OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« previous next »
  • Print
Pages: [1]

Author Topic: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing  (Read 6730 times)

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
[Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 01, 2021, 07:35:01 pm »
Hello,
thanks for the update to 21.1.4 and Suricata 6.x on Devel.

Suricata does not want to start after the update.

The log shows:
Code: [Select]
2021-04-01T18:34:09 root[7389] /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Manual start shows:
Code: [Select]
1/4/2021 -- 19:31:36 - <Info> - Including configuration file installed_rules.yaml.
1/4/2021 -- 19:31:36 - <Info> - Configuration node 'rule-files' redefined.
1/4/2021 -- 19:31:36 - <Info> - Including configuration file custom.yaml.
./suricata: WARNING: failed to start suricata
Code: [Select]
OPNsense 21.7.a_314-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
LibreSSL 3.2.5
Trying to investigate further or does it simply require a reinstall?

EDIT: Looks like Hyperscan support is missing with this build.


Code: [Select]
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.

Recompiling /usr/ports/opnsense/suricata-devel
« Last Edit: April 01, 2021, 08:06:10 pm by XeroX »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: Suricata 6.0 with 21.1.4 does not start
« Reply #1 on: April 01, 2021, 07:43:29 pm »
Does it work if you install it manually?

# pkg install hyperscan


Cheers,
Franco
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #2 on: April 01, 2021, 07:44:57 pm »
Currently recompilng suricata-devel. Hyperscan is not ticked in default. Hyperscan itself is installed.

Proof:
Code: [Select]
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
« Last Edit: April 01, 2021, 07:46:42 pm by XeroX »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #3 on: April 01, 2021, 07:47:19 pm »
Ah no sorry, my bad:

https://github.com/opnsense/tools/commit/6e84a3328

So far we are in no rush to ship version 6.


Thank you,
Franco
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #4 on: April 01, 2021, 07:49:52 pm »
No worries :) I like bleeding edge so I've to live with that and help to find the bugs before others do :P

Was really suprised noone posted this yet.

Will give feedback in a minute.

EDIT: I think this will take some hours...i3-5020 is not the fastest compiling rust.
« Last Edit: April 01, 2021, 08:04:14 pm by XeroX »
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #5 on: April 02, 2021, 03:50:24 pm »
So after hours of compiling, it does not work for me. Suricata kills all my network connections. Nothing fancy in the logs:
Code: [Select]
Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1/R from igb1: 0x3a3abb1a000
Apr  2 15:21:43 OPNsense suricata[31904]: [100315] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3abb1a300
Apr  2 15:21:43 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1^ from igb1^: 0x3a3c247b000
Apr  2 15:21:44 OPNsense suricata[31904]: [101293] <Notice> -- opened netmap:igb1/T from igb1: 0x3a3c247b300
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x3a3ecd66000
Apr  2 15:21:44 OPNsense suricata[31904]: [101296] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a3ecd66300
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x3a401dfc000
Apr  2 15:21:44 OPNsense suricata[31904]: [101328] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x3a401dfc300
Apr  2 15:21:44 OPNsense suricata[31904]: [100851] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
Apr  2 15:22:58 OPNsense suricata[31904]: [100851] <Notice> -- rule reload starting
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr  2 15:23:00 OPNsense suricata[31904]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100

I was able to connect on startup and kill suricata quickly.

Additionally I contributed to FreeBSD updating Hyperscan to 5.4.0.
« Last Edit: April 02, 2021, 04:11:48 pm by XeroX »
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #6 on: April 11, 2021, 06:15:39 pm »
Can't get this to run. Maybe a problem with compiling on a small system.

@franco
When will be the next push/recompile for the dev version so I can investigate further?

Beside that I submitted Hyperscan 5.4.0 to FreeBSD Ports.

https://www.freshports.org/devel/hyperscan/
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #7 on: April 11, 2021, 07:37:42 pm »
I'll upload a snapshot for LibreSSL tomorrow. Already included the hyperscan update. Thanks!
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #8 on: April 12, 2021, 09:59:30 am »
This is for LibreSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/libressl/All/hyperscan-5.4.0.txz
# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/libressl/All/suricata-devel-6.0.2.txz


Cheers,
Franco
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #9 on: April 14, 2021, 01:11:08 am »
Thank you franco.

So I can't find out what the issue here. I loose the connection pretty perfect after 3 minutes of uptime. Nothing in the logs, nothing in suricata log. Suricata is running like 2 minutes+ then roughly 30 seconds after system is up.

Shutting down the system via "short press of power button" takes like 1-2 minutes, then I'm able to ping the system again before full shutdown (as suricata shutdown seems close to system shutdown).

5 x Intel i211AT (2 plugged in)
2 x VLANs (not mapped in suricata of course)

Code: [Select]
2021-04-14T01:03:14 suricata[59758] [100259] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine
2021-04-14T01:02:13 suricata[59758] [100259] <Notice> -- Signal Received. Stopping engine.
2021-04-14T00:59:57 suricata[59758] [100259] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0/T from pppoe0: 0x753e7ffc300
2021-04-14T00:59:57 suricata[59758] [100336] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753e7ffc000
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0^ from pppoe0^: 0x753d2db1300
2021-04-14T00:59:57 suricata[59758] [100329] <Notice> -- opened netmap:pppoe0/R from pppoe0: 0x753d2db1000
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1/T from igb1: 0x753933fc300
2021-04-14T00:59:57 suricata[59758] [100327] <Notice> -- opened netmap:igb1^ from igb1^: 0x753933fc000
2021-04-14T00:59:57 suricata[59758] [100316] <Notice> -- opened netmap:igb1^ from igb1^: 0x7537e3d3300
2021-04-14T00:59:56 suricata[59758] [100316] <Notice> -- opened netmap:igb1/R from igb1: 0x7537e3d3000
system.log
Code: [Select]
Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode disabled
Apr 14 00:59:55 OPNsense kernel: pflog0: promiscuous mode enabled
Apr 14 00:59:55 OPNsense kernel: OK
Apr 14 00:59:56 OPNsense kernel: igb1: permanently promiscuous mode enabled
Apr 14 00:59:56 OPNsense kernel: igb1: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan2: link state changed to DOWN
Apr 14 00:59:56 OPNsense kernel: igb1_vlan3: link state changed to DOWN
Apr 14 00:59:57 OPNsense opnsense-devel[61802]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense opnsense-devel[25342]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(opt3) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: 797.304698 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.313687 [1035] generic_netmap_dtor       Emulated netmap adapter for pppoe0 destroyed
Apr 14 00:59:57 OPNsense kernel: pppoe0: permanently promiscuous mode enabled
Apr 14 00:59:57 OPNsense kernel: 797.324028 [1130] generic_netmap_attach     Emulated adapter for pppoe0 created (prev was NULL)
Apr 14 00:59:57 OPNsense kernel: 797.333117 [ 320] generic_netmap_register   Emulated adapter for pppoe0 activated
Apr 14 00:59:57 OPNsense opnsense-devel[61189]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXXX(opt6) but ignoring since interface is configured with static IP (XXXXXXXX ::)
Apr 14 00:59:57 OPNsense kernel: SHA256 12 23 34 56 78 AA BB CC DD EE FF AA EE AA EE
Apr 14 01:00:01 OPNsense kernel: igb1: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan2: link state changed to UP
Apr 14 01:00:01 OPNsense kernel: igb1_vlan3: link state changed to UP
Apr 14 01:00:01 OPNsense opnsense-devel[40612]: /usr/local/etc/rc.linkup: Hotplug event detected for XXXXXX(lan) but ignoring since interface is configured with static IP (XXXXXXX ::)
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: /usr/local/etc/rc.newwanip: On (IP address: XXXXXX) (interface: XXXXX[lan]) (real interface: igb1).
Apr 14 01:00:01 OPNsense opnsense-devel[16932]: plugins_configure hosts ()
« Last Edit: April 14, 2021, 01:21:19 am by XeroX »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #10 on: April 14, 2021, 08:37:14 am »
I thought the PPPoE itself was odd because that never worked with IPS. Can you try without that?


Cheers,
Franco
Logged

XeroX

  • Full Member
  • ***
  • Posts: 114
  • Karma: 7
    • View Profile
Re: [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« Reply #11 on: April 14, 2021, 12:01:33 pm »
I thought WAN has to be part of that, but is not logging/alerting. However it worked that way in the past.

I tried it with LAN only, results in the same behavior. However WAN was reachable so I was able to stop suricata via wireguard vpn :)

Nothing fancy here -.-:
Code: [Select]
27 Apr 14 11:53:24 OPNsense suricata[28570]: [100221] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
 28 Apr 14 11:53:26 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1/R from igb1: 0x662f9cde000
 29 Apr 14 11:53:27 OPNsense suricata[28570]: [101286] <Notice> -- opened netmap:igb1^ from igb1^: 0x662f9cde300
 30 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1^ from igb1^: 0x66323dcf000
 31 Apr 14 11:53:27 OPNsense suricata[28570]: [101296] <Notice> -- opened netmap:igb1/T from igb1: 0x66323dcf300
 32 Apr 14 11:53:27 OPNsense suricata[28570]: [100221] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
 33 Apr 14 11:57:37 OPNsense suricata[28570]: [100221] <Notice> -- Signal Received.  Stopping engine.
 34 Apr 14 11:58:38 OPNsense suricata[28570]: [100221] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#01-igb1". Killing engine

Code: [Select]
187 igb1: link state changed to UP
188 igb1_vlan2: link state changed to UP
189 igb1_vlan3: link state changed to UP
190 igb0: link state changed to UP
191 pflog0: promiscuous mode enabled
192 pflog0: promiscuous mode disabled
193 pflog0: promiscuous mode enabled
194 pflog0: promiscuous mode disabled
195 pflog0: promiscuous mode enabled
196 pflog0: promiscuous mode disabled
197 pflog0: promiscuous mode enabled
198 tun0: link state changed to UP
199 tun0: changing name to 'wg0'
200 pflog0: promiscuous mode disabled
201 pflog0: promiscuous mode enabled
202 pflog0: promiscuous mode disabled
203 pflog0: promiscuous mode enabled
204 pid 43540 (syslogd), jid 0, uid 0: exited on signal 11 (core dumped)
205 pflog0: promiscuous mode disabled
206 pflog0: promiscuous mode enabled
207 pflog0: promiscuous mode disabled
208 pflog0: promiscuous mode enabled
209 [HBSD SEGVGUARD] [/usr/local/sbin/syslogd (5818)] Suspension expired.
210  -> pid: 5818 ppid: 47253 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
211 pflog0: promiscuous mode disabled


Could this be releated to "net.bpf.zerocopy_enable=1" ?

EDIT: Even with Debug Logging enabled, it looks good.

Code: [Select]
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- CPUs/cores online: 4
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1 from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Adding interface igb1^ from config file
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'request-body-minimal-inspect-size' set to 33713 and 'request-body-inspect-window' set to 4276 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- 'default' server has 'response-body-minimal-inspect-size' set to 39729 and 'response-body-inspect-window' set to 16683 after randomization.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- SMB stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus request flood protection level: 500
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Modbus stream depth: 0
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for enip protocol.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Protocol detection and parser disabled for DNP3.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Found an MTU of 1500 for 'igb1'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 1000 hosts of size 104
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Core dump size is unlimited.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Netmap: Setting IPS mode
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- preallocated 65535 defrag trackers of size 128
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- defrag memory usage: 9961344 bytes, maximum: 33554432
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- flow size 288, memcap allows for 466033 flows. Per hash row in perfect conditions 7
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "prealloc-sessions": 2048 (per thread)
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "memcap": 67108864
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "midstream" session pickups: disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "async-oneside": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "checksum-validation": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream."inline": enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "bypass": disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream "max-synack-queued": 5
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "memcap": 268435456
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "depth": 1048576
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toserver-chunk-size": 2660
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "toclient-chunk-size": 2480
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly.raw: enabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- stream.reassembly "segment-prealloc": 2048
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- eve-log output device (regular) initialized: eve.json
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'alert'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'anomaly'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- enabling 'eve-log' module 'drop'
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- stats output device (regular) initialized: stats.log
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Info> -- Syslog output initialized
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Delayed detect disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- pattern matchers: MPM: hs, SPM: hs
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toclient-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- toserver-groups 1024
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- grouping: udp-whitelist (default) 53, 135, 5060
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- prefilter engines: MPM
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_client_body
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_header_names
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_enc
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_accept_lang
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_referer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_connection
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_len
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_content_type
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http.location
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_start
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_cookie
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file.magic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http_raw_host
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header_name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for http2_header
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dnp3_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.sni
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_issuer
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_serial
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tls.cert_fingerprint
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ja3s.hash
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for dce_stub_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for smb_named_pipe
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.proto
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh_software
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ssh.hassh.server.string
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for file_data
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_cname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for krb5_sname
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.uri
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.protocol
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.method
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.stat_msg
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.request_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for sip.response_line
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for rfb.name
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for snmp.community
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.clientid
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.username
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.password
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willtopic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.connect.willmessage
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.publish.message
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.subscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for mqtt.unsubscribe.topic
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for icmpv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv4.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for ipv6.hdr
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- IP reputation disabled
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/OPNsense.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from OPNsense.rules.
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/botcc.rules
Apr 14 12:59:29 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/emerging-exploit.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/compromised.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-chrome.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-firefox.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.browser-ie.rules
Apr 14 12:59:30 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit-kit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.exploit.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.exploit.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.scan.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- No rules loaded from snort_vrt.scan.rules.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 100
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-linux.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-mobile.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- Loading rule file: /usr/local/etc/suricata/opnsense.rules/snort_vrt.os-windows.rules
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 14 rule files processed. 3949 rules successfully loaded, 1 rules failed
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- Threshold config parsed: 0 rule(s) found
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for tcp-stream
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for udp-packet
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- using shared mpm ctx' for other-ip
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Info> -- 3949 signatures processed. 202 are IP-only rules, 389 are inspecting packet payload, 1365 inspect application layer, 0 are decoder event only
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Config> -- building signature grouping structure, stage 1: preprocessing rules... complete
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2024192 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2025195 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HB.Request.SI' is checked but not set. Checked in 2018378 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ttf' is checked but not set. Checked in 35523 and 17 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.mht' is checked but not set. Checked in 49799 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.exe' is checked but not set. Checked in 18405 and 183 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf' is checked but not set. Checked in 26539 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.emf' is checked but not set. Checked in 38773 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf' is checked but not set. Checked in 33272 and 2 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 25302 and 6 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.cws' is checked but not set. Checked in 24670 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 24669 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jpeg' is checked but not set. Checked in 21510 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.elf' is checked but not set. Checked in 37435 and 3 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.lnk' is checked but not set. Checked in 45624 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.dat' is checked but not set. Checked in 40393 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 37277 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.application' is checked but not set. Checked in 36712 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls' is checked but not set. Checked in 35984 and 1 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.otf' is checked but not set. Checked in 35719 and 0 other sigs
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toserver: 173 port groups, 83 unique SGH's, 90 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- TCP toclient: 52 port groups, 19 unique SGH's, 33 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toserver: 39 port groups, 20 unique SGH's, 19 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- UDP toclient: 9 port groups, 5 unique SGH's, 4 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toserver: 2 proto groups, 1 unique SGH's, 1 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- OTHER toclient: 2 proto groups, 0 unique SGH's, 2 copies
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Unique rule groups: 128
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP packet": 26
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP packet": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver TCP stream": 65
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient TCP stream": 16
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toserver UDP packet": 20
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "toclient UDP packet": 5
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- Builtin MPM "other IP packet": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_uri (http)": 13
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_raw_uri (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_request_line (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_client_body (http)": 6
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_header (http)": 8
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_content_type (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_start (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver http_user_agent (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient http_stat_code (http)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver tls.sni (tls)": 1
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient dce_stub_data (smb)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver dce_stub_data (dcerpc)": 2
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smtp)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (smb)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toserver file_data (http2)": 10
Apr 14 12:59:31 OPNsense suricata[38494]: [100355] <Perf> -- AppLayer MPM "toclient file_data (http2)": 10
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1
Apr 14 12:59:33 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:33 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1/R from igb1: 0x4e4d53fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100390] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4d53fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Perf> -- Using 1 threads for interface igb1^
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Info> -- Going to use 1 thread(s)
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1^ from igb1^: 0x4e4ea7fc000
Apr 14 12:59:34 OPNsense suricata[38494]: [100406] <Notice> -- opened netmap:igb1/T from igb1: 0x4e4ea7fc300
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow manager threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Config> -- using 1 flow recycler threads
Apr 14 12:59:34 OPNsense suricata[38494]: [100355] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Signal Received.  Stopping engine.
Apr 14 12:59:55 OPNsense suricata[38494]: [100402] <Perf> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- time elapsed 21.392s
Apr 14 12:59:55 OPNsense suricata[38494]: [100414] <Perf> -- 52 flows processed
Apr 14 12:59:55 OPNsense suricata[38494]: [100390] <Perf> -- (W#01-igb1) Kernel: Packets 359, dropped 0, bytes 42618
Apr 14 12:59:55 OPNsense suricata[38494]: [100406] <Perf> -- (W#01-igb1^) Kernel: Packets 726, dropped 0, bytes 692065
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- Alerts: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- ippair memory usage: 382144 bytes, maximum: 16777216
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- host memory usage: 366144 bytes, maximum: 33554432
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Info> -- cleaning up signature grouping structure... complete
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1':  pkts: 359, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Notice> -- Stats for 'igb1^':  pkts: 726, drop: 0 (0.00%), invalid chksum: 0
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Cleaning up Hyperscan global scratch
Apr 14 12:59:55 OPNsense suricata[38494]: [100355] <Perf> -- Clearing Hyperscan database cache
« Last Edit: April 14, 2021, 01:04:47 pm by XeroX »
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2