<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Hello,<br><br>
I can't seem to start suricata on FreeBSD 8.0.<br><br>
I have compiled with <code>./configure --enable-profiling --enable-ipfw</code>:<br>
<pre>
...
Suricata Configuration:
  NFQueue support:          no
  IPFW support:             yes
  PF_RING support:          no
  Prelude support:          no
  Unit tests enabled:       no
  Debug output enabled:     no
  Debug validation enabled: no
  CUDA enabled:             no
  DAG enabled:              no
  Profiling enabled:        yes
  GCC Protect enabled:      no
  GCC march native enabled: yes
  GCC Profile enabled:      no
  Unified native time:      no
  Non-bundled htp:          no
</pre>
Edited the suricata.yml file (see below).<br><br>
Ran the following command:<br>
<pre>
# suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) &lt;Info&gt; (main) -- This is Suricata version 1.0.1
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) &lt;Error&gt; (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified
...
</pre>
Any idea what went wrong? The error message doesn't say much.<br><br>
[suricata.yml config file]:<br>
<pre>
%YAML 1.1
---

max-pending-packets: 50

action-order:
  - pass
  - drop
  - reject
  - alert


default-log-dir: /var/log/

outputs:
  - fast:
      enabled: yes
      filename: fast.log


defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60

# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as convenient.
# Usually you would prefer medium/high/low
detect-engine:
  - profile: high
  - custom-values:
      toclient_src_groups: 2
      toclient_dst_groups: 2
      toclient_sp_groups: 2
      toclient_dp_groups: 3
      toserver_src_groups: 2
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25

threading:
  set_cpu_affinity: no
  detect_thread_ratio: 1.5

# Select the multi pattern algorithm you want to run for scan/search
# in the engine. The supported algorithms are b2g, b3g and wumanber.
#
mpm-algo: b2g

pattern-matcher:
  - b2g:
      scan_algo: B2gScanBNDMq
      search_algo: B2gSearchBNDMq
      hash_size: low
      bf_size: medium
#  - b3g:
#      scan_algo: B3gScanBNDMq
#      search_algo: B3gSearchBNDMq
#      hash_size: low
#      bf_size: medium
#  - wumanber:
#      hash_size: low
#      bf_size: medium

flow:
  memcap: 33554432
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30
  prune_flows: 5

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency_new: 10
    emergency_established: 100
    emergency_closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 33554432              # 32mb tcp session memcap
#   max_sessions: 262144          # 256k concurrent sessions
#   prealloc_sessions: 32768      # 32k sessions prealloc'd
#   midstream: false              # don't allow midstream session pickups
#   async_oneside: false          # don't enable async stream handling
#   reassembly:
#     memcap: 67108864            # 64mb tcp reassembly memcap
#     depth: 1048576              # 1 MB reassembly depth
stream:
  memcap: 33554432
  reassembly:
    memcap: 67108864
    depth: 1048576

logging:
  default-log-level: info
  #default-log-format: "[%i] %t - (%f:%l) &lt;%d&gt; (%n) -- "
  #default-output-filter:

  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] &lt;%d&gt; -- "

ipfw:

  #ipfw-reinjection-rule-number: 5500

default-rule-path: /usr/local/etc/suricata/rules/
rule-files:
# - attack-responses.rules
# - backdoor.rules
# - bad-traffic.rules
# - chat.rules
# - ddos.rules
# - deleted.rules
# - dns.rules
# - dos.rules
# - experimental.rules
# - exploit.rules
# - finger.rules
# - ftp.rules
# - icmp-info.rules
# - icmp.rules
# - imap.rules
# - info.rules
 - local.rules
# - misc.rules
# - multimedia.rules
# - mysql.rules
# - netbios.rules
# - nntp.rules
# - oracle.rules
# - other-ids.rules
# - p2p.rules
# - policy.rules
# - pop2.rules
# - pop3.rules
# - porn.rules
# - rpc.rules
# - rservices.rules
# - scada.rules
# - scan.rules
# - shellcode.rules
# - smtp.rules
# - snmp.rules
# - specific-threats.rules
# - spyware-put.rules
# - sql.rules
# - telnet.rules
# - tftp.rules
# - virus.rules
# - voip.rules
# - web-activex.rules
# - web-attacks.rules
# - web-cgi.rules
# - web-client.rules
# - web-coldfusion.rules
# - web-frontpage.rules
# - web-iis.rules
# - web-misc.rules
# - web-php.rules
# - x11.rules
# - emerging-attack_response.rules
# - emerging-dos.rules
# - emerging-exploit.rules
# - emerging-game.rules
# - emerging-inappropriate.rules
# - emerging-malware.rules
# - emerging-p2p.rules
# - emerging-policy.rules
# - emerging-scan.rules
# - emerging-virus.rules
# - emerging-voip.rules
# - emerging-web.rules
# - emerging-web_client.rules
# - emerging-web_server.rules
# - emerging-web_specific_apps.rules
# - emerging-user_agents.rules
# - emerging-current_events.rules

classification-file: /usr/local/etc/suricata/classification.config

vars:

  address-groups:

    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    EXTERNAL_NET: any

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: any

  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    ORACLE_PORTS: 1521

    SSH_PORTS: 22

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

###########################################################################
# Configure libhtp.
#
#
# default-config:           Used when no server-config matches
#   personality:            List of personalities used by default
#
# server-config:            List of server configurations to use if address matches
#   address:                List of ip addresses or networks for this block
#   personality:            List of personalities used by this block
#
# Currently Available Personalities:
#   Minimal
#   Generic
#   IDS (default)
#   IIS_4_0
#   IIS_5_0
#   IIS_5_1
#   IIS_6_0
#   IIS_7_0
#   IIS_7_5
#   Apache
#   Apache_2_2
###########################################################################
libhtp:

  default-config:
    personality: IDS

  server-config:

    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2

    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0

profiling:

  rules:

    enabled: yes

    # Sort options: ticks, avgticks, checks, matches
    sort: avgticks

    # Limit the number of items printed at exit.
    limit: 100
</pre>
</body>
</html>