Issues with Suricata 1.0.1

I installed Suricata from ports, but Suricata always dies without reason after one or two hours.

I googled but found nothing close.

Here is what I got on the console:

Code:
[100201] 27/12/2010 -- 14:34:23 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
parsing "http" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 
33243 and dst port 80
Assertion failed: (!(sm->next == ((void *)0))), function DoInspectPacketPayload, file detect-engine-payload.c, line 212.

My sysctl.conf:

Code:
kern.maxfiles=49312
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
net.bpf.zerocopy_enable=1

My dmesg is next.

Any idea?
 
And my dmesg output:

Code:
FreeBSD 8.1-RELEASE-p2 #1: Tue Dec 21 11:01:31 EST 2010
    root@MyBox:/usr/obj/usr/src/sys/GENERIC i386
 
This is a problem in Suricata with certain rules. If possible update to 1.1 beta 1, or apply the attached patch.
 

Attachments: bug-on.patch (1,012 bytes)
inliniac said:
This is a problem in Suricata with certain rules. If possible update to 1.1 beta 1, or apply the attached patch.

I have used only Emerging Threats Suricata rules so far, and I posted on this forum first to see how many persons are affected by this.

Anyway, I built Suricata 1.1 beta and got it to run on my notebook.

I will let you know in a couple of days how things are going.

Thanks for your help.
 
Update:

Still many "ERRCODE: SC_ERR_ALPARSER(59)" errors, such as:

Code:
[100288] 29/12/2010 -- 00:18:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"tls" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 21511 and 
dst port 443
[100288] 29/12/2010 -- 00:20:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"tls" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 50937 and 
dst port 443
[100288] 29/12/2010 -- 00:23:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"tls" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 45761 and 
dst port 443
[100288] 29/12/2010 -- 00:23:17 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"http" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 20235 
and dst port 80
[100288] 29/12/2010 -- 00:23:36 - (app-layer-htp.c:503) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP 
server response: [1] [htp_response.c] [671] Unable to match response to request
[100288] 29/12/2010 -- 00:23:36 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"http" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 64361 
and dst port 80
[100288] 29/12/2010 -- 00:24:04 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing 
"tls" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 34608 and 
dst port 443
 
Update:

No problem so far with Suricata 1.1 beta except for the [ERRCODE: SC_ERR_ALPARSER(59)] messages.

I don't know whether or not it is related to the way Suricata handles the rules. I did note, however, that Suricata reported a lot of "http app layer protocol" errors before crashing, at least many more than it does now.
 
I'm testing the tcpdump DARPA datasets, which have known attacks; however, when Suricata reads them, I get so many errors, such as the one below. This has to do with the rules, which seem not to be fully compatible with Suricata 1.0.0.

I tried Snort rules 2.8.5.3 and 2.9.0.2, and also the Emerging Threats rules, getting a bunch of errors.

I don't mind fixing a couple of signatures, but I got hundreds of errors.

Code:
[29697] 3/2/2011 -- 13:11:04 - (detect-http-uri.c:115) <Warning> (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri 
cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"BACKDOOR w32.loosky.gen@mm runtime detection - notification"; flow:to_server,established; content:"/synctl/ping.pl"; 
fast_pattern; nocase; http_uri; content:"ip="; nocase; http_uri; content:"speed="; nocase; http_uri; metadata:policy security-ips drop; 
reference:url,www.sophos.com/virusinfo/analyses/w32looskyl.html; classtype:trojan-activity; sid:6474; rev:5;)
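The SC_ERR_ALPARSER flood in the updates above and the SC_WARN_COMPATIBILITY rule warnings in the last post share the same Suricata 1.0.x console line layout. As an added example that is not part of this thread or of Suricata itself, the Python below parses that layout (after rejoining records the forum wrapped over several lines) and reduces a long log to counts per error code and per app-layer protocol, plus the rule sids that need attention; the sample lines are constructed after the ones quoted here, with the IPs left masked.

```python
import re
from collections import Counter

# Suricata 1.0.x console log layout as quoted in this thread:
#   [pid] d/m/yyyy -- HH:MM:SS - (file.c:line) <Level> (Func) -- [ERRCODE: NAME(n)] - message
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<date>\S+) -- (?P<time>\S+) - \((?P<src>[^)]+)\) "
                     r"<(?P<level>\w+)> \((?P<func>\w+)\) -- \[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")
PROTO_RE = re.compile(r'parsing "(?P<proto>\w+)" app layer protocol')
SID_RE = re.compile(r"\bsid:(?P<sid>\d+);")

# Constructed sample modelled on the thread's lines; the forum wrapped each record over several lines.
SAMPLE = """\
[100288] 29/12/2010 -- 00:18:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"tls" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 21511 and dst port 443
[100288] 29/12/2010 -- 00:23:17 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
"http" app layer protocol, using network protocol 6, source IP address xxx.xxx.xxx.xxx, destination IP address xxx.xxx.xxx.xxx, src port 20235 and dst port 80
[29697] 3/2/2011 -- 13:11:04 - (detect-http-uri.c:115) <Warning> (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri
cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR sample"; flow:to_server,established; content:"/synctl/ping.pl"; fast_pattern; nocase; http_uri; sid:6474; rev:5;)
"""

def join_wrapped(text):
    """Rejoin wrapped records: a new record starts only at a "[pid] " prefix."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if re.match(r"\[\d+\] ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_record(record):
    """Split one record into its fields; None if it is not an ERRCODE line."""
    m = LINE_RE.match(record)
    if not m:
        return None
    rec = m.groupdict()
    pm, sm = PROTO_RE.search(rec["msg"]), SID_RE.search(rec["msg"])
    rec["proto"] = pm.group("proto") if pm else None  # set only for app-layer parse errors
    rec["sid"] = int(sm.group("sid")) if sm else None  # set only when the message quotes a rule
    return rec

def triage(text):
    """Counts per ERRCODE and per app-layer protocol, plus the sids that raised a rule warning."""
    by_code, by_proto, sids = Counter(), Counter(), {}
    for rec in filter(None, map(parse_record, join_wrapped(text))):
        by_code[rec["code"]] += 1
        if rec["proto"]:
            by_proto[rec["proto"]] += 1
        if rec["sid"] is not None:
            sids[rec["sid"]] = rec["code"]
    return by_code, by_proto, sids
```

Run `triage()` over the real console log (one record per line there, so `join_wrapped` is a no-op) to see which protocols and which sids account for the bulk of the noise before touching any signature.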
 