21.1 Legacy Series / Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 14, 2021, 12:01:33 pm »
I thought WAN has to be part of that, but is not logging/alerting. However it worked that way in the past.
I tried it with LAN only, results in the same behavior. However WAN was reachable so I was able to stop suricata via wireguard vpn
Nothing fancy here -.-:
Code:
Apr 14 11:53:24 OPNsense suricata[28570]: [100221] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 11:53:26 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1/R from igb1: 0x662f9cde000
Apr 14 11:53:27 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1^ from igb1^: 0x662f9cde300
Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1^ from igb1^: 0x66323dcf000
Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1/T from igb1: 0x66323dcf300
Apr 14 11:53:27 OPNsense suricata[28570]: [100221] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 11:57:37 OPNsense suricata[28570]: [100221] <Notice> -- Signal Received. Stopping engine.
Apr 14 11:58:38 OPNsense suricata[28570]: [100221] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine
Code:
igb1: link state changed to UP
igb1_vlan2: link state changed to UP
igb1_vlan3: link state changed to UP
igb0: link state changed to UP
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
tun0: link state changed to UP
tun0: changing name to 'wg0'
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pid 43540 (syslogd), jid 0, uid 0: exited on signal 11 (core dumped)
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
[HBSD SEGVGUARD] [/usr/local/sbin/syslogd (5818)] Suspension expired.
-> pid: 5818 ppid: 47253 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
pflog0: promiscuous mode disabled
Could this be related to "net.bpf.zerocopy_enable=1"?
EDIT: Even with Debug Logging enabled, it looks good.
Code:
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- CPUs/cores online: 4
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1 from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1^ from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'request-body-minimal-inspect-size' set to 33713 and 'request-body-inspect-window' set to 4276 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'response-body-minimal-inspect-size' set to 39729 and 'response-body-inspect-window' set to 16683 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- SMB stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus request flood protection level: 500
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for enip protocol.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for DNP3.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 1000 hosts of size 104
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Core dump size is unlimited.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Netmap: Setting IPS mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 65535 defrag trackers of size 128
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- defrag memory usage: 9961344 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- flow size 288, memcap allows for 466033 flows. Per hash row in perfect conditions 7
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "prealloc-sessions": 2048 (per thread)
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "memcap": 67108864
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "midstream" session pickups: disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "async-oneside": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "checksum-validation": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream."inline": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "bypass": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "max-synack-queued": 5
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "memcap": 268435456
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "depth": 1048576
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toserver-chunk-size": 2660
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toclient-chunk-size": 2480
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly.raw: enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "segment-prealloc": 2048
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- eve-log output device (regular) initialized: eve.json
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'alert'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'anomaly'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'drop'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- stats output device (regular) initialized: stats.log
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Syslog output initialized
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Delayed detect disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- pattern matchers: MPM: hs, SPM: hs
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toclient-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toserver-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: udp-whitelist (default) 53, 135, 5060
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- prefilter engines: MPM
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_client_body
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_enc
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_lang
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_referer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_connection
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.location
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header_name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dnp3_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.sni
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_issuer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_serial
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_fingerprint
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3s.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for smb_named_pipe
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_cname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_sname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.stat_msg
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for rfb.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.clientid
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.username
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.password
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willtopic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willmessage
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.message
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.subscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.unsubscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- IP reputation disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/OPNsense.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from OPNsense.rules.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/botcc.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/emerging-exploit.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/compromised.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-chrome.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-firefox.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-ie.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit-kit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.exploit.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.scan.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.scan.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-linux.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-mobile.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-windows.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 14 rule files processed. 3949 rules successfully loaded, 1 rules failed
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- Threshold config parsed: 0 rule(s) found
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-stream
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for other-ip
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 3949 signatures processed. 202 are IP-only rules, 389 are inspecting packet payload, 1365 inspect application layer, 0 are decoder event only
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- building signature grouping structure, stage 1: preprocessing rules... complete
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2024192 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2025195 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HB.Request.SI' is checked but not set. Checked in 2018378 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ttf' is checked but not set. Checked in 35523 and 17 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.mht' is checked but not set. Checked in 49799 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.exe' is checked but not set. Checked in 18405 and 183 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf' is checked but not set. Checked in 26539 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.emf' is checked but not set. Checked in 38773 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf' is checked but not set. Checked in 33272 and 2 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 25302 and 6 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.cws' is checked but not set. Checked in 24670 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 24669 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg' is checked but not set. Checked in 21510 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.elf' is checked but not set. Checked in 37435 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.lnk' is checked but not set. Checked in 45624 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.dat' is checked but not set. Checked in 40393 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 37277 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.application' is checked but not set. Checked in 36712 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls' is checked but not set. Checked in 35984 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toserver: 173 port groups, 83 unique SGH's, 90 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toclient: 52 port groups, 19 unique SGH's, 33 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toserver: 39 port groups, 20 unique SGH's, 19 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toclient: 9 port groups, 5 unique SGH's, 4 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toserver: 2 proto groups, 1 unique SGH's, 1 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toclient: 2 proto groups, 0 unique SGH's, 2 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Unique rule groups: 128
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP packet": 26
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP packet": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP stream": 65
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP stream": 16
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver UDP packet": 20
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient UDP packet": 5
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "other IP packet": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_uri (http)": 13
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_raw_uri (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_request_line (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_client_body (http)": 6
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_user_agent (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_stat_code (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver tls.sni (tls)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (dcerpc)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smtp)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (http2)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http2)": 10
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:33 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1/R from igb1: 0x4e4d53fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4d53fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1^
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4ea7fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1/T from igb1: 0x4e4ea7fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow manager threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow recycler threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Signal Received. Stopping engine.
Apr 14 12:59:55 OPNsense suricata[38494]: [100402] <Perf> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- time elapsed 21.392s
Apr 14 12:59:55 OPNsense suricata[38494]: [100414] <Perf> -- 52 flows processed
Apr 14 12:59:55 OPNsense suricata[38494]: [100390] <Perf> -- (W#01-igb1) Kernel: Packets 359, dropped 0, bytes 42618
Apr 14 12:59:55 OPNsense suricata[38494]: [100406] <Perf> -- (W#01-igb1^) Kernel: Packets 726, dropped 0, bytes 692065
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- Alerts: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- ippair memory usage: 382144 bytes, maximum: 16777216
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- cleaning up signature grouping structure... complete
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1': pkts: 359, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1^': pkts: 726, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Cleaning up Hyperscan global scratch
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Clearing Hyperscan database cache
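A small triage script for the Suricata syslog lines in this thread, added here as an example and not part of the original post or of OPNsense. It parses the `suricata[pid]: [tid] <Level> -- [ERRCODE: NAME(num)] - ...` format, pairs the unknown-keyword error with the signature it broke, and tells a failed stop (SC_ERR_FATAL "Killing engine" about 60 s after the stop signal) apart from a clean one; the two sample runs are constructed from the logs above (the long rule text is abbreviated).

```python
"""Triage Suricata syslog output as logged on OPNsense (suricata[pid] lines)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# One Suricata syslog line: "<ts> <host> suricata[<pid>]: [<tid>] <Level> -- <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ suricata\[(?P<pid>\d+)\]: "
    r"\[(?P<tid>\d+)\] <(?P<level>\w+)> -- (?P<msg>.*)$"
)
# Error/warning messages carry "[ERRCODE: NAME(num)] - detail"
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<name>[A-Z0-9_]+)\((?P<num>\d+)\)\] - (?P<detail>.*)$")
SIGFILE_RE = re.compile(r" from file (?P<file>\S+) at line (?P<line>\d+)$")
RULES_RE = re.compile(r"(?P<ok>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")
FLOWBIT_RE = re.compile(r"^flowbit '(?P<name>[^']+)' is checked but not set")
KEYWORD_RE = re.compile(r"^unknown rule keyword '(?P<kw>[^']+)'")


@dataclass
class Triage:
    started: bool = False
    stop_signalled: bool = False
    saw_final_stats: bool = False
    stop_seconds: Optional[int] = None      # "Signal Received" -> last line seen
    rules_loaded: Optional[int] = None
    rules_failed: Optional[int] = None
    fatal: list = field(default_factory=list)
    rule_errors: list = field(default_factory=list)     # (file, line, keyword-or-None)
    unset_flowbits: list = field(default_factory=list)
    by_level: Counter = field(default_factory=Counter)

    def verdict(self) -> str:
        if not self.started:
            return "never-started"
        if not self.stop_signalled:
            return "running"
        if self.fatal:
            return "killed"          # SC_ERR_FATAL after the stop signal, e.g. "Killing engine"
        return "clean-stop" if self.saw_final_stats else "stop-incomplete"


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None for lines that are not Suricata's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")   # no year in syslog ts
    e = ERRCODE_RE.match(rec["msg"])
    rec["errcode"] = e.group("name") if e else None
    rec["detail"] = e.group("detail") if e else rec["msg"]
    return rec


def triage(lines) -> Triage:
    t = Triage()
    pending_keyword = None       # the unknown-keyword error precedes the signature error
    signal_at = last_at = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        last_at = rec["when"]
        t.by_level[rec["level"]] += 1
        msg, detail, code = rec["msg"], rec["detail"], rec["errcode"]
        if msg.endswith("engine started."):
            t.started = True
        elif msg == "Signal Received. Stopping engine.":
            t.stop_signalled, signal_at = True, rec["when"]
        elif msg.startswith("Stats for '"):
            t.saw_final_stats = True             # per-interface stats only print on a clean stop
        elif (r := RULES_RE.search(msg)):
            t.rules_loaded, t.rules_failed = int(r["ok"]), int(r["failed"])
        if code == "SC_ERR_FATAL":
            t.fatal.append(detail)
        elif code == "SC_ERR_RULE_KEYWORD_UNKNOWN":
            k = KEYWORD_RE.match(detail)
            pending_keyword = k["kw"] if k else None
        elif code == "SC_ERR_INVALID_SIGNATURE":
            f = SIGFILE_RE.search(detail)
            if f:
                t.rule_errors.append((f["file"], int(f["line"]), pending_keyword))
            pending_keyword = None
        elif code == "SC_WARN_FLOWBIT":
            fb = FLOWBIT_RE.match(detail)
            if fb:
                t.unset_flowbits.append(fb["name"])
    if signal_at is not None and last_at is not None:
        t.stop_seconds = int((last_at - signal_at).total_seconds())
    return t


# Constructed samples taken from the two runs posted above (first run abbreviated).
KILLED_RUN = """\
Apr 14 11:53:24 OPNsense suricata[28570]: [100221] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 11:53:27 OPNsense suricata[28570]: [100221] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 11:57:37 OPNsense suricata[28570]: [100221] <Notice> -- Signal Received. Stopping engine.
Apr 14 11:58:38 OPNsense suricata[28570]: [100221] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine
""".splitlines()
CLEAN_RUN = """\
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ..."; http_raw_cookie; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 14 rule files processed. 3949 rules successfully loaded, 1 rules failed
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Signal Received. Stopping engine.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1': pkts: 359, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Cleaning up Hyperscan global scratch
""".splitlines()

if __name__ == "__main__":
    for name, run in (("killed", KILLED_RUN), ("clean", CLEAN_RUN)):
        t = triage(run)
        print(f"{name}: verdict={t.verdict()} stop_seconds={t.stop_seconds} "
              f"rules={t.rules_loaded}/{t.rules_failed} rule_errors={t.rule_errors} "
              f"fatal={t.fatal} levels={dict(t.by_level)}")
```

Feeding the whole of /var/log/suricata.log through `triage()` gives one verdict per restart; split the file on the "This is Suricata version" banner first if it holds several runs.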