[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
Shant Kassardjian
shant at skylab.ca
Fri Jul 30 02:56:29 UTC 2010
Hello,
I can't seem to start suricata on FreeBSD 8.0
I have compiled with ./configure --enable-profiling --enable-ipfw
...
Suricata Configuration:
NFQueue support: no
IPFW support: yes
PF_RING support: no
Prelude support: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
CUDA enabled: no
DAG enabled: no
Profiling enabled: yes
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Unified native time: no
Non-bundled htp: no
I edited the suricata.yml file (see below).
Ran the following command:
# suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified
...
Any idea what went wrong? The error message doesn't say much.
[suricata.yml config file]:
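%YAML 1.1
---
# Suricata 1.0.1 configuration as posted to the list. The pasted copy had
# lost every leading space; because YAML nesting is indentation-based the
# flattened text does not parse into the intended structure, so the
# original nesting is restored below. Values are unchanged except that the
# two unquoted port-group numbers are quoted like their neighbours.

# Upper bound on packets in flight inside the engine.
max-pending-packets: 50

# Order in which actions are applied when several rules match a packet.
action-order:
  - pass
  - drop
  - reject
  - alert

default-log-dir: /var/log/

# Alert output modules; only fast.log is enabled here.
outputs:
  - fast:
      enabled: yes
      filename: fast.log

# IP defragmentation engine limits.
defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60

# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom,
# make sure to define the values under "- custom-values" as convenient.
# Usually you would prefer medium/high/low.
detect-engine:
  - profile: high
  - custom-values:
      toclient_src_groups: 2
      toclient_dst_groups: 2
      toclient_sp_groups: 2
      toclient_dp_groups: 3
      toserver_src_groups: 2
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25

threading:
  set_cpu_affinity: no
  detect_thread_ratio: 1.5

# Select the multi pattern algorithm to use for scan/search in the
# engine. The supported algorithms are b2g, b3g and wumanber.
mpm-algo: b2g

pattern-matcher:
  - b2g:
      scan_algo: B2gScanBNDMq
      search_algo: B2gSearchBNDMq
      hash_size: low
      bf_size: medium
  # - b3g:
  #     scan_algo: B3gScanBNDMq
  #     search_algo: B3gSearchBNDMq
  #     hash_size: low
  #     bf_size: medium
  # - wumanber:
  #     hash_size: low
  #     bf_size: medium

# Flow tracking memory and table sizing.
flow:
  memcap: 33554432
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30
  prune_flows: 5

# Per-protocol flow timeouts (seconds); the emergency_* values apply once
# the flow engine enters emergency mode.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency_new: 10
    emergency_established: 100
    emergency_closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 33554432           # 32mb tcp session memcap
#   max_sessions: 262144       # 256k concurrent sessions
#   prealloc_sessions: 32768   # 32k sessions prealloc'd
#   midstream: false           # don't allow midstream session pickups
#   async_oneside: false       # don't enable async stream handling
#   reassembly:
#     memcap: 67108864         # 64mb tcp reassembly memcap
#     depth: 1048576           # 1 MB reassembly depth
stream:
  memcap: 33554432
  reassembly:
    memcap: 67108864
    depth: 1048576

# Engine (not alert) logging. Console is off; messages go to a file.
logging:
  default-log-level: info
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  #default-output-filter:
  outputs:
    - console:
        enabled: no
    - file:
        enabled: yes
        filename: /var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

# IPFW divert settings. With its only child commented out this key carries
# no value (YAML null).
# NOTE(review): the ipfw run mode itself is chosen on the command line with
# -d <divert port>; the SC_ERR_MULTIPLE_RUN_MODE error quoted in the post
# appears to come from passing a second run-mode option (-i, pcap) alongside
# it — confirm against the usage text of this build and start with one of
# the two.
ipfw:
  #ipfw-reinjection-rule-number: 5500

default-rule-path: /usr/local/etc/suricata/rules/
rule-files:
  # - attack-responses.rules
  # - backdoor.rules
  # - bad-traffic.rules
  # - chat.rules
  # - ddos.rules
  # - deleted.rules
  # - dns.rules
  # - dos.rules
  # - experimental.rules
  # - exploit.rules
  # - finger.rules
  # - ftp.rules
  # - icmp-info.rules
  # - icmp.rules
  # - imap.rules
  # - info.rules
  - local.rules
  # - misc.rules
  # - multimedia.rules
  # - mysql.rules
  # - netbios.rules
  # - nntp.rules
  # - oracle.rules
  # - other-ids.rules
  # - p2p.rules
  # - policy.rules
  # - pop2.rules
  # - pop3.rules
  # - porn.rules
  # - rpc.rules
  # - rservices.rules
  # - scada.rules
  # - scan.rules
  # - shellcode.rules
  # - smtp.rules
  # - snmp.rules
  # - specific-threats.rules
  # - spyware-put.rules
  # - sql.rules
  # - telnet.rules
  # - tftp.rules
  # - virus.rules
  # - voip.rules
  # - web-activex.rules
  # - web-attacks.rules
  # - web-cgi.rules
  # - web-client.rules
  # - web-coldfusion.rules
  # - web-frontpage.rules
  # - web-iis.rules
  # - web-misc.rules
  # - web-php.rules
  # - x11.rules
  # - emerging-attack_response.rules
  # - emerging-dos.rules
  # - emerging-exploit.rules
  # - emerging-game.rules
  # - emerging-inappropriate.rules
  # - emerging-malware.rules
  # - emerging-p2p.rules
  # - emerging-policy.rules
  # - emerging-scan.rules
  # - emerging-virus.rules
  # - emerging-voip.rules
  # - emerging-web.rules
  # - emerging-web_client.rules
  # - emerging-web_server.rules
  # - emerging-web_specific_apps.rules
  # - emerging-user_agents.rules
  # - emerging-current_events.rules

classification-file: /usr/local/etc/suricata/classification.config

# Rule variables. All address/port values are plain strings to the engine;
# the numeric ports are quoted so no YAML loader retypes them.
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: any
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: any
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table, so the most specific entry matches.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

###########################################################################
# Configure libhtp.
#
#
# default-config: Used when no server-config matches
#   personality: List of personalities used by default
#
# server-config: List of server configurations to use if address matches
#   address: List of ip addresses or networks for this block
#   personality: List of personalities used by this block
#
# Currently Available Personalities:
#   Minimal
#   Generic
#   IDS (default)
#   IIS_4_0
#   IIS_5_0
#   IIS_5_1
#   IIS_6_0
#   IIS_7_0
#   IIS_7_5
#   Apache
#   Apache_2_2
###########################################################################
libhtp:
  default-config:
    personality: IDS
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0

# Rule profiling, available because this build was configured with
# --enable-profiling.
profiling:
  rules:
    enabled: yes
    # Sort options: ticks, avgticks, checks, matches
    sort: avgticks
    # Limit the number of items printed at exit.
    limit: 100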