Netgate Discussion Forum

    Suricata not working!

    IDS/IPS
    15 Posts 6 Posters 7.7k Views
    waves

      I did the update today. Wish I didn't. :(  Snort doesn't work anymore (I can't even download the rules) and I have all my network exposed to external attacks. Can't go back to the old working version.

      Also, the new interface is…  geez, crap. The ergonomics are much reduced. Can anyone help me go back to the old version? Before doing the update I made a full back-up from the update interface, but now I can't find any back-up. :((  I have a lot of critical servers, including VoIP and GPS servers, behind the firewall and I'm totally exposed now.

      Below are some errors from the Suricata logs.

      P.S. Yeah, I know I shouldn't have done this update without a strong back-up in a production environment, but I trusted the pfSense development team too much. :(  Learnt my lesson.

      13/4/2016 -- 16:09:30 - <notice> -- This is Suricata version 3.0 RELEASE
      13/4/2016 -- 16:09:30 - <info> -- CPUs/cores online: 4
      13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
      13/4/2016 -- 16:09:30 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
      13/4/2016 -- 16:09:30 - <info> -- HTTP memcap: 67108864
      13/4/2016 -- 16:09:30 - <info> -- DNS request flood protection level: 500
      13/4/2016 -- 16:09:30 - <info> -- DNS per flow memcap (state-memcap): 524288
      13/4/2016 -- 16:09:30 - <info> -- DNS global memcap: 16777216
      13/4/2016 -- 16:09:30 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
      13/4/2016 -- 16:09:30 - <info> -- preallocated 65535 defrag trackers of size 136
      13/4/2016 -- 16:09:30 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
      13/4/2016 -- 16:09:30 - <info> -- AutoFP mode using "Active Packets" flow load balancer
      13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
      13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 hosts of size 104
      13/4/2016 -- 16:09:30 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
      13/4/2016 -- 16:09:30 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
      13/4/2016 -- 16:09:30 - <info> -- preallocated 10000 flows of size 256
      13/4/2016 -- 16:09:30 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
      13/4/2016 -- 16:09:30 - <info> -- stream "prealloc-sessions": 32768 (per thread)
      13/4/2016 -- 16:09:30 - <info> -- stream "memcap": 67108864
      13/4/2016 -- 16:09:30 - <info> -- stream "midstream" session pickups: disabled
      13/4/2016 -- 16:09:30 - <info> -- stream "async-oneside": disabled
      13/4/2016 -- 16:09:30 - <info> -- stream "checksum-validation": disabled
      13/4/2016 -- 16:09:30 - <info> -- stream."inline": disabled
      13/4/2016 -- 16:09:30 - <info> -- stream "max-synack-queued": 5
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "memcap": 67108864
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "depth": 0
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toserver-chunk-size": 2582
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "toclient-chunk-size": 2672
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly.raw: enabled
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 4, prealloc 256
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 16, prealloc 512
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 112, prealloc 512
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 248, prealloc 512
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 512, prealloc 512
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 768, prealloc 1024
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 1448, prealloc 1024
      13/4/2016 -- 16:09:30 - <info> -- segment pool: pktsize 65535, prealloc 128
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "chunk-prealloc": 250
      13/4/2016 -- 16:09:30 - <info> -- stream.reassembly "zero-copy-size": 128
      13/4/2016 -- 16:09:30 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
      13/4/2016 -- 16:09:30 - <info> -- preallocated 1000 ippairs of size 104
      13/4/2016 -- 16:09:30 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
      13/4/2016 -- 16:09:30 - <info> -- using magic-file /usr/share/misc/magic
      13/4/2016 -- 16:09:30 - <info> -- Delayed detect disabled
      13/4/2016 -- 16:09:30 - <info> -- IP reputation disabled
      13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/classification.config": No such file or directory
      13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
      13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata/suricata_60609_em2/reference.config": No such file or directory
      13/4/2016 -- 16:09:30 - <error> -- [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
      13/4/2016 -- 16:09:30 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/
      13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/etc/suricata/suricata_60609_em2/rules/
      13/4/2016 -- 16:09:30 - <warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
      13/4/2016 -- 16:09:30 - <info> -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
      13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
      13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 2: building source address list... complete
      13/4/2016 -- 16:09:30 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
      13/4/2016 -- 16:09:30 - <info> -- Threshold config parsed: 0 rule(s) found
      13/4/2016 -- 16:09:30 - <info> -- Core dump size is unlimited.
      13/4/2016 -- 16:09:30 - <info> -- fast output device (regular) initialized: alerts.log
      13/4/2016 -- 16:09:30 - <info> -- http-log output device (regular) initialized: http.log
      13/4/2016 -- 16:09:30 - <info> -- Syslog output initialized
      13/4/2016 -- 16:09:30 - <info> -- Using 1 live device(s).
      13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
      13/4/2016 -- 16:09:30 - <info> -- using interface em2
      13/4/2016 -- 16:09:30 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
      13/4/2016 -- 16:09:30 - <info> -- Found an MTU of 1500 for 'em2'
      13/4/2016 -- 16:09:30 - <info> -- Set snaplen to 1516 for 'em2'
      13/4/2016 -- 16:09:30 - <info> -- RunModeIdsPcapAutoFp initialised
      13/4/2016 -- 16:09:30 - <info> -- using 1 flow manager threads
      13/4/2016 -- 16:09:30 - <info> -- preallocated 8192 packets. Total memory 28459008
      13/4/2016 -- 16:09:30 - <info> -- using 1 flow recycler threads
      13/4/2016 -- 16:09:30 - <notice> -- all 7 packet processing threads, 2 management threads initialized, engine started.
      13/4/2016 -- 16:09:30 - <info> -- No packets with invalid checksum, assuming checksum offloading is NOT used
      13/4/2016 -- 16:17:46 - <notice> -- Signal Received.  Stopping engine.
      13/4/2016 -- 16:17:46 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
      13/4/2016 -- 16:17:46 - <info> -- preallocated 8192 packets. Total memory 28459008
      13/4/2016 -- 16:17:46 - <info> -- time elapsed 496.091s
      13/4/2016 -- 16:17:46 - <info> -- 3776 flows processed
      13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Packets 5304731, bytes 4863890373
      13/4/2016 -- 16:17:46 - <info> -- (RxPcapem21) Pcap Total:5305854 Recv:5305854 Drop:0 (0.0%).
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Total flow handler queues - 6
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 0  - pkts: 4148832      flows: 2839        
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 1  - pkts: 1145824      flows: 864         
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 2  - pkts: 7843         flows: 73          
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 3  - pkts: 745          flows: 0           
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 4  - pkts: 745          flows: 0           
      13/4/2016 -- 16:17:46 - <info> -- AutoFP - Queue 5  - pkts: 745          flows: 0           
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 4119509 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect1) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 136 requests
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 1144455 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect2) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 446 requests
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 7061 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect3) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 5 requests
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect4) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect5) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
      13/4/2016 -- 16:17:46 - <info> -- Stream TCP processed 0 TCP packets
      13/4/2016 -- 16:17:46 - <info> -- Fast log output wrote 0 alerts
      13/4/2016 -- 16:17:46 - <info> -- (Detect6) Alerts 0
      13/4/2016 -- 16:17:46 - <info> -- HTTP logger logged 0 requests
      13/4/2016 -- 16:17:46 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
      13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 4 had a peak use of 467 segments, more than the prealloc setting of 256
      13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 112 had a peak use of 1661 segments, more than the prealloc setting of 512
      13/4/2016 -- 16:17:46 - <info> -- TCP segment pool of size 65535 had a peak use of 254 segments, more than the prealloc setting of 128
      13/4/2016 -- 16:17:46 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
      13/4/2016 -- 16:17:46 - <info> -- cleaning up signature grouping structure... complete
      13/4/2016 -- 16:17:46 - <notice> -- Stats for 'em2':  pkts: 5304731, drop: 0 (0.00%), invalid chksum: 0
      
        vbentley

        I don't know if this still works in 2.3, but I have found that reinstalling packages from the console often fixes them.
        https://forum.pfsense.org/index.php?topic=92577.msg513026#msg513026

        I had to use the same technique today with snort after reinstalling 2.2.6 and restoring my backup.

          waves

          I have already tried that. I can download the rules now, but Snort still doesn't work. Because I'm in a f*****g production environment I must find another solution quickly. Most probably I will go back to the old version of pfSense.

            bmeeks

            @waves:

            I have already tried that. I can download the rules now, but Snort still doesn't work. Because I'm in a f*****g production environment I must find another solution quickly. Most probably I will go back to the old version of pfSense.

            Your post says "Snort not working" yet you posted logs of Suricata starting up.  Which are you actually trying to utilize?

            Try going to the UPDATES tab and clicking FORCE to force an update.  Let it sit there for several minutes!  Do not navigate away from the page (not even after the little modal dialog disappears).  Just let it sit there for maybe 3 or 4 minutes.  Then click the button to view the log file.  Post any errors you see there back here.  I'm betting that if you let it sit long enough on the UPDATES tab, you will get the rules.

            Bill

              waves

              The rules are downloading at this point, as I said, but Suricata doesn't work. No detection, no blocking, no alerts.  Deleted the package, reinstalled, without success. Unfortunately, as I mentioned above, I'm in a production environment. I wish I had time to investigate this issue, but I'm working hard to go back to 2.2.6 and restore a full back-up. I'm feeling (and I am) like a complete idiot for deploying this new version of pfSense in a production environment without waiting a couple of months.

              As for the logs, that's all I had in suricata.log after the update.

              Below is a more recent suricata.log. Anyway, most of the errors don't relate to the malfunction of Suricata.

              13/4/2016 -- 23:25:15 - <notice> -- This is Suricata version 3.0 RELEASE
              13/4/2016 -- 23:25:15 - <info> -- CPUs/cores online: 4
              13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
              13/4/2016 -- 23:25:15 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
              13/4/2016 -- 23:25:15 - <info> -- HTTP memcap: 67108864
              13/4/2016 -- 23:25:15 - <info> -- DNS request flood protection level: 500
              13/4/2016 -- 23:25:15 - <info> -- DNS per flow memcap (state-memcap): 524288
              13/4/2016 -- 23:25:15 - <info> -- DNS global memcap: 16777216
              13/4/2016 -- 23:25:15 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
              13/4/2016 -- 23:25:15 - <info> -- preallocated 65535 defrag trackers of size 136
              13/4/2016 -- 23:25:15 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
              13/4/2016 -- 23:25:15 - <info> -- AutoFP mode using "Active Packets" flow load balancer
              13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
              13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 hosts of size 104
              13/4/2016 -- 23:25:15 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
              13/4/2016 -- 23:25:15 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
              13/4/2016 -- 23:25:15 - <info> -- preallocated 10000 flows of size 256
              13/4/2016 -- 23:25:15 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
              13/4/2016 -- 23:25:15 - <info> -- stream "prealloc-sessions": 32768 (per thread)
              13/4/2016 -- 23:25:15 - <info> -- stream "memcap": 67108864
              13/4/2016 -- 23:25:15 - <info> -- stream "midstream" session pickups: disabled
              13/4/2016 -- 23:25:15 - <info> -- stream "async-oneside": disabled
              13/4/2016 -- 23:25:15 - <info> -- stream "checksum-validation": disabled
              13/4/2016 -- 23:25:15 - <info> -- stream."inline": disabled
              13/4/2016 -- 23:25:15 - <info> -- stream "max-synack-queued": 5
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "memcap": 67108864
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "depth": 0
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toserver-chunk-size": 2669
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "toclient-chunk-size": 2638
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly.raw: enabled
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 4, prealloc 256
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 16, prealloc 512
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 112, prealloc 512
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 248, prealloc 512
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 512, prealloc 512
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 768, prealloc 1024
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 1448, prealloc 1024
              13/4/2016 -- 23:25:15 - <info> -- segment pool: pktsize 65535, prealloc 128
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "chunk-prealloc": 250
              13/4/2016 -- 23:25:15 - <info> -- stream.reassembly "zero-copy-size": 128
              13/4/2016 -- 23:25:15 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
              13/4/2016 -- 23:25:15 - <info> -- preallocated 1000 ippairs of size 104
              13/4/2016 -- 23:25:15 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
              13/4/2016 -- 23:25:15 - <info> -- using magic-file /usr/share/misc/magic
              13/4/2016 -- 23:25:15 - <info> -- Delayed detect disabled
              13/4/2016 -- 23:25:15 - <info> -- IP reputation disabled
              13/4/2016 -- 23:25:15 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules
              13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:15 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1517
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1571
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1617
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1681
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1804
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1826
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1840
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1841
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1854
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1992
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1997
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2048
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2049
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2050
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2051
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2052
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2170
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2171
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2254
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2259
              13/4/2016 -- 23:25:25 - <warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:2;)
              13/4/2016 -- 23:25:26 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"
              
              • bmeeksB
                bmeeks
                last edited by

                All of those "SC_ERR_INVALID_SIGNATURE" errors are just Suricata complaining about keywords and rule options in Snort VRT rules that Suricata cannot interpret.  This is expected when using the Snort VRT rules package with Suricata.  Those errors are harmless in that they do not prevent Suricata from starting up; however, they do mean those particular rules are not getting loaded and thus are never being used to inspect traffic.  So from that point of view the network security is reduced.

                I'm still confused by the title of your thread.  It says "SNORT" but your logs are all Suricata.  Which package are you really running?  I assume Suricata ???  If so, then post the end of the Suricata log (you can skip all the rule parsing errors and just post the stuff after that).

                Bill

                • W
                  waves
                  last edited by

                  Sorry, it was a rough day. I've modified the title of my post. I realized now what I have written there.  I know those errors are not related to my problem, but I thought someone could find something useful there.  I'm now on 2.2.6 again and I've abandoned all the hope on 2.3. For the moment. I must set up a test rig to check the potential of 2.3. Thank you for your reply.

                  • BBcan177B
                    BBcan177 Moderator
                    last edited by

                    @waves:

                    Sorry, it was a rough day. I've modified the title of my post. I realized now what I have written there.  I know those errors are not related to my problem, but I thought someone could find something useful there.  I'm now on 2.2.6 again and I've abandoned all the hope on 2.3. For the moment. I must set up a test rig to check the potential of 2.3. Thank you for your reply.

                    Hey we all have rough days, but just remember that Bill maintains the Snort and Suricata packages on his own time, and everyone here benefits from it…  It would be really great if more people participated in the testing/development phase, instead of waiting on a final polished version. Also keep in mind that you will see new Snort/Suricata package features in pfSense 2.3 that might never get ported back to 2.2. Some food for thought...

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    • bmeeksB
                      bmeeks
                      last edited by

                      There are a handful of known issues in the current Suricata GUI package for pfSense 2.3.  I have all of those but one fixed in the code version I'm working on.  That last remaining issue is to make the rules update download process a little more user-friendly by providing some visual feedback of progress.  I've said this in other posts, but internal changes in pfSense as a result of the Bootstrap migration made some of the system API calls I was using to show rules download progress no longer function the same.  I'm trying to come up with a viable workaround.

                      I would be interested in learning more about your specific problem if you can take the time to try 2.3 again in the near future.

                      Bill

                      • P
                        PF64
                        last edited by

                        This is my first post.  8)  I just installed a fresh installation of pfSense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30 sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.

                        • bmeeksB
                          bmeeks
                          last edited by

                          @PF64:

                          This is my first post.  8)  I just installed a fresh installation of pfSense 2.3 as a VM on ESXi 6.  All services run except Suricata. I turn on Suricata and in 30 sec it switches back off automatically.  I've reinstalled it several times, and I didn't have this issue with any previous version.

                          You will need to post some log data.  Post the suricata.log file from the interface where Suricata runs (it will be in /var/log/suricata/xxx, where xxx is the interface combined with a GUID).  Also post any relevant messages, if any, from the pfSense system log from around the time of the crash.

                          Bill

                          • P
                            PF64
                            last edited by

                            There wasn't anything Suricata related in the system log that was odd. I will note I have OpenVPN set up for PIA VPN, not sure if that could cause an issue.

                            14/4/2016 -- 20:11:55 - <notice> -- This is Suricata version 3.0 RELEASE
                            14/4/2016 -- 20:11:55 - <info> -- CPUs/cores online: 12
                            14/4/2016 -- 20:11:55 - <info> -- Adding interface em0 from config file
                            14/4/2016 -- 20:11:55 - <info> -- Adding interface em0+ from config file
                            14/4/2016 -- 20:11:55 - <info> -- Netmap: Setting IPS mode
                            14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
                            14/4/2016 -- 20:11:55 - <info> -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
                            14/4/2016 -- 20:11:55 - <info> -- HTTP memcap: 67108864
                            14/4/2016 -- 20:11:55 - <info> -- DNS request flood protection level: 500
                            14/4/2016 -- 20:11:55 - <info> -- DNS per flow memcap (state-memcap): 524288
                            14/4/2016 -- 20:11:55 - <info> -- DNS global memcap: 16777216
                            14/4/2016 -- 20:11:55 - <info> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
                            14/4/2016 -- 20:11:55 - <info> -- preallocated 65535 defrag trackers of size 136
                            14/4/2016 -- 20:11:55 - <info> -- defrag memory usage: 10485624 bytes, maximum: 33554432
                            14/4/2016 -- 20:11:55 - <info> -- AutoFP mode using "Active Packets" flow load balancer
                            14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
                            14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 hosts of size 104
                            14/4/2016 -- 20:11:55 - <info> -- host memory usage: 366144 bytes, maximum: 16777216
                            14/4/2016 -- 20:11:55 - <info> -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
                            14/4/2016 -- 20:11:55 - <info> -- preallocated 10000 flows of size 256
                            14/4/2016 -- 20:11:55 - <info> -- flow memory usage: 6754304 bytes, maximum: 33554432
                            14/4/2016 -- 20:11:55 - <info> -- stream "prealloc-sessions": 32768 (per thread)
                            14/4/2016 -- 20:11:55 - <info> -- stream "memcap": 67108864
                            14/4/2016 -- 20:11:55 - <info> -- stream "midstream" session pickups: disabled
                            14/4/2016 -- 20:11:55 - <info> -- stream "async-oneside": disabled
                            14/4/2016 -- 20:11:55 - <info> -- stream "checksum-validation": disabled
                            14/4/2016 -- 20:11:55 - <info> -- stream."inline": enabled
                            14/4/2016 -- 20:11:55 - <info> -- stream "max-synack-queued": 5
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "memcap": 67108864
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "depth": 0
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toserver-chunk-size": 2448
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "toclient-chunk-size": 2673
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly.raw: enabled
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 4, prealloc 256
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 16, prealloc 512
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 112, prealloc 512
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 248, prealloc 512
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 512, prealloc 512
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 768, prealloc 1024
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 1448, prealloc 1024
                            14/4/2016 -- 20:11:55 - <info> -- segment pool: pktsize 65535, prealloc 128
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "chunk-prealloc": 250
                            14/4/2016 -- 20:11:55 - <info> -- stream.reassembly "zero-copy-size": 128
                            14/4/2016 -- 20:11:55 - <info> -- allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
                            14/4/2016 -- 20:11:55 - <info> -- preallocated 1000 ippairs of size 104
                            14/4/2016 -- 20:11:55 - <info> -- ippair memory usage: 366144 bytes, maximum: 16777216
                            14/4/2016 -- 20:11:55 - <info> -- using magic-file /usr/share/misc/magic
                            14/4/2016 -- 20:11:55 - <info> -- Delayed detect disabled
                            14/4/2016 -- 20:11:55 - <info> -- IP reputation disabled
                            14/4/2016 -- 20:11:55 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/suricata.rules
                            14/4/2016 -- 20:12:21 - <info> -- Loading rule file: /usr/local/etc/suricata/suricata_31859_em0/rules/flowbit-required.rules
                            14/4/2016 -- 20:12:21 - <info> -- 2 rule files processed. 17472 rules successfully loaded, 0 rules failed
                            14/4/2016 -- 20:12:22 - <info> -- 17478 signatures processed. 1059 are IP-only rules, 5082 are inspecting packet payload, 13517 inspect application layer, 76 are decoder event only
                            14/4/2016 -- 20:12:22 - <info> -- building signature grouping structure, stage 1: preprocessing rules... complete
                            14/4/2016 -- 20:12:23 - <info> -- building signature grouping structure, stage 2: building source address list... complete
                            14/4/2016 -- 20:12:44 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
                            14/4/2016 -- 20:12:49 - <info> -- Threshold config parsed: 0 rule(s) found
                            14/4/2016 -- 20:12:50 - <info> -- Core dump size is unlimited.
                            14/4/2016 -- 20:12:50 - <info> -- fast output device (regular) initialized: alerts.log
                            14/4/2016 -- 20:12:50 - <info> -- http-log output device (regular) initialized: http.log
                            14/4/2016 -- 20:12:50 - <info> -- Syslog output initialized
                            14/4/2016 -- 20:12:50 - <info> -- Using 2 live device(s).
                            14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0
                            14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0->em0+
                            14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
                            14/4/2016 -- 20:12:50 - <info> -- Using 1 threads for interface em0+
                            14/4/2016 -- 20:12:50 - <info> -- Netmap IPS mode activated em0+->em0
                            14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
                            14/4/2016 -- 20:12:50 - <info> -- RunModeIdsNetmapAutoFp initialised
                            14/4/2016 -- 20:12:50 - <info> -- using 1 flow manager threads
                            14/4/2016 -- 20:12:50 - <info> -- preallocated 1024 packets. Total memory 3557376
                            14/4/2016 -- 20:12:50 - <info> -- using 1 flow recycler threads
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
                            14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
                            
                            • N
                              ntct
                              last edited by

                              Increase stream memory cap and try  :)

                              • P
                                PF64
                                last edited by

                                Thank you!!! That worked!  8)

                                It's hard to tell how much I need, but I just increased it from 64MB to 128MB.

                                For those looking to find the setting in version 2.3, it's Services > Suricata > Interfaces > Pencil Edit Icon under Actions > LAN Flow/Stream > Stream Memory Cap

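An added example, not code from this thread or from the pfSense Suricata package: a small Python triage script for a suricata.log that separates the two kinds of errors posted above. SC_ERR_INVALID_SIGNATURE parse errors (Bill's first reply) only drop the offending rule and let Suricata start with reduced coverage, while SC_ERR_POOL_INIT / SC_ERR_THREAD_INIT / SC_ERR_INITIALIZATION (PF64's log, fixed by raising the Stream Memory Cap) abort startup. The sample log lines are constructed, abbreviated versions of the ones in this thread; the error-code sets are assumed from what the thread shows.

```python
# Triage a Suricata 3.0 startup log: which errors merely drop rules and
# which ones stop the engine from starting at all.  Added example.
import re
from collections import Counter

# One suricata.log line: "13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: X(39)] - msg"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> -- "
    r"(?:\[ERRCODE: (?P<code>[A-Z_0-9]+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)
SID_RE = re.compile(r"\bsid:(\d+);")
LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")

# Codes seen in this thread (assumed classification).  A parse error only skips
# the offending rule, so Suricata still starts; the FATAL set ends startup.
NON_FATAL = {"SC_ERR_INVALID_SIGNATURE", "SC_ERR_RUNMODE"}
FATAL = {"SC_ERR_POOL_INIT", "SC_ERR_THREAD_INIT", "SC_ERR_INITIALIZATION"}


def parse_line(line):
    """Return a dict with ts/level/code/num/msg, or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the log once; collect dropped sids, per-code error counts and the outcome."""
    report = {
        "dropped_sids": [],     # rules Suricata refused to load
        "nonfatal": Counter(),  # per-code counts that do not stop startup
        "fatal": Counter(),     # per-code counts that do
        "aborted": False,       # True once "Engine initialization failed" is seen
        "rules_loaded": None,
        "rules_failed": None,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        code, msg = rec["code"], rec["msg"]
        if code in NON_FATAL:
            report["nonfatal"][code] += 1
            # Only the "error parsing signature" line carries the rule text and its sid
            if msg.startswith("error parsing signature"):
                sid = SID_RE.search(msg)
                if sid:
                    report["dropped_sids"].append(int(sid.group(1)))
        elif code in FATAL:
            report["fatal"][code] += 1
            if code == "SC_ERR_INITIALIZATION":
                report["aborted"] = True
        loaded = LOADED_RE.search(msg)
        if loaded:
            report["rules_loaded"], report["rules_failed"] = map(int, loaded.groups())
    return report


def verdict(report):
    """One-line operator summary, carrying the hint that resolved this thread."""
    if report["aborted"] or report["fatal"]:
        hint = ""
        if "SC_ERR_POOL_INIT" in report["fatal"]:
            hint = " (pool allocation failed: raise the Stream Memory Cap, e.g. 64MB -> 128MB)"
        return "FATAL: engine did not start" + hint
    if report["dropped_sids"]:
        return "RUNNING with reduced coverage: %d rules not loaded" % len(report["dropped_sids"])
    return "RUNNING: all rules loaded"


# Constructed sample 1: rule-parse errors only (the shape of the first post's log).
SAMPLE_PARSE_ERRORS = """\
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE rule one"; content:"abc"; fast_pattern:only; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 1992
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
13/4/2016 -- 23:25:16 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE rule two"; file_data; content:"x"; http_header; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_60609_em2/rules/suricata.rules at line 2048
13/4/2016 -- 23:25:25 - <warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE rule three"; replace:"|00|"; sid:24098; rev:2;)
13/4/2016 -- 23:25:30 - <info> -- 2 rule files processed. 17000 rules successfully loaded, 2 rules failed
"""

# Constructed sample 2: clean rule load, then the pool/thread failures from PF64's log.
SAMPLE_STARTUP_ABORT = """\
14/4/2016 -- 20:12:21 - <info> -- 2 rule files processed. 17472 rules successfully loaded, 0 rules failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "Detect11" closed on initialization.
14/4/2016 -- 20:12:50 - <error> -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
"""

if __name__ == "__main__":
    for name, sample in (("parse errors", SAMPLE_PARSE_ERRORS), ("startup abort", SAMPLE_STARTUP_ABORT)):
        r = triage(sample)
        print(name, "->", verdict(r), "| dropped sids:", r["dropped_sids"])
```

Run it against a real /var/log/suricata/<iface_guid>/suricata.log by reading the file into `triage()`; a non-empty `dropped_sids` list is the set of rules that are silently not inspecting traffic.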
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  Darn it!  I thought I had the Stream Memory Cap default set large enough, but apparently not true in all situations.

                                  Bill

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.