[SOLVED] Suricata - Cron Daemon Error

Today I made the latest updates for NS 7b2:

Sep 30 14:06:55 Updated: nethserver-base-3.0.9-1.ns7.noarch
Sep 30 14:06:56 Updated: 1:openssl-libs-1.0.1e-51.el7_2.7.x86_64
Sep 30 14:06:57 Updated: nethserver-firewall-base-3.1.0-1.ns7.noarch
Sep 30 14:06:57 Updated: 32:bind-license-9.9.4-29.el7_2.4.noarch
Sep 30 14:06:58 Updated: 32:bind-libs-9.9.4-29.el7_2.4.x86_64
Sep 30 14:07:20 Installed: kernel-lt-4.4.22-1.el7.elrepo.x86_64
Sep 30 14:07:41 Updated: kmod-xt_ndpi-1.0.0-1.ns7.x86_64
Sep 30 14:07:41 Updated: nethserver-lang-en-1.1.4-1.ns7.noarch
Sep 30 14:07:44 Updated: nethserver-httpd-admin-2.0.3-1.ns7.noarch
Sep 30 14:07:44 Updated: nethserver-ndpi-1.0.0-1.ns7.noarch
Sep 30 14:07:45 Updated: 32:bind-utils-9.9.4-29.el7_2.4.x86_64
Sep 30 14:07:45 Updated: 32:bind-libs-lite-9.9.4-29.el7_2.4.x86_64
Sep 30 14:07:46 Updated: nethserver-firewall-base-ui-3.1.0-1.ns7.noarch
Sep 30 14:07:47 Updated: nethserver-openvpn-1.4.1-1.ns7.noarch
Sep 30 14:07:47 Updated: 1:openssl-1.0.1e-51.el7_2.7.x86_64
Sep 30 14:07:48 Updated: nethserver-pulledpork-2.0.0-1.ns7.noarch
Sep 30 14:07:50 Updated: squidGuard-1.4-26.1.ns7.x86_64

One of the updates (nethserver-pulledpork-2.0.0-1.ns7.noarch), has replaced Snort with Suricata.

The following error has occurred:

1 Like

Thanks for reporting this! @giacomo @filippo_carletti did you catch it yet?

Sorry, but I can’t reproduce the problem.

I’ve installed following packages:
nethserver-pulledpork-2.0.0-1.ns7.noarch
nethserver-suricata-1.0.0-1.ns7.noarch
pulledpork-0.7.2-1.ns7.noarch

1 Like

I removed and then I reinstalled all the above packages.
No issues after that.

Thank you Giacomo!

1 Like

I reinstalled suricata according to the above instructions.
Suricata does not start unless I change mpm-algo in /etc/suricata/suricata.yaml from “auto” to “ac-bs” for example. “auto” returns an error. But this file shall not be modified manually. So, where can I change this permanently?

Moreover Suricata starts with many error messages like
9/10/2016 -- 17:46:49 - - This is Suricata version 3.0 RELEASE
9/10/2016 -- 17:46:49 - - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - LIBHTP Ignoring unknown default config: response-body-decompress-layer-limit
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/suricata.rules at line 1452

Any ideas?

AFAIK, mpm-algo can’t break suricata.
Some error messages are “normal”, they don’t prevent suricata from running, they only highlight some problems with rules.
Unfortunately, I can’t reproduce your problem with the above information.
And I have no clue on what the problem may be.
Are you sure that suricata is not running? See the Services page.

Hi,

I agree with @filippo_carletti .
I also have some kind of “errors” like yours in my log files:

6/10/2016 -- 11:37:29 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; http_client_body; content:"&admin="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&hid="; distance:0; http_client_body; content:"&arc="; distance:0; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:1;)" from file /etc/suricata/rules/suricata.rules at line 2975
6/10/2016 -- 11:37:29 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
6/10/2016 -- 11:37:29 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /etc/suricata/rules/suricata.rules at line 2976
6/10/2016 -- 11:37:29 - - all 6 packet processing threads, 4 management threads initialized, engine started.

Did you reboot NS after installing the rpms?

With mpm-algo=auto Suricata stops immediately after starting. The log says:
" - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "auto""
If I manually change “auto” to something else, suricata starts (logging the said error messages) but keeps running.
Which suricata version do you use? From which repo?

suricata-3.1.2-1.el7.x86_64 from EPEL.

From yum.log:

Oct 04 22:40:52 Erased: nethserver-snort-1.1.0-1.ns7.noarch
Oct 04 22:51:14 Installed: libnet-1.1.6-7.el7.x86_64
Oct 04 22:51:14 Installed: GeoIP-1.5.0-9.el7.x86_64
Oct 04 22:51:15 Installed: jansson-2.4-6.el7.x86_64
Oct 04 22:51:15 Installed: libyaml-0.1.4-11.el7_0.x86_64
Oct 04 22:51:19 Installed: suricata-3.1.2-1.el7.x86_64
Oct 04 22:51:19 Installed: nethserver-suricata-1.0.0-1.ns7.noarch

EDIT:

yum --enablerepo=nethserver-testing install nethserver-suricata-1.0.0-1.ns7.noarch

Maybe that’s the point. I have suricata-3.0-0.1.el7.x86_64 installed.
How do I get your version? With wget? Or can I activate a repo so that suricata is updated automatically?

Got it already.

Now the mpm-algo problem is solved. But when suricata starts I get this:
9/10/2016 -- 19:34:02 - - This is Suricata version 3.1.2 RELEASE
9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed

The permissions of all log files are 644.

Did you reboot NS?

@rasi, I think you need to tell us what you did. Why did you have a different suricata version? How did you update?
Try to configure IPS from the server-manager web interface, it may fix your errors.

Meanwhile everything is alright, so far. Since suricata is not in the nethserver repo I had installed it with wget according to an earlier thread. That’s how I got the older version.
After activating the epel repo suricata was updated to the correct version which accepts mpm-algo=auto. At last I found out that the log files must be owned by suricata which is new as well. Before root was the owner.

Thanks for your help!

3 Likes
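The thread hinges on telling the two kinds of Suricata startup messages apart: the SC_ERR_INVALID_SIGNATURE lines are per-rule parse warnings the engine survives, while SC_ERR_INVALID_YAML_CONF_ENTRY (mpm-algo "auto" on 3.0) and SC_ERR_FOPEN (log files owned by root) stop it before "engine started" ever appears. The triage script below is an added example, not NethServer or Suricata code; the fatal/warning code sets are my own classification drawn from this thread's logs, and the sample log lines are constructed (abbreviated) copies of the ones posted above.

```python
"""Triage a Suricata startup log: fatal engine errors vs rule-parse warnings."""
import re

# Codes that, in this thread, stopped the engine before it processed traffic.
FATAL_CODES = {
    "SC_ERR_INVALID_YAML_CONF_ENTRY",  # mpm-algo "auto" rejected by Suricata 3.0
    "SC_ERR_FOPEN",                    # fast.log / eve.json not writable
    "SC_ERR_INVALID_ARGUMENT",         # follows SC_ERR_FOPEN: output module setup failed
}
# Codes that only mean one rule was skipped; the engine still starts.
RULE_CODES = {"SC_ERR_INVALID_SIGNATURE", "SC_ERR_UNKNOWN_VALUE"}

ERR_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)")
RULE_LOC_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")


def parse_errors(lines):
    """Return (code, message) pairs for every ERRCODE entry in the log."""
    return [(m.group("code"), m.group("msg"))
            for m in (ERR_RE.search(line) for line in lines) if m]


def triage(lines):
    """Summarise a startup log: did the engine start, what killed it, which rules failed."""
    errors = parse_errors(lines)
    fatal = [(c, m) for c, m in errors if c in FATAL_CODES]
    # Rule file and line number of every signature Suricata refused to load.
    skipped_rules = sorted({(loc.group("file"), int(loc.group("line")))
                            for c, m in errors if c in RULE_CODES
                            for loc in [RULE_LOC_RE.search(m)] if loc})
    return {
        "engine_started": any("engine started" in line for line in lines),
        "fatal": fatal,
        "rule_warnings": sum(1 for c, _ in errors if c in RULE_CODES),
        "skipped_rules": skipped_rules,
        "unknown_codes": sorted({c for c, _ in errors if c not in FATAL_CODES | RULE_CODES}),
    }


# Constructed from the log excerpts in this thread (signature text abbreviated).
LOG_PERMISSION_DENIED = [
    "9/10/2016 -- 19:34:02 - - This is Suricata version 3.1.2 RELEASE",
    '9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied',
    "9/10/2016 -- 19:34:10 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed",
]
LOG_HEALTHY = [
    '6/10/2016 -- 11:37:29 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp ..." from file /etc/suricata/rules/suricata.rules at line 2975',
    '6/10/2016 -- 11:37:29 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.',
    "6/10/2016 -- 11:37:29 - - all 6 packet processing threads, 4 management threads initialized, engine started.",
]

if __name__ == "__main__":
    for name, log in (("permission denied", LOG_PERMISSION_DENIED), ("healthy", LOG_HEALTHY)):
        print(name, triage(log))
```

A non-empty `fatal` list with `engine_started` False is the case to act on (fix the config value or the ownership of /var/log/suricata); `rule_warnings` alone, with `engine_started` True, is the "normal" noise @filippo_carletti describes.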

Thanks for the feedback.