<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Hello,<BR><br><BR>I can't seem to start Suricata on FreeBSD 8.0.<BR><br><BR>I have compiled with ./configure --enable-profiling --enable-ipfw<BR>...<BR>Suricata Configuration:<br>  NFQueue support:          no<br>  IPFW support:             yes<br>  PF_RING support:          no<br>  Prelude support:          no<br>  Unit tests enabled:       no<br>  Debug output enabled:     no<br>  Debug validation enabled: no<br>  CUDA enabled:             no<br>  DAG enabled:              no<br>  Profiling enabled:        yes<br>  GCC Protect enabled:      no<br>  GCC march native enabled: yes<br>  GCC Profile enabled:      no<br>  Unified native time:      no<br>  Non-bundled htp:          no<br><br><BR>Edited the suricata.yml file (see below).<BR><br><BR>Ran the following command:<BR><br><BR># suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000<br>[100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1<br>[100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified<br>...<br><BR><br><BR>Any idea what went wrong? The error message doesn't say much.<BR><br><BR><br><BR>[suricata.yml config file]:<BR><br><BR>%YAML 1.1<br>---<br><br>max-pending-packets: 50<br><br>action-order:<br>  - pass<br>  - drop<br>  - reject<br>  - alert<br><br><br>default-log-dir: /var/log/<br><br>outputs:<br>  - fast:<br>      enabled: yes<br>      filename: fast.log<br><br><br>defrag:<br>  max-frags: 65535<br>  prealloc: yes<br>  timeout: 60<br><br># threshold-file: /etc/suricata/threshold.config<br><br># The detection engine builds internal groups of signatures. The engine<br># allows us to specify the profile to use for them, to manage memory in an<br># efficient way while keeping good performance. For the profile keyword you<br># can use the words "low", "medium", "high" or "custom".
If you use custom<br># make sure to define the values at "- custom-values" at your convenience.<br># Usually you would prefer medium/high/low<br>detect-engine:<br>  - profile: high<br>  - custom-values:<br>      toclient_src_groups: 2<br>      toclient_dst_groups: 2<br>      toclient_sp_groups: 2<br>      toclient_dp_groups: 3<br>      toserver_src_groups: 2<br>      toserver_dst_groups: 4<br>      toserver_sp_groups: 2<br>      toserver_dp_groups: 25<br><br>threading:<br>  set_cpu_affinity: no<br>  detect_thread_ratio: 1.5<br><br># Select the multi-pattern algorithm the engine uses for scan/search.<br># The supported algorithms are b2g, b3g and wumanber.<br>#<br>mpm-algo: b2g<br><br>pattern-matcher:<br>  - b2g:<br>      scan_algo: B2gScanBNDMq<br>      search_algo: B2gSearchBNDMq<br>      hash_size: low<br>      bf_size: medium<br>#  - b3g:<br>#      scan_algo: B3gScanBNDMq<br>#      search_algo: B3gSearchBNDMq<br>#      hash_size: low<br>#      bf_size: medium<br>#  - wumanber:<br>#      hash_size: low<br>#      bf_size: medium<br><br>flow:<br>  memcap: 33554432<br>  hash_size: 65536<br>  prealloc: 10000<br>  emergency_recovery: 30<br>  prune_flows: 5<br><br>flow-timeouts:<br><br>  default:<br>    new: 30<br>    established: 300<br>    closed: 0<br>    emergency_new: 10<br>    emergency_established: 100<br>    emergency_closed: 0<br>  tcp:<br>    new: 60<br>    established: 3600<br>    closed: 120<br>    emergency_new: 10<br>    emergency_established: 300<br>    emergency_closed: 20<br>  udp:<br>    new: 30<br>    established: 300<br>    emergency_new: 10<br>    emergency_established: 100<br>  icmp:<br>    new: 30<br>    established: 300<br>    emergency_new: 10<br>    emergency_established: 100<br><br># Stream engine settings.
Here the TCP stream tracking and reassembly<br># engine is configured.<br>#<br># stream:<br>#   memcap: 33554432            # 32mb tcp session memcap<br>#   max_sessions: 262144        # 256k concurrent sessions<br>#   prealloc_sessions: 32768    # 32k sessions prealloc'd<br>#   midstream: false            # don't allow midstream session pickups<br>#   async_oneside: false        # don't enable async stream handling<br>#   reassembly:<br>#     memcap: 67108864          # 64mb tcp reassembly memcap<br>#     depth: 1048576            # 1 MB reassembly depth<br>stream:<br>  memcap: 33554432<br>  reassembly:<br>    memcap: 67108864<br>    depth: 1048576<br><br>logging:<br>  default-log-level: info<br>  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "<br>  #default-output-filter:<br><br>  outputs:<br>  - console:<br>      enabled: no<br>  - file:<br>      enabled: yes<br>      filename: /var/log/suricata.log<br>  - syslog:<br>      enabled: no<br>      facility: local5<br>      format: "[%i] <%d> -- "<br><br>ipfw:<br><br>  #ipfw-reinjection-rule-number: 5500<br><br>default-rule-path: /usr/local/etc/suricata/rules/<br>rule-files:<br># - attack-responses.rules<br># - backdoor.rules<br># - bad-traffic.rules<br># - chat.rules<br># - ddos.rules<br># - deleted.rules<br># - dns.rules<br># - dos.rules<br># - experimental.rules<br># - exploit.rules<br># - finger.rules<br># - ftp.rules<br># - icmp-info.rules<br># - icmp.rules<br># - imap.rules<br># - info.rules<br>  - local.rules<br># - misc.rules<br># - multimedia.rules<br># - mysql.rules<br># - netbios.rules<br># - nntp.rules<br># - oracle.rules<br># - other-ids.rules<br># - p2p.rules<br># - policy.rules<br># - pop2.rules<br># - pop3.rules<br># - porn.rules<br># - rpc.rules<br># - rservices.rules<br># - scada.rules<br># - scan.rules<br># - shellcode.rules<br># - smtp.rules<br># - snmp.rules<br># - specific-threats.rules<br># - spyware-put.rules<br># - sql.rules<br># - telnet.rules<br># - tftp.rules<br># - virus.rules<br>#
- voip.rules<br># - web-activex.rules<br># - web-attacks.rules<br># - web-cgi.rules<br># - web-client.rules<br># - web-coldfusion.rules<br># - web-frontpage.rules<br># - web-iis.rules<br># - web-misc.rules<br># - web-php.rules<br># - x11.rules<br># - emerging-attack_response.rules<br># - emerging-dos.rules<br># - emerging-exploit.rules<br># - emerging-game.rules<br># - emerging-inappropriate.rules<br># - emerging-malware.rules<br># - emerging-p2p.rules<br># - emerging-policy.rules<br># - emerging-scan.rules<br># - emerging-virus.rules<br># - emerging-voip.rules<br># - emerging-web.rules<br># - emerging-web_client.rules<br># - emerging-web_server.rules<br># - emerging-web_specific_apps.rules<br># - emerging-user_agents.rules<br># - emerging-current_events.rules<br><br>classification-file: /usr/local/etc/suricata/classification.config<br><br>vars:<br><br>  address-groups:<br><br>    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"<br><br>    EXTERNAL_NET: any<br><br>    HTTP_SERVERS: "$HOME_NET"<br><br>    SMTP_SERVERS: "$HOME_NET"<br><br>    SQL_SERVERS: "$HOME_NET"<br><br>    DNS_SERVERS: "$HOME_NET"<br><br>    TELNET_SERVERS: "$HOME_NET"<br><br>    AIM_SERVERS: any<br><br>  port-groups:<br><br>    HTTP_PORTS: "80"<br><br>    SHELLCODE_PORTS: "!80"<br><br>    ORACLE_PORTS: 1521<br><br>    SSH_PORTS: 22<br><br># Host specific policies for defragmentation and TCP stream<br># reassembly.  
The host OS lookup is done using a radix tree, just<br># like a routing table so the most specific entry matches.<br>host-os-policy:<br>  # Make the default policy windows.<br>  windows: [0.0.0.0/0]<br>  bsd: []<br>  bsd_right: []<br>  old_linux: []<br>  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]<br>  old_solaris: []<br>  solaris: ["::1"]<br>  hpux10: []<br>  hpux11: []<br>  irix: []<br>  macos: []<br>  vista: []<br>  windows2k3: []<br><br>###########################################################################<br># Configure libhtp.<br>#<br>#<br># default-config:  Used when no server-config matches<br>#   personality:   List of personalities used by default<br>#<br># server-config:   List of server configurations to use if address matches<br>#   address:       List of ip addresses or networks for this block<br>#   personality:   List of personalities used by this block<br>#<br># Currently Available Personalities:<br>#   Minimal<br>#   Generic<br>#   IDS (default)<br>#   IIS_4_0<br>#   IIS_5_0<br>#   IIS_5_1<br>#   IIS_6_0<br>#   IIS_7_0<br>#   IIS_7_5<br>#   Apache<br>#   Apache_2_2<br>###########################################################################<br>libhtp:<br><br>   default-config:<br>     personality: IDS<br><br>   server-config:<br><br>     - apache:<br>         address: [192.168.1.0/24, 127.0.0.0/8, "::1"]<br>         personality: Apache_2_2<br><br>     - iis7:<br>         address:<br>           - 192.168.0.0/24<br>           - 192.168.10.0/24<br>         personality: IIS_7_0<br><br>profiling:<br><br>  rules:<br><br>    enabled: yes<br><br>    # Sort options: ticks, avgticks, checks, matches<br>    sort: avgticks<br><br>    # Limit the number of items printed at exit.<br>    limit: 100<br><br><BR></body>
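Editor's added example, not part of the original post and not code from the Suricata project: a small POSIX sh wrapper that applies the same run-mode rule Suricata 1.0.x's option parser in suricata.c applies. In 1.0.1, -i (pcap live interface), -r (pcap file), -q (NFQueue) and -d (IPFW divert port) each select the run mode, and the second selector seen on the command line is rejected with SC_ERR_MULTIPLE_RUN_MODE. The posted invocation combines -i em0 with -d 8000, so it selects two modes. The function names, the diagnostic text and the ipfw divert rule number below are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from Suricata). Reproduces
# the run-mode check from suricata.c 1.0.x so a start script can reject a
# bad command line before the daemon does.
#
# Run-mode selectors in Suricata 1.0.1 (each takes one value):
#   -i <iface>   pcap live    (IDS, sniffing an interface)
#   -r <pcap>    pcap file    (IDS, offline)
#   -q <num>     NFQueue      (IPS, Linux)
#   -d <port>    IPFW divert  (IPS, FreeBSD)
# Only one may be given; the second one seen raises
# SC_ERR_MULTIPLE_RUN_MODE(124) "more than one run mode has been specified".

# count_run_modes ARGS... : print how many run-mode selectors ARGS contain.
count_run_modes() {
    n=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|-r|-q|-d)
                n=$((n + 1))
                shift                      # drop the flag ...
                [ $# -gt 0 ] && shift      # ... and its value, if present
                ;;
            *)
                shift                      # -c/-l/-s, their values, etc.
                ;;
        esac
    done
    echo "$n"
}

# run_mode_names ARGS... : print the selected modes, one per line.
run_mode_names() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) echo "pcap-live($2)" ;;
            -r) echo "pcap-file($2)" ;;
            -q) echo "nfqueue($2)" ;;
            -d) echo "ipfw-divert($2)" ;;
        esac
        shift
    done
}

# check_run_mode ARGS... : succeed only if exactly one run mode is selected;
# otherwise print a diagnostic modelled on Suricata's and fail.
check_run_mode() {
    n=$(count_run_modes "$@")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "error: $n run modes specified: $(run_mode_names "$@" | tr '\n' ' ')" >&2
    return 1
}

# The posted command line: -i em0 (pcap live) plus -d 8000 (IPFW divert).
check_run_mode -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000 \
    || echo "rejected, as Suricata 1.0.1 does"

# One mode at a time: sniff on em0 as an IDS ...
check_run_mode -c /usr/local/etc/suricata/suricata.yaml -i em0 \
    && echo "ok: IDS on em0"
# ... or run inline on an ipfw divert socket. The divert rule is this
# example's assumption, not something the original post shows:
#   ipfw add 100 divert 8000 ip from any to any
check_run_mode -c /usr/local/etc/suricata/suricata.yaml -d 8000 \
    && echo "ok: IPS on divert port 8000"
```

The wrapper only inspects the argument list; it does not need Suricata installed, so it can sit in an rc script in front of the real invocation and fail early with a message that names both modes instead of the bare ERRCODE.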
</html>