<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1469016789032_2568">Last week we pushed out the botcc signatures from Emerging Threats to 125 suricata sensors. Some of the sensors continued to work fine, others would not finish loading the system. The logs showed this activity</div><div id="yui_3_16_0_ym19_1_1469016789032_2569"><br id="yui_3_16_0_ym19_1_1469016789032_2570"></div><div id="yui_3_16_0_ym19_1_1469016789032_2571">18/7/2016 -- 14:43:33 - <Info> - 2 rule files processed. 17404 rules successfully loaded, 3 rules failed</div><div id="yui_3_16_0_ym19_1_1469016789032_2572"> </div><div id="yui_3_16_0_ym19_1_1469016789032_2573">18/7/2016 -- 14:43:33 - <Info> - 17405 signatures processed. 2 are IP-only rules, 6837 are inspecting packet payload, 12413 inspect application layer, 0 are decoder event only</div><div id="yui_3_16_0_ym19_1_1469016789032_2574"> </div><div id="yui_3_16_0_ym19_1_1469016789032_2575">18/7/2016 -- 14:43:33 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete</div><div id="yui_3_16_0_ym19_1_1469016789032_2576"> </div><div id="yui_3_16_0_ym19_1_1469016789032_2577">18/7/2016 -- 14:43:33 - <Info> - building signature grouping structure, stage 2: building source address list... complete</div><div id="yui_3_16_0_ym19_1_1469016789032_2578"> </div><div id="yui_3_16_0_ym19_1_1469016789032_2579">Missing were the remaining lines.</div><div id="yui_3_16_0_ym19_1_1469016789032_2580"> </div><div id="yui_3_16_0_ym19_1_1469016789032_2581">18/7/2016 -- 14:43:40 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete</div><div id="yui_3_16_0_ym19_1_1469016789032_2582">18/7/2016 -- 14:43:43 - <Info> - Registered 17405 rule profiling counters.</div><div id="yui_3_16_0_ym19_1_1469016789032_2583">18/7/2016 -- 14:43:43 - <Info> - Threshold config parsed: 0 rule(s) found</div><div id="yui_3_16_0_ym19_1_1469016789032_2584">18/7/2016 -- 14:43:43 - <Notice> - Signature(s) loaded, Detect thread(s) activated.</div><div id="yui_3_16_0_ym19_1_1469016789032_2585"><br id="yui_3_16_0_ym19_1_1469016789032_2586"></div><div id="yui_3_16_0_ym19_1_1469016789032_2587"><br id="yui_3_16_0_ym19_1_1469016789032_2588"></div><div id="yui_3_16_0_ym19_1_1469016789032_2589"><br id="yui_3_16_0_ym19_1_1469016789032_2590"></div><div id="yui_3_16_0_ym19_1_1469016789032_2591">We removed the botcc signatures and the systems worked fine. </div><div id="yui_3_16_0_ym19_1_1469016789032_2592"><br id="yui_3_16_0_ym19_1_1469016789032_2593"></div><div id="yui_3_16_0_ym19_1_1469016789032_2594">Oddly enough, Monday morning, I tried the same signature set (although updated) and they loaded fine.</div><div id="yui_3_16_0_ym19_1_1469016789032_2595"><br id="yui_3_16_0_ym19_1_1469016789032_2596"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1469016789032_2597">Is there an explanation as to why this happened?</div></div></body></html>