Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata not working!

    Scheduled Pinned Locked Moved IDS/IPS
    15 Posts 6 Posters 7.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      waves
      last edited by

      I did the update today. Wish i didn't. :(  Snort doesn't work anymore ( i can't even download the rules) and i have all my network exposed to external attacks. Can't go back to the old working version.

      Also, the new interface is…  geez, crap. The ergonomy is a lot minimized. Anyone can help me go back to the old version? Before doing the update i made a full back-up from the update interface, but now i can't find any back-up. :((  I have a lot of critical servers, includind VoIP and GPS servers behind the firewall and i'm totally exposed now.

      Bellow is some errors from suricata logs.

      P.S. Yeah, i know i should't have done this update without a strong back-up in production enviroment, but i've trusted to much the pfSense development team. :(  Learnt my lesson.

      13/4/2016 -- 16:09:30 - <notice> -- This is Suricata version 3.0 RELEASE
13/4/2016 -- 16:09:30 - <info> -- CPUs/cores online: 4
13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
13/4/2016 -- 16:09:30 - <info> -- HTTP memcap: 67108864
13/4/2016 -- 16:09:30 - <info> -- DNS request flood protection level: 500
13/4/2016 -- 16:09:30 - <info> -- DNS per flow memcap (state-memcap): 524288
13/4/2016 -- 16:09:30 - <info> -- DNS global memcap: 16777216
13/4/2016 -- 16:09:30 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
13/4/2016 -- 16:09:30 - <info> -- preallocated 65535 defrag trackers of size 136
13/4/2016 -- 16:09:30 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
13/4/2016 -- 16:09:30 - <info> -- AutoFP mode using "Active Packets" flow load balancer
13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 hosts of size 104
13/4/2016 -- 16:09:30 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 16:09:30 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
13/4/2016 -- 16:09:30 - <info> -- preallocated 10000 flows of size 256
13/4/2016 -- 16:09:30 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
13/4/2016 -- 16:09:30 - <info> -- stream "prealloc-sessions": 32768 (per thread)
13/4/2016 -- 16:09:30 - <info> -- stream "memcap": 67108864
13/4/2016 -- 16:09:30 - <info> -- stream "midstream" session pickups: disabled
13/4/2016 -- 16:09:30 - <info> -- stream "async-oneside": disabled
13/4/2016 -- 16:09:30 - <info> -- stream "checksum-validation": disabled
13/4/2016 -- 16:09:30 - <info> -- stream."inline": disabled
13/4/2016 -- 16:09:30 - <info> -- stream "max-synack-queued": 5
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "memcap": 67108864
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "depth": 0
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toserver-chunk-size": 2582
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toclient-chunk-size": 2672
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly.raw: enabled
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 4, prealloc 256
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 16, prealloc 512
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 112, prealloc 512
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 248, prealloc 512
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 512, prealloc 512
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 768, prealloc 1024
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 1448, prealloc 1024
13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 65535, prealloc 128
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "chunk-prealloc": 250
13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "zero-copy-size": 128
13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 ippairs of size 104
13/4/2016 -- 16:09:30 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 16:09:30 - <info> -- using magic-file /usr/share/misc/magic
13/4/2016 -- 16:09:30 - <info> -- Delayed detect disabled
13/4/2016 -- 16:09:30 - <info> -- IP reputation disabled
13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/classification.config": No such file or directory
13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/reference.config": No such file or directory
13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
13/4/2016 -- 16:09:30 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/
13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/etc/suricata/suricata_60609_em2/rules/
13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
13/4/2016 -- 16:09:30 - <info> -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 2: building source address list... complete
13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
13/4/2016 -- 16:09:30 - <info> -- Threshold config parsed: 0 rule(s) found
13/4/2016 -- 16:09:30 - <info> -- Core dump size is unlimited.
13/4/2016 -- 16:09:30 - <info> -- fast output device (regular) initialized: alerts.log
13/4/2016 -- 16:09:30 - <info> -- http-log output device (regular) initialized: http.log
13/4/2016 -- 16:09:30 - <info> -- Syslog output initialized
13/4/2016 -- 16:09:30 - <info> -- Using 1 live device(s).
13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
13/4/2016 -- 16:09:30 - <info> -- using interface em2
13/4/2016 -- 16:09:30 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
13/4/2016 -- 16:09:30 - <info> -- Found an MTU of 1500 for 'em2'
13/4/2016 -- 16:09:30 - <info> -- Set snaplen to 1516 for 'em2'
13/4/2016 -- 16:09:30 - <info> -- RunModeIdsPcapAutoFp initialised
13/4/2016 -- 16:09:30 - <info> -- using 1 flow manager threads
13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
13/4/2016 -- 16:09:30 - <info> -- using 1 flow recycler threads
13/4/2016 -- 16:09:30 - <notice> -- all 7 packet processing threads, 2 management threads initialized, engine started.
13/4/2016 -- 16:09:30 - <info> -- No packets with invalid checksum, assuming checksum offloading is NOT used
13/4/2016 -- 16:17:46 - <notice> -- Signal Received.  Stopping engine.
13/4/2016 -- 16:17:46 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
13/4/2016 -- 16:17:46 - <info> -- preallocated 8192 packets. Total memory 28459008
13/4/2016 -- 16:17:46 - <info> -- time elapsed 496.091s
13/4/2016 -- 16:17:46 - <info> -- 3776 flows processed
13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Packets 5304731, bytes 4863890373
13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Pcap Total:5305854 Recv:5305854 Drop:0 (0.0%).
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Total flow handler queues - 6
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 0  - pkts: 4148832      flows: 2839        
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 1  - pkts: 1145824      flows: 864         
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 2  - pkts: 7843         flows: 73          
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 3  - pkts: 745          flows: 0           
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 4  - pkts: 745          flows: 0           
13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 5  - pkts: 745          flows: 0           
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 4119509 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect1) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 136 requests
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 1144455 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect2) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 446 requests
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 7061 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect3) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 5 requests
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect4) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect5) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
13/4/2016 -- 16:17:46 - <info> -- (Detect6) Alerts 0
13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
13/4/2016 -- 16:17:46 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 4 had a peak use of 467 segments, more than the prealloc setting of 256
13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 112 had a peak use of 1661 segments, more than the prealloc setting of 512
13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 65535 had a peak use of 254 segments, more than the prealloc setting of 128
13/4/2016 -- 16:17:46 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 16:17:46 - <info> -- cleaning up signature grouping structure... complete
13/4/2016 -- 16:17:46 - <notice> -- Stats for 'em2':  pkts: 5304731, drop: 0 (0.00%), invalid chksum: 0</notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice></info></notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></warning></warning></info></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
      1 Reply Last reply Reply Quote 0
      • V
        vbentley
        last edited by

        I don't know if this still works in 2.3, but I have found that reinstalling packages from the console often fixes them.
        https://forum.pfsense.org/index.php?topic=92577.msg513026#msg513026

        I had to use the same technique today with snort after reinstalling 2.2.6 and restoring my backup.

        Trademark Attribution and Credit
        pfSense® and pfSense Certified® are registered trademarks of Electric Sheep Fencing, LLC in the United States and other countries.

        1 Reply Last reply Reply Quote 0
        • W
          waves
          last edited by

          I have already tried that. I can download the rules now, but the snort still doesn't work. Because i'm in a f*****g production enviroment i must find another solution quicik. Most probably i will go back to the old version of pfsense,

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @waves:

            I have already tried that. I can download the rules now, but the snort still doesn't work. Because i'm in a f*****g production enviroment i must find another solution quicik. Most probably i will go back to the old version of pfsense,

            Your post says "Snort not working" yet you posted logs of Suricata starting up.  Which are you actually trying to utilize?

            Try going to the UPDATES tab and clicking FORCE to force an update.  Let it sit there for several minutes!  Do not navigate away from the page (not even after the little modal dialog disappears).  Just let it sit there for maybe 3 or 4 minutes.  Then click the button to view the log file.  Post any errors you see there back here.  I'm betting that if you let it sit long enough on the UPDATES tab, you will get the rules.

            Bill

            1 Reply Last reply Reply Quote 0
            • W
              waves
              last edited by

              The rules are downloading at a point as i said, but the suricata doesn't work. No detection, no blocking, no alerts.  Deleted the package, reinstallled, without success. Unfortunately, as i did mention above i'm in a production enviroment. I wish i had time to investigate this issue, but i'm working hard to go back on 2.2.6 and restore a full back-up. I'm feeling (and i am) like a complete idiot for deploying this new version of pfsense in a productions enviroment without waiting a couple of months.

              As for the logs, that's all what i had in suricata.log after the update.

              Bellow is a more recent suricata.log Anyway, most of the errors doesn't relate with the malfunction of the Suricata.

              13/4/2016 -- 23:25:15 - <notice> -- This is Suricata version 3.0 RELEASE
13/4/2016 -- 23:25:15 - <info> -- CPUs/cores online: 4
13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
13/4/2016 -- 23:25:15 - <info> -- HTTP memcap: 67108864
13/4/2016 -- 23:25:15 - <info> -- DNS request flood protection level: 500
13/4/2016 -- 23:25:15 - <info> -- DNS per flow memcap (state-memcap): 524288
13/4/2016 -- 23:25:15 - <info> -- DNS global memcap: 16777216
13/4/2016 -- 23:25:15 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
13/4/2016 -- 23:25:15 - <info> -- preallocated 65535 defrag trackers of size 136
13/4/2016 -- 23:25:15 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
13/4/2016 -- 23:25:15 - <info> -- AutoFP mode using "Active Packets" flow load balancer
13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 hosts of size 104
13/4/2016 -- 23:25:15 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 23:25:15 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
13/4/2016 -- 23:25:15 - <info> -- preallocated 10000 flows of size 256
13/4/2016 -- 23:25:15 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
13/4/2016 -- 23:25:15 - <info> -- stream "prealloc-sessions": 32768 (per thread)
13/4/2016 -- 23:25:15 - <info> -- stream "memcap": 67108864
13/4/2016 -- 23:25:15 - <info> -- stream "midstream" session pickups: disabled
13/4/2016 -- 23:25:15 - <info> -- stream "async-oneside": disabled
13/4/2016 -- 23:25:15 - <info> -- stream "checksum-validation": disabled
13/4/2016 -- 23:25:15 - <info> -- stream."inline": disabled
13/4/2016 -- 23:25:15 - <info> -- stream "max-synack-queued": 5
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "memcap": 67108864
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "depth": 0
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toserver-chunk-size": 2669
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toclient-chunk-size": 2638
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly.raw: enabled
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 4, prealloc 256
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 16, prealloc 512
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 112, prealloc 512
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 248, prealloc 512
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 512, prealloc 512
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 768, prealloc 1024
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 1448, prealloc 1024
13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 65535, prealloc 128
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "chunk-prealloc": 250
13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "zero-copy-size": 128
13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 ippairs of size 104
13/4/2016 -- 23:25:15 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
13/4/2016 -- 23:25:15 - <info> -- using magic-file /usr/share/misc/magic
13/4/2016 -- 23:25:15 - <info> -- Delayed detect disabled
13/4/2016 -- 23:25:15 - <info> -- IP reputation disabled
13/4/2016 -- 23:25:15 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules
13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1517
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1571
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1617
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1681
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1804
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1826
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1840
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1841
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1854
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1992
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1997
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2048
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2049
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2050
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2051
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2052
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2170
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2171
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2254
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2259
13/4/2016 -- 23:25:25 - <warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:2;)
13/4/2016 -- 23:25:26 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13/4/2016 -- 23:25:26 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"</error></error></warning></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                All of those "SC_ERR_INVALID_SIGNATURE" errors are just Suricata complaining about keywords and rule options in Snort VRT rules that Suricata cannot interpret.  This is expected when using the Snort VRT rules package with Suricata.  Those errors are harmless in that they do not prevent Suricata from starting up; however, they do mean those particular rules are not getting loaded and thus are never being used to inspect traffic.  So from that point of view the network security is reduced.

                I'm still confused by the title of your thread.  It says "SNORT" but your logs are all Suricata.  Which package are you really running?  I assume Suricata ???  If so, then post the end of the Suricata log (you can skip all the rule parsing errors and just post the stuff after that).

                Bill

                1 Reply Last reply Reply Quote 0
                • W
                  waves
                  last edited by

                  Sorry, it was a rough day. I've modified the tittle of my post. I realized now what i have written there.  I know those errors are not related to my problem, but i thought someone could find something usefull there.  I'm now on 2.2.6 again and i've abandoned all the hope on 2.3. For the moment. I must setup a test rig to check the potential of 2.3. Thank you for your reply.

                  1 Reply Last reply Reply Quote 0
                  • BBcan177B
                    BBcan177 Moderator
                    last edited by

                    @waves:

                    Sorry, it was a rough day. I've modified the tittle of my post. I realized now what i have written there.  I know those errors are not related to my problem, but i thought someone could find something usefull there.  I'm now on 2.2.6 again and i've abandoned all the hope on 2.3. For the moment. I must setup a test rig to check the potential of 2.3. Thank you for your reply.

                    Hey we all have rough days, but just remember that Bill maintains the Snort and Suricata packages on his own time, and everyone here benefits from it…  It would be really great if more people participated in the testing/development phase, instead of waiting on a final polished version. Also keep in mind that you will see new Snort/Suricata package features in pfSense 2.3 that might never get ported back to 2.2. Some food for thought...

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      There are a handful of known issues in the current Suricata GUI package for pfSense 2.3.  I have all of those but one fixed in the code version I'm working on.  That last remaining issue to make the rules update download process a little more user-friendly by providing some visual feedback of progress.  I've said this in other posts, but internal changes in pfSense as a result of the Bootstrap migration made some of the system API calls I was using to show rules download progress no longer function the same.  I'm trying to come up with a viable workaround.

                      I would be interested in learning more about your specific problem if you can take the time to try 2.3 again in the near future.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • P
                        PF64
                        last edited by

                        This is my first post.  8)  I just installed a fresh installation of pfSsense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @PF64:

                          This is my first post.  8)  I just installed a fresh installation of pfSsense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.

                          You will need to post some log data.  Post the suricata.log file from the interface where Suricata runs (it will be in /var/log/suricata/xxx (where xxx is the interface combined with a GUID).  Also post any relevant messages, if any, from the pfSense system log from around the time of the crash.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • P
                            PF64
                            last edited by

                            There wasn't anything Suricata related in the system log that was odd. I will note I have OpenVPN setup for PIA VPN, not sure if that could cause issue.

                            14/4/2016 -- 20:11:55 - <notice> -- This is Suricata version 3.0 RELEASE
14/4/2016 -- 20:11:55 - <info> -- CPUs/cores online: 12
14/4/2016 -- 20:11:55 - <info> -- Adding interface em0 from config file
14/4/2016 -- 20:11:55 - <info> -- Adding interface em0+ from config file
14/4/2016 -- 20:11:55 - <info> -- Netmap: Setting IPS mode
14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
14/4/2016 -- 20:11:55 - <info> -- HTTP memcap: 67108864
14/4/2016 -- 20:11:55 - <info> -- DNS request flood protection level: 500
14/4/2016 -- 20:11:55 - <info> -- DNS per flow memcap (state-memcap): 524288
14/4/2016 -- 20:11:55 - <info> -- DNS global memcap: 16777216
14/4/2016 -- 20:11:55 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
14/4/2016 -- 20:11:55 - <info> -- preallocated 65535 defrag trackers of size 136
14/4/2016 -- 20:11:55 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
14/4/2016 -- 20:11:55 - <info> -- AutoFP mode using "Active Packets" flow load balancer
14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 hosts of size 104
14/4/2016 -- 20:11:55 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
14/4/2016 -- 20:11:55 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 10000 flows of size 256
14/4/2016 -- 20:11:55 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
14/4/2016 -- 20:11:55 - <info> -- stream "prealloc-sessions": 32768 (per thread)
14/4/2016 -- 20:11:55 - <info> -- stream "memcap": 67108864
14/4/2016 -- 20:11:55 - <info> -- stream "midstream" session pickups: disabled
14/4/2016 -- 20:11:55 - <info> -- stream "async-oneside": disabled
14/4/2016 -- 20:11:55 - <info> -- stream "checksum-validation": disabled
14/4/2016 -- 20:11:55 - <info> -- stream."inline": enabled
14/4/2016 -- 20:11:55 - <info> -- stream "max-synack-queued": 5
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "memcap": 67108864
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "depth": 0
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toserver-chunk-size": 2448
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toclient-chunk-size": 2673
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly.raw: enabled
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 4, prealloc 256
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 16, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 112, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 248, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 512, prealloc 512
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 768, prealloc 1024
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 1448, prealloc 1024
14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 65535, prealloc 128
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "chunk-prealloc": 250
14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "zero-copy-size": 128
14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 ippairs of size 104
14/4/2016 -- 20:11:55 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
14/4/2016 -- 20:11:55 - <info> -- using magic-file /usr/share/misc/magic
14/4/2016 -- 20:11:55 - <info> -- Delayed detect disabled
14/4/2016 -- 20:11:55 - <info> -- IP reputation disabled
14/4/2016 -- 20:11:55 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/suricata.rules
14/4/2016 -- 20:12:21 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/flowbit-required.rules
14/4/2016 -- 20:12:21 - <info> -- 2 rule files processed. 17472 rules successfully loaded, 0 rules failed
14/4/2016 -- 20:12:22 - <info> -- 17478 signatures processed. 1059 are IP-only rules, 5082 are inspecting packet payload, 13517 inspect application layer, 76 are decoder event only
14/4/2016 -- 20:12:22 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
14/4/2016 -- 20:12:23 - <info> -- building signature grouping structure, stage 2: building source address list... complete
14/4/2016 -- 20:12:44 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
14/4/2016 -- 20:12:49 - <info> -- Threshold config parsed: 0 rule(s) found
14/4/2016 -- 20:12:50 - <info> -- Core dump size is unlimited.
14/4/2016 -- 20:12:50 - <info> -- fast output device (regular) initialized: alerts.log
14/4/2016 -- 20:12:50 - <info> -- http-log output device (regular) initialized: http.log
14/4/2016 -- 20:12:50 - <info> -- Syslog output initialized
14/4/2016 -- 20:12:50 - <info> -- Using 2 live device(s).
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0
14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0->em0+
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0+
14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0+->em0
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <info> -- RunModeIdsNetmapAutoFp initialised
14/4/2016 -- 20:12:50 - <info> -- using 1 flow manager threads
14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
14/4/2016 -- 20:12:50 - <info> -- using 1 flow recycler threads
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...</error></error></info></info></info></info></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice>
                            1 Reply Last reply Reply Quote 0
                            • N
                              ntct
                              last edited by

                              Increase stream memory cap and try  :)

                              1 Reply Last reply Reply Quote 0
                              • P
                                PF64
                                last edited by

                                Thank you!!! That worked!  8)

                                It's hard to tell how much I need, but i just increased it from 64MB to 128MB.

                                For those looking to find the setting in version 2.3 its, Services > Suricata > Interfaces > Pencil Edit Icon under Actions > LAN Flow/Stream > Stream Memory Cap

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  Darn it!  I thought I had the Stream Memory Cap default set large enough, but apparently not true in all situations.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.