[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]

Shant Kassardjian shant at skylab.ca
Fri Jul 30 02:56:29 UTC 2010


Hello,


I can't seem to start suricata on FreeBSD 8.0


I have compiled with  ./configure --enable-profiling --enable-ipfw   
...
Suricata Configuration:
  NFQueue support:          no
  IPFW support:             yes
  PF_RING support:          no
  Prelude support:          no
  Unit tests enabled:       no
  Debug output enabled:     no
  Debug validation enabled: no
  CUDA enabled:             no
  DAG enabled:              no
  Profiling enabled:        yes
  GCC Protect enabled:      no
  GCC march native enabled: yes
  GCC Profile enabled:      no
  Unified native time:      no
  Non-bundled htp:          no


I edited the suricata.yaml file (see below).


Ran the following command:


# suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000                                               
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1
[100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified
...



Any idea what went wrong? The error message doesn't say much.




[suricata.yml config file]:


%YAML 1.1
---

# NOTE(review): the SC_ERR_MULTIPLE_RUN_MODE error quoted above is raised for the
# command line rather than for this file: the invocation passes both "-i em0"
# (a live-capture interface) and "-d 8000" (an ipfw divert port), and "more than
# one run mode has been specified" presumably refers to exactly that pair.  For
# an --enable-ipfw build only one capture option should be given; confirm by
# retrying with "-d 8000" alone.
#
# This document declares YAML 1.1, so the bare yes/no values below are parsed
# as booleans; every enabled:/prealloc:/set_cpu_affinity: key relies on that.
# Quote any value that must remain a string (ports and version-like numbers
# are already quoted where it matters in vars: below).

max-pending-packets: 50

# Order in which verdicts are applied when several rules match a packet.
action-order:
  - pass
  - drop
  - reject
  - alert


# Directory for the fast.log output below; the logging: section writes its own
# engine log to an absolute path and does not use this.
default-log-dir: /var/log/

outputs:
  - fast:
      enabled: yes
      filename: fast.log


defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60

# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allow us to specify the profile to use for them, to manage memory on an
# efficient way keeping a good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low
detect-engine:
  - profile: high
  # custom-values are only consulted when profile is "custom"; they are kept
  # here so the profile can be switched without re-adding them.
  - custom-values:
      toclient_src_groups: 2
      toclient_dst_groups: 2
      toclient_sp_groups: 2
      toclient_dp_groups: 3
      toserver_src_groups: 2
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25

threading:
  set_cpu_affinity: no
  detect_thread_ratio: 1.5

# Select the multi pattern algorithm you want to run for scan/search the
# in the engine. The supported algorithms are b2g, b3g and wumanber.
#
mpm-algo: b2g

# Per-algorithm tuning; only the entry matching mpm-algo above is active.
pattern-matcher:
  - b2g:
      scan_algo: B2gScanBNDMq
      search_algo: B2gSearchBNDMq
      hash_size: low
      bf_size: medium
#  - b3g:
#      scan_algo: B3gScanBNDMq
#      search_algo: B3gSearchBNDMq
#      hash_size: low
#      bf_size: medium
#  - wumanber:
#      hash_size: low
#      bf_size: medium

# Flow table limits.  memcap is in bytes (33554432 = 32 MB); the remaining
# keys are counts/seconds as in the flow-timeouts section below.
flow:
  memcap: 33554432
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30
  prune_flows: 5

# Flow timeouts in seconds.  The emergency_* values take over once the flow
# memcap above is reached, so they should be the shorter ones (they are).
flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency_new: 10
    emergency_established: 100
    emergency_closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100

# Stream engine settings. Here the TCP stream tracking and reaasembly
# engine is configured.
#
# stream:
#   memcap: 33554432            # 32mb tcp session memcap
#   max_sessions: 262144        # 256k concurrent sessions
#   prealloc_sessions: 32768    # 32k sessions prealloc'd
#   midstream: false            # don't allow midstream session pickups
#   async_oneside: false        # don't enable async stream handling
#   reassembly:
#     memcap: 67108864          # 64mb tcp reassembly memcap
#     depth: 1048576            # 1 MB reassembly depth
stream:
  memcap: 33554432
  reassembly:
    memcap: 67108864
    depth: 1048576

logging:
  default-log-level: info
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  #default-output-filter:

  # Style note: this sequence is flush with its parent key while the top-level
  # outputs: list above is indented; both forms parse, but the file mixes them.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

# NOTE(review): with its only child commented out this key has a bare (null)
# value.  If the reinjection rule number is wanted it must be uncommented and
# stay indented under ipfw:; otherwise the whole key could be dropped.
ipfw:

  #ipfw-reinjection-rule-number: 5500

default-rule-path: /usr/local/etc/suricata/rules/
# Only local.rules is enabled; every shipped/ET ruleset below is commented
# out, so the engine runs with just the locally written signatures.
rule-files:
# - attack-responses.rules
# - backdoor.rules
# - bad-traffic.rules
# - chat.rules
# - ddos.rules
# - deleted.rules
# - dns.rules
# - dos.rules
# - experimental.rules
# - exploit.rules
# - finger.rules
# - ftp.rules
# - icmp-info.rules
# - icmp.rules
# - imap.rules
# - info.rules
  - local.rules
# - misc.rules
# - multimedia.rules
# - mysql.rules
# - netbios.rules
# - nntp.rules
# - oracle.rules
# - other-ids.rules
# - p2p.rules
# - policy.rules
# - pop2.rules
# - pop3.rules
# - porn.rules
# - rpc.rules
# - rservices.rules
# - scada.rules
# - scan.rules
# - shellcode.rules
# - smtp.rules
# - snmp.rules
# - specific-threats.rules
# - spyware-put.rules
# - sql.rules
# - telnet.rules
# - tftp.rules
# - virus.rules
# - voip.rules
# - web-activex.rules
# - web-attacks.rules
# - web-cgi.rules
# - web-client.rules
# - web-coldfusion.rules
# - web-frontpage.rules
# - web-iis.rules
# - web-misc.rules
# - web-php.rules
# - x11.rules
# - emerging-attack_response.rules
# - emerging-dos.rules
# - emerging-exploit.rules
# - emerging-game.rules
# - emerging-inappropriate.rules
# - emerging-malware.rules
# - emerging-p2p.rules
# - emerging-policy.rules
# - emerging-scan.rules
# - emerging-virus.rules
# - emerging-voip.rules
# - emerging-web.rules
# - emerging-web_client.rules
# - emerging-web_server.rules
# - emerging-web_specific_apps.rules
# - emerging-user_agents.rules
# - emerging-current_events.rules

classification-file: /usr/local/etc/suricata/classification.config

# Address and port variables referenced by rules as $NAME.  Values that start
# with "[" or "$" or "!" are quoted so YAML does not read them as a flow
# sequence, an anchor-like token or a plain scalar with a stray indicator.
vars:

  address-groups:

    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    # "any" also covers the HOME_NET ranges, so rules keyed on $EXTERNAL_NET
    # will match internal-to-internal traffic as well — confirm this is
    # intended rather than the usual "!$HOME_NET".
    EXTERNAL_NET: any

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: any

  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    # These two are bare integers while the entries above are strings;
    # presumably both are accepted, but quoting them would keep the group
    # uniform.
    ORACLE_PORTS: 1521

    SSH_PORTS: 22

# Host specific policies for defragmentation and TCP stream
# reassembly.  The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  # IPv6 entries are quoted because a bare "a:b:c" scalar would be split on
  # the colons.
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

###########################################################################
# Configure libhtp.
#
#
# default-config:  Used when no server-config matches
#   personality:   List of personalities used by default
#
# server-config:   List of server configurations to use if address matches
#   address:       List of ip addresses or networks for this block
#   personalitiy:  List of personalities used by this block
#
# Currently Available Personalities:
#   Minimal
#   Generic
#   IDS (default)
#   IIS_4_0
#   IIS_5_0
#   IIS_5_1
#   IIS_6_0
#   IIS_7_0
#   IIS_7_5
#   Apache
#   Apache_2_2
###########################################################################
# Style note: this section is indented by 3 spaces while the rest of the
# file uses 2; it is still valid because the indent is consistent within
# the section.
libhtp:

   default-config:
     personality: IDS

   server-config:

     - apache:
         address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
         personality: Apache_2_2

     - iis7:
         address:
           - 192.168.0.0/24
           - 192.168.10.0/24
         personality: IIS_7_0

# Rule profiling matches the --enable-profiling build shown above; it adds
# per-rule accounting overhead, so disable it once the setup is tuned.
profiling:

  rules:

    enabled: yes

    # Sort options: ticks, avgticks, checks, matches
    sort: avgticks

    # Limit the number of items printed at exit.
    limit: 100


 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20100730/50371278/attachment-0002.html>


More information about the Oisf-users mailing list