I reinstalled suricata according to the above instructions.
Suricata does not start unless I change mpm-algo in /etc/suricata/suricata.yaml from "auto" to "ac-bs" for example. "auto" returns an error. But this file shall not be modified manually. So, where can I change this permanently?
Moreover Suricata starts with many error messages like
9/10/2016 -- 17:46:49 - - This is Suricata version 3.0 RELEASE
9/10/2016 -- 17:46:49 - - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - LIBHTP Ignoring unknown default config: response-body-decompress-layer-limit
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/suricata.rules at line 1452
AFAIK, mpm-algo can’t break suricata.
Some error messages are “normal”, they don’t prevent suricata from running, they only highlight some problems with rules.
Unfortunately, I can’t reproduce your problem with the above information.
And I have no clue on what the problem may be.
Are you sure that suricata is not running? See the Services page.
With mpm-algo=auto Suricata stops immediately after starting. The log says:
- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "auto"
If I manually change “auto” to something else, suricata starts (logging the said error messages) but keeps running.
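As an added example (not from this thread and not Suricata project code), a small triage script that sorts Suricata start-up log lines into fatal configuration errors versus the rule-parsing errors the earlier reply calls "normal"; the sample lines are constructed from the messages quoted above, and the NON_FATAL set is an assumption based on which codes did and did not stop the engine in this thread.

```python
import re
from typing import Dict, List

# Constructed sample in Suricata 3.0 log format; the "<Notice>"/"<Error>" level
# token between the two dashes was stripped by the forum renderer, as in the thread.
SAMPLE_LOG = """\
9/10/2016 -- 17:46:49 - - This is Suricata version 3.0 RELEASE
9/10/2016 -- 17:46:49 - - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - LIBHTP Ignoring unknown default config: response-body-decompress-layer-limit
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp ..." from file /etc/suricata/rules/suricata.rules at line 1452
9/10/2016 -- 17:46:50 - - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "auto"
"""

# Assumption: these codes only skip one rule or one setting and let the engine run;
# any other ERRCODE (e.g. an invalid YAML entry) is reported as a likely start-up blocker.
NON_FATAL = {"SC_ERR_INVALID_SIGNATURE", "SC_ERR_UNKNOWN_VALUE"}

ERR_RE = re.compile(r"\[ERRCODE: (?P<name>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)")
VER_RE = re.compile(r"This is Suricata version (?P<ver>\S+)")
RULE_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")


def triage(log: str) -> Dict[str, object]:
    """Return the engine version, fatal errors, rejected rule locations and ignored settings."""
    result: Dict[str, object] = {"version": None, "fatal": [], "skipped_rules": [], "ignored": []}
    for line in log.splitlines():
        v = VER_RE.search(line)
        if v:
            result["version"] = v.group("ver")
            continue
        e = ERR_RE.search(line)
        if not e:
            continue
        name, msg = e.group("name"), e.group("msg")
        if name not in NON_FATAL:
            result["fatal"].append((name, int(e.group("num")), msg))
        elif name == "SC_ERR_INVALID_SIGNATURE":
            r = RULE_RE.search(msg)
            if r:  # only lines that name the offending rule file and line number
                result["skipped_rules"].append((r.group("file"), int(r.group("line"))))
        else:
            result["ignored"].append(msg)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```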
Which suricata version do you use? From which repo?
Oct 04 22:40:52 Erased: nethserver-snort-1.1.0-1.ns7.noarch
Oct 04 22:51:14 Installed: libnet-1.1.6-7.el7.x86_64
Oct 04 22:51:14 Installed: GeoIP-1.5.0-9.el7.x86_64
Oct 04 22:51:15 Installed: jansson-2.4-6.el7.x86_64
Oct 04 22:51:15 Installed: libyaml-0.1.4-11.el7_0.x86_64
Oct 04 22:51:19 Installed: suricata-3.1.2-1.el7.x86_64
Oct 04 22:51:19 Installed: nethserver-suricata-1.0.0-1.ns7.noarch
Maybe that’s the point. I have suricata-3.0-0.1.el7.x86_64 installed.
How do I get your version? With wget? Or can I activate a repo so that suricata is updated automatically?
@rasi, I think you need to tell us what you did. Why did you have a different suricata version? How did you update?
Try to configure IPS from the server-manager web interface, it may fix your errors.
Meanwhile everything is alright, so far. Since suricata is not in the nethserver repo I had installed it with wget according to an earlier thread. That’s how I got the older version.
After activating the epel repo suricata was updated to the correct version, which accepts mpm-algo=auto. At last I found out that the log files must be owned by suricata, which is new as well. Before, root was the owner.