OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: peterwkc on May 05, 2023, 10:11:13 am

Title: Suricata auto stop
Post by: peterwkc on May 05, 2023, 10:11:13 am

Dear all forumers, I have no idea why my suricata is not able to start after i press start button, it will automatically become stop after a while.

Below is the log:

Quote

2023-05-05T16:05:44   Error   suricata   [101034] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb1/R failed: Invalid argument
2023-05-05T16:04:23   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 2943   
2023-05-05T16:04:23   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5713   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5645   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_REGEX_MOD(131)] - unknown regex modifier 'K'   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5567   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 3769   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.   
2023-05-05T16:03:52   Error   suricata   [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 674

Can anyone pin point where is the error caused the process cannot be started? Thanks

Title: Re: Suricata auto stop
Post by: peterwkc on May 09, 2023, 05:11:25 am

Dear all, I had research about the error:
2023-05-05T16:05:44   Error   suricata   [101034] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb1/R failed: Invalid argument

This is related to netmap support in NIC when using Intel NIC.

I had sovled it with enable with one NIC only on external WAN NIC.