it was a rough day. I've modified the tittle of my post. I realized now what i have written there.  I know those errors are not related to my problem, but i thought someone could find something usefull there.  I'm now on 2.2.6 again and i've abandoned all the hope on 2.3. For the moment. I must setup a test rig to check the potential of 2.3. Thank you for your reply.


  • Moderator

    @waves:

    Sorry, it was a rough day. I've modified the tittle of my post. I realized now what i have written there.  I know those errors are not related to my problem, but i thought someone could find something usefull there.  I'm now on 2.2.6 again and i've abandoned all the hope on 2.3. For the moment. I must setup a test rig to check the potential of 2.3. Thank you for your reply.

    Hey we all have rough days, but just remember that Bill maintains the Snort and Suricata packages on his own time, and everyone here benefits from it…  It would be really great if more people participated in the testing/development phase, instead of waiting on a final polished version. Also keep in mind that you will see new Snort/Suricata package features in pfSense 2.3 that might never get ported back to 2.2. Some food for thought...



  • There are a handful of known issues in the current Suricata GUI package for pfSense 2.3.  I have all of those but one fixed in the code version I'm working on.  That last remaining issue to make the rules update download process a little more user-friendly by providing some visual feedback of progress.  I've said this in other posts, but internal changes in pfSense as a result of the Bootstrap migration made some of the system API calls I was using to show rules download progress no longer function the same.  I'm trying to come up with a viable workaround.

    I would be interested in learning more about your specific problem if you can take the time to try 2.3 again in the near future.

    Bill



  • This is my first post.  8)  I just installed a fresh installation of pfSsense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.



  • @PF64:

    This is my first post.  8)  I just installed a fresh installation of pfSsense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.

    You will need to post some log data.  Post the suricata.log file from the interface where Suricata runs (it will be in /var/log/suricata/xxx (where xxx is the interface combined with a GUID).  Also post any relevant messages, if any, from the pfSense system log from around the time of the crash.

    Bill



  • There wasn't anything Suricata related in the system log that was odd. I will note I have OpenVPN setup for PIA VPN, not sure if that could cause issue.

    14/4/2016 -- 20:11:55 - <notice> -- This is Suricata version 3.0 RELEASE
    14/4/2016 -- 20:11:55 - <info> -- CPUs/cores online: 12
    14/4/2016 -- 20:11:55 - <info> -- Adding interface em0 from config file
    14/4/2016 -- 20:11:55 - <info> -- Adding interface em0+ from config file
    14/4/2016 -- 20:11:55 - <info> -- Netmap: Setting IPS mode
    14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
    14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
    14/4/2016 -- 20:11:55 - <info> -- HTTP memcap: 67108864
    14/4/2016 -- 20:11:55 - <info> -- DNS request flood protection level: 500
    14/4/2016 -- 20:11:55 - <info> -- DNS per flow memcap (state-memcap): 524288
    14/4/2016 -- 20:11:55 - <info> -- DNS global memcap: 16777216
    14/4/2016 -- 20:11:55 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
    14/4/2016 -- 20:11:55 - <info> -- preallocated 65535 defrag trackers of size 136
    14/4/2016 -- 20:11:55 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
    14/4/2016 -- 20:11:55 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
    14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 hosts of size 104
    14/4/2016 -- 20:11:55 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
    14/4/2016 -- 20:11:55 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
    14/4/2016 -- 20:11:55 - <info> -- preallocated 10000 flows of size 256
    14/4/2016 -- 20:11:55 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
    14/4/2016 -- 20:11:55 - <info> -- stream "prealloc-sessions": 32768 (per thread)
    14/4/2016 -- 20:11:55 - <info> -- stream "memcap": 67108864
    14/4/2016 -- 20:11:55 - <info> -- stream "midstream" session pickups: disabled
    14/4/2016 -- 20:11:55 - <info> -- stream "async-oneside": disabled
    14/4/2016 -- 20:11:55 - <info> -- stream "checksum-validation": disabled
    14/4/2016 -- 20:11:55 - <info> -- stream."inline": enabled
    14/4/2016 -- 20:11:55 - <info> -- stream "max-synack-queued": 5
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "memcap": 67108864
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "depth": 0
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toserver-chunk-size": 2448
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toclient-chunk-size": 2673
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly.raw: enabled
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 4, prealloc 256
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 16, prealloc 512
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 112, prealloc 512
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 248, prealloc 512
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 512, prealloc 512
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 768, prealloc 1024
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 1448, prealloc 1024
    14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 65535, prealloc 128
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "chunk-prealloc": 250
    14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "zero-copy-size": 128
    14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
    14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 ippairs of size 104
    14/4/2016 -- 20:11:55 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
    14/4/2016 -- 20:11:55 - <info> -- using magic-file /usr/share/misc/magic
    14/4/2016 -- 20:11:55 - <info> -- Delayed detect disabled
    14/4/2016 -- 20:11:55 - <info> -- IP reputation disabled
    14/4/2016 -- 20:11:55 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/suricata.rules
    14/4/2016 -- 20:12:21 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/flowbit-required.rules
    14/4/2016 -- 20:12:21 - <info> -- 2 rule files processed. 17472 rules successfully loaded, 0 rules failed
    14/4/2016 -- 20:12:22 - <info> -- 17478 signatures processed. 1059 are IP-only rules, 5082 are inspecting packet payload, 13517 inspect application layer, 76 are decoder event only
    14/4/2016 -- 20:12:22 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
    14/4/2016 -- 20:12:23 - <info> -- building signature grouping structure, stage 2: building source address list... complete
    14/4/2016 -- 20:12:44 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
    14/4/2016 -- 20:12:49 - <info> -- Threshold config parsed: 0 rule(s) found
    14/4/2016 -- 20:12:50 - <info> -- Core dump size is unlimited.
    14/4/2016 -- 20:12:50 - <info> -- fast output device (regular) initialized: alerts.log
    14/4/2016 -- 20:12:50 - <info> -- http-log output device (regular) initialized: http.log
    14/4/2016 -- 20:12:50 - <info> -- Syslog output initialized
    14/4/2016 -- 20:12:50 - <info> -- Using 2 live device(s).
    14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0
    14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0->em0+
    14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
    14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0+
    14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0+->em0
    14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    14/4/2016 -- 20:12:50 - <info> -- RunModeIdsNetmapAutoFp initialised
    14/4/2016 -- 20:12:50 - <info> -- using 1 flow manager threads
    14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
    14/4/2016 -- 20:12:50 - <info> -- using 1 flow recycler threads
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
    14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...</error></error></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
    


  • Increase stream memory cap and try  :)



  • Thank you!!! That worked!  8)

    It's hard to tell how much I need, but i just increased it from 64MB to 128MB.

    For those looking to find the setting in version 2.3 its, Services > Suricata > Interfaces > Pencil Edit Icon under Actions > LAN Flow/Stream > Stream Memory Cap



  • Darn it!  I thought I had the Stream Memory Cap default set large enough, but apparently not true in all situations.

    Bill