Hi Jutaro,<br><br>I would suggest:<br>First, update your suricata.yaml to the newest one distributed.<br>Second, if you use<br>alert http any any -> any any (msg:"alert on all http"; sid:1111111111;)<br>would you see alerts in the fast.log?<br>
<br><br>Then <br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">25/1/2013 -- 12:11:26 - <Info> - Using 1 live device(s).<br>
25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface venet0, using default value<br>
25/1/2013 -- 12:11:26 - <Info> - using interface venet0<br></blockquote><br>what are the config lines:<br><br><table class="filecontent syntaxhl"><tbody><tr><td class="line-code"><pre>pcap:
</pre>
</td>
</tr>
<tr>
<td class="line-code">
<pre> - interface: eth0
</pre>
</td>
</tr>
<tr>
<td class="line-code">
<pre> #buffer-size: 32768
</pre></td></tr></tbody></table><br>saying in your yaml config?<br><br>Thank you<br><br><br><div class="gmail_quote">On Fri, Jan 25, 2013 at 4:33 AM, Jutaro Kajita <span dir="ltr"><<a href="mailto:j.kajita@espeid.jp" target="_blank">j.kajita@espeid.jp</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, to all.<br>
<br>
I recently built Suricata 1.4 from source on CentOS 5.9,<br>
and as in the tutorial, Adding Your Rules, I added local.rules,<br>
but after opening several pages on the server, fast.log still contains<br>
zero lines.<br>
<br>
Here are the parts of my .yaml file I assume are related to the issue.<br>
<br>
<pre>  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      #limit: 32mb

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes # enable this for extended logging information
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</pre>
#######################################################<br>
<br>
and here's the output from the Suricata initialization:<br>
<br>
25/1/2013 -- 12:11:20 - <Info> - CPUs/cores online: 1<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - max_files is deprecated. Please use max-files on line 108.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - use_stream_depth is deprecated. Please use use-stream-depth on line 113.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - log_packet_content is deprecated. Please use log-packet-content on line 128.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - log_packet_header is deprecated. Please use log-packet-header on line 129.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_src_groups is deprecated. Please use toclient-src-groups on line 278.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_dst_groups is deprecated. Please use toclient-dst-groups on line 279.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_sp_groups is deprecated. Please use toclient-sp-groups on line 280.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_dp_groups is deprecated. Please use toclient-dp-groups on line 281.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toserver_src_groups is deprecated. Please use toserver-src-groups on line 282.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toserver_dst_groups is deprecated. Please use toserver-dst-groups on line 283.<br>
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - not showing more parameter name warnings.<br>
25/1/2013 -- 12:11:20 - <Info> - Found an MTU of 1500 for 'venet0'<br>
25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56<br>
25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 defrag trackers of size 152<br>
25/1/2013 -- 12:11:20 - <Info> - defrag memory usage: 381376 bytes, maximum: 16777216<br>
25/1/2013 -- 12:11:20 - <Info> - AutoFP mode using default "Active Packets" flow load balancer<br>
25/1/2013 -- 12:11:20 - <Info> - preallocated 5000 packets. Total memory 21300000<br>
25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56<br>
25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 hosts of size 128<br>
25/1/2013 -- 12:11:20 - <Info> - host memory usage: 357376 bytes, maximum: 16777216<br>
25/1/2013 -- 12:11:20 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56<br>
25/1/2013 -- 12:11:20 - <Info> - preallocated 10000 flows of size 280<br>
25/1/2013 -- 12:11:20 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432<br>
25/1/2013 -- 12:11:20 - <Info> - IP reputation disabled<br>
25/1/2013 -- 12:11:20 - <Info> - Delayed detect disabled<br>
25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules successfully loaded, 0 rules failed<br>
25/1/2013 -- 12:11:24 - <Info> - 6232 signatures processed. 226 are IP-only rules, 2933 are inspecting packet payload, 3991 inspect application layer, 0 are decoder event only<br>
25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete<br>
25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure, stage 2: building source address list... complete<br>
25/1/2013 -- 12:11:25 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete<br>
25/1/2013 -- 12:11:26 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory<br>
25/1/2013 -- 12:11:26 - <Info> - Core dump size set to unlimited.<br>
25/1/2013 -- 12:11:26 - <Info> - fast output device (regular) initialized: fast.log<br>
25/1/2013 -- 12:11:26 - <Info> - http-log output device (regular) initialized: http.log<br>
25/1/2013 -- 12:11:26 - <Info> - Using 1 live device(s).<br>
25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface venet0, using default value<br>
25/1/2013 -- 12:11:26 - <Info> - using interface venet0<br>
25/1/2013 -- 12:11:26 - <Info> - RunModeIdsPcapAutoFp initialised<br>
25/1/2013 -- 12:11:26 - <Info> - stream "max-sessions": 262144<br>
25/1/2013 -- 12:11:26 - <Info> - stream "prealloc-sessions": 32768<br>
25/1/2013 -- 12:11:26 - <Info> - stream "memcap": 33554432<br>
25/1/2013 -- 12:11:26 - <Info> - stream "midstream" session pickups: disabled<br>
25/1/2013 -- 12:11:26 - <Info> - stream "async-oneside": disabled<br>
25/1/2013 -- 12:11:26 - <Info> - stream "checksum-validation": enabled<br>
25/1/2013 -- 12:11:26 - <Info> - stream."inline": disabled<br>
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "memcap": 67108864<br>
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "depth": 1048576<br>
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toserver-chunk-size": 2560<br>
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toclient-chunk-size": 2560<br>
25/1/2013 -- 12:11:26 - <Info> - all 2 packet processing threads, 1 management threads initialized, engine started.<br>
<br>
<br>
#########################################<br>
While fast.log is empty, http.log is working well and outputting proper logs.<br>
So I assume there is no issue with file privileges.<br>
<br>
Any help appreciated.<br>
Thanks in advance.<br>
Jutaro<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div>
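A small triage script for the situation Peter is probing above (fast.log empty, http.log filling up, and "Unable to find pcap config for interface venet0" in the startup log while the yaml lists eth0). This is an added example, not code from the thread or from the Suricata project. It parses startup lines of the kind Jutaro quoted and the capture section of suricata.yaml, then reports the usual reasons a fast.log stays empty: the interface in the yaml differs from the one the engine actually sniffs, the fast output never initialised, no rules loaded or rules failing to parse, and old-style keys that mean the yaml predates the release (Peter's first suggestion). The sample log and yaml fragment are constructed from the thread; pulling `- interface:` entries with a regular expression instead of a YAML parser is a simplifying assumption that holds for the stock `pcap:` / `af-packet:` layout.

```python
"""Triage helper: why does fast.log stay empty while http.log works?

Added example, not code from the thread or from the Suricata project.
Standard library only; `- interface:` entries are extracted from the yaml
text with a regular expression rather than a YAML parser (assumption that
holds for the stock pcap:/af-packet: layout quoted in the thread).
"""
import re

# Constructed sample: lines copied from the startup output in the thread,
# enough to drive every check below.
SAMPLE_LOG = """\
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - max_files is deprecated. Please use max-files on line 108.
25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules successfully loaded, 0 rules failed
25/1/2013 -- 12:11:26 - <Info> - fast output device (regular) initialized: fast.log
25/1/2013 -- 12:11:26 - <Info> - http-log output device (regular) initialized: http.log
25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface venet0, using default value
25/1/2013 -- 12:11:26 - <Info> - using interface venet0
"""

# Constructed sample: the pcap block Peter asks about, listing eth0 while
# the engine actually sniffs venet0.
SAMPLE_YAML = """\
pcap:
  - interface: eth0
    #buffer-size: 32768
"""

LOG_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> - (?P<msg>.*)$")
USING_IF_RE = re.compile(r"^using interface (\S+)$")
NO_CFG_RE = re.compile(r"^Unable to find pcap config for interface ([^\s,]+)")
OUTPUT_RE = re.compile(r"^(\S+) output device \(\w+\) initialized: (\S+)$")
RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
DEPRECATED_RE = re.compile(r"SC_WARN_DEPRECATED.*?- (\S+) is deprecated\. Please use (\S+)")
# "- interface: X" at any indentation; Suricata only uses that key inside
# capture sections, so no section tracking is needed for this check.
YAML_IF_RE = re.compile(r"^\s*-\s*interface:\s*(\S+)", re.MULTILINE)


def parse_log(text):
    """Extract the startup facts that bear on 'why are there no alerts'."""
    facts = {"live_interfaces": [], "unconfigured_interfaces": [],
             "outputs": {}, "rules_loaded": None, "rules_failed": None,
             "deprecated": []}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Suricata log line
        msg = m.group("msg")
        if (mm := USING_IF_RE.match(msg)):
            facts["live_interfaces"].append(mm.group(1))
        elif (mm := NO_CFG_RE.match(msg)):
            facts["unconfigured_interfaces"].append(mm.group(1))
        elif (mm := OUTPUT_RE.match(msg)):
            facts["outputs"][mm.group(1)] = mm.group(2)
        elif (mm := RULES_RE.search(msg)):
            facts["rules_loaded"] = int(mm.group(1))
            facts["rules_failed"] = int(mm.group(2))
        elif (mm := DEPRECATED_RE.search(msg)):
            facts["deprecated"].append((mm.group(1), mm.group(2)))
    return facts


def configured_interfaces(yaml_text):
    """Interfaces listed under the capture sections of suricata.yaml."""
    return YAML_IF_RE.findall(yaml_text)


def triage(log_text, yaml_text):
    """Return a list of (code, message) findings; empty means nothing obvious."""
    facts = parse_log(log_text)
    configured = set(configured_interfaces(yaml_text))
    findings = []
    for iface in facts["live_interfaces"]:
        if iface not in configured or iface in facts["unconfigured_interfaces"]:
            findings.append(("interface-mismatch",
                             f"engine sniffs {iface} but suricata.yaml lists "
                             f"{sorted(configured) or 'no interface'}; set the "
                             f"pcap/af-packet interface to {iface} or start with -i {iface}"))
    if "fast" not in facts["outputs"]:
        findings.append(("fast-output-missing",
                         "no 'fast output device ... initialized' line: the fast "
                         "output is disabled or misnamed in suricata.yaml"))
    if not facts["rules_loaded"]:
        findings.append(("no-rules", "no rules loaded; check rule-files and default-rule-path"))
    elif facts["rules_failed"]:
        findings.append(("rules-failed", f"{facts['rules_failed']} rules failed to parse"))
    if facts["deprecated"]:
        keys = ", ".join(f"{old} -> {new}" for old, new in facts["deprecated"])
        findings.append(("deprecated-keys",
                         f"old-style keys in suricata.yaml ({keys}); update to "
                         "the suricata.yaml shipped with your release"))
    return findings


if __name__ == "__main__":
    for code, msg in triage(SAMPLE_LOG, SAMPLE_YAML):
        print(f"[{code}] {msg}")
```

Run against the constructed samples it reports the interface mismatch and the deprecated keys, which is exactly the pair of things Peter asks Jutaro to look at; once the yaml names the interface the engine reports and the "Unable to find pcap config" line disappears from the startup log, the script returns no findings.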