<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 1, 2014 at 3:22 PM, (OISF) Martijn Schoemaker <span dir="ltr"><<a href="mailto:oisf@ficture.nl" target="_blank">oisf@ficture.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Some additional info:<br>
<br>
Working 1.4.7 release:<br>
------------------------------<u></u>--<br>
# suricata-1.4.7/src/suricata --build-info<br>
This is Suricata version 1.4.7 RELEASE<br>
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_<u></u>HEADERS_RAW<br>
64-bits, Little-endian architecture<br>
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901<br>
__GCC_HAVE_SYNC_COMPARE_AND_<u></u>SWAP_1<br>
__GCC_HAVE_SYNC_COMPARE_AND_<u></u>SWAP_2<br>
__GCC_HAVE_SYNC_COMPARE_AND_<u></u>SWAP_4<br>
__GCC_HAVE_SYNC_COMPARE_AND_<u></u>SWAP_8<br>
__GCC_HAVE_SYNC_COMPARE_AND_<u></u>SWAP_16<br>
compiled with libhtp 0.2.14, linked against 0.2.14<br>
Suricata Configuration:<br>
AF_PACKET support: yes<br>
PF_RING support: no<br>
NFQueue support: no<br>
IPFW support: no<br>
DAG enabled: no<br>
Napatech enabled: no<br>
Unix socket enabled: no<br>
<br>
libnss support: no<br>
libnspr support: no<br>
libjansson support: no<br>
Prelude support: no<br>
PCRE jit: no<br>
libluajit: no<br>
libgeoip: no<br>
Non-bundled htp: no<br>
Old barnyard2 support: no<br>
CUDA enabled: no<br>
<br>
Suricatasc install: yes<br>
<br>
Unit tests enabled: no<br>
Debug output enabled: no<br>
Debug validation enabled: no<br>
Profiling enabled: no<br>
Profiling locks enabled: no<br>
<br>
Generic build parameters:<br>
Installation prefix (--prefix): /usr<br>
Configuration directory (--sysconfdir): /etc/suricata/<br>
Log directory (--localstatedir) : /var/log/suricata/<br>
<br>
Host: x86_64-unknown-linux-gnu<br>
GCC binary: gcc<br>
GCC Protect enabled: no<br>
GCC march native enabled: yes<br>
GCC Profile enabled: no<br>
<br>
Git release (not working):<br>
------------------------------<u></u>-------<br>
# suricata-git/oisf/src/suricata --build-info<br>
This is Suricata version 2.0dev (rev 6fbb955)<br>
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK<br>
SIMD support: SSE_3<br>
Atomic intrisics: 1 2 4 8 16 byte(s)<br>
64-bits, Little-endian architecture<br>
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901<br>
L1 cache line size (CLS)=64<br>
compiled with LibHTP v0.5.11, linked against LibHTP v0.5.11<br>
Suricata Configuration:<br>
AF_PACKET support: yes<br>
PF_RING support: no<br>
NFQueue support: no<br>
IPFW support: no<br>
DAG enabled: no<br>
Napatech enabled: no<br>
Unix socket enabled: no<br>
Detection enabled: yes<br>
<br>
libnss support: no<br>
libnspr support: no<br>
libjansson support: no<br>
Prelude support: no<br>
PCRE jit: no<br>
libluajit: no<br>
libgeoip: no<br>
Non-bundled htp: no<br>
Old barnyard2 support: no<br>
CUDA enabled: no<br>
<br>
Suricatasc install: yes<br>
<br>
Unit tests enabled: no<br>
Debug output enabled: no<br>
Debug validation enabled: no<br>
Profiling enabled: no<br>
Profiling locks enabled: no<br>
Coccinelle / spatch: no<br>
<br>
Generic build parameters:<br>
Installation prefix (--prefix): /usr<br>
Configuration directory (--sysconfdir): /etc/suricata/<br>
Log directory (--localstatedir) : /var/log/suricata/<br>
<br>
Host: x86_64-unknown-linux-gnu<br>
GCC binary: gcc<br>
GCC Protect enabled: no<br>
GCC march native enabled: yes<br>
GCC Profile enabled: no<br>
<br>
2.0 release (also not working):<br>
------------------------------<u></u>-------------<br>
# suricata-2.0/src/suricata --build-info<br>
This is Suricata version 2.0 RELEASE<br>
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON<br>
SIMD support: SSE_3<br>
Atomic intrisics: 1 2 4 8 16 byte(s)<br>
64-bits, Little-endian architecture<br>
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901<br>
L1 cache line size (CLS)=64<br>
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10<br>
Suricata Configuration:<br>
AF_PACKET support: yes<br>
PF_RING support: no<br>
NFQueue support: no<br>
IPFW support: no<br>
DAG enabled: no<br>
Napatech enabled: no<br>
Unix socket enabled: yes<br>
Detection enabled: yes<br>
<br>
libnss support: yes<br>
libnspr support: yes<br>
libjansson support: yes<br>
Prelude support: no<br>
PCRE jit: no<br>
libluajit: no<br>
libgeoip: no<br>
Non-bundled htp: no<br>
Old barnyard2 support: no<br>
CUDA enabled: no<br>
<br>
Suricatasc install: yes<br>
<br>
Unit tests enabled: no<br>
Debug output enabled: no<br>
Debug validation enabled: no<br>
Profiling enabled: no<br>
Profiling locks enabled: no<br>
Coccinelle / spatch: yes<br>
<br>
Generic build parameters:<br>
Installation prefix (--prefix): /usr<br>
Configuration directory (--sysconfdir): /etc/suricata/<br>
Log directory (--localstatedir) : /var/log/suricata/<br>
<br>
Host: x86_64-unknown-linux-gnu<br>
GCC binary: gcc<br>
GCC Protect enabled: no<br>
GCC march native enabled: yes<br>
GCC Profile enabled: no<div class=""><div class="h5"><br>
<br>
On 05/01/2014 03:16 PM, (OISF) Martijn Schoemaker wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
I have been running suricata 1.4.7 for quite some time and it's working like a charm. When I saw that suricata 2.0 supports the eve-json log format for integration with logstash I wanted to upgrade to 2.0.<br>
<br>
I downloaded the stable 2.0 release, built it and all seemed to run fine. However, I notices the http.log was no longer modified. Further investigation showed that all http event matching, http logging (http-log and eve http log) was no longer working. I started out with the exact same config as the working 1.4.7 release, then modified the 2.0 config accordingly but it just won't work.<br>
<br>
I also noticed it now includes libhtp 0.5.10 instead of 0.2 so I tried to build against 0.2 but that's not supported. I also built the git current release (libhtp 0.5.11), but still no go. Strange thing is that http events are also no longer matched. I run on a machine which is connected to a monitor port so it cannot be checksum offloading (I also manually disabled it on the interface and disabled checksum checking in the suricata config, but all to no avail).<br>
<br>
Whenever I revert to the 1.4.7 release everything works again.<br>
<br>
So I have a big suspicion that either I'm doing something terribly wrong, or the libhtp 0.5 release is not working correctly anymore.<br>
<br>
Is there anyone who observed the same issue ?<br>
<br>
Regards,<br>
Martijn Schoemaker<br>
<br>
______________________________<u></u>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<u></u>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<u></u>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<u></u>openinfosecfoundation.org/<u></u>mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.<u></u>openinfosecfoundation.org/</a><br>
<br>
</blockquote>
______________________________<u></u>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<u></u>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<u></u>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<u></u>openinfosecfoundation.org/<u></u>mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.<u></u>openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br><br></div><div class="gmail_extra">Hi,<br><br></div><div class="gmail_extra">I think there is some sort of a (miss)configuration issue. For the JSON output to work you need libjansson4 and libjansson-dev present on the system.<br>
When you do (suricata --build-info) you should see -> " libjansson support: yes"<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">What I would suggest -<br><br>1)<br>
Install 2.0 an a "new/clean" machine (virt if you want), and verify that everything is working. If this is the case - then there is some mixup on your current installation.<br><br>2)<br></div><div class="gmail_extra">
Suricata.yaml and yaml in general is very peculiar about spaces/tabs being at the right place and such. Please make sure some miss editing is not the issue. (try loading the default provided suricata.yaml from source)<br>
</div><div class="gmail_extra"><br>3)<br></div><div class="gmail_extra">Can you copy paste your suricata.log on pastebin and share it?<br><br>4)<br></div><div class="gmail_extra">Can you provide the output of <br>ldd /path/to/suricata_executable<br>
</div><div class="gmail_extra">(example - ldd /usr/local/bin/suricata)<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks<br></div><div class="gmail_extra"><br clear="all">
<br>-- <br><div>Regards,</div>
<div>Peter Manev</div>
</div></div>