<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div style="" class=""><span style="" class="">Hi,</span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">I blew away my suricata config, copied and reconfigured the default config from the source.</span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color:
 transparent; font-style: normal;"><br></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">I had followed one post that told me to add the rules to the suricata.yaml file, which caused no end of grief.<br></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">I now get these warnings:</span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica
 Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br style="" class=""><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">20/9/2014 -- 08:04:21 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.<br style="" class="">20/9/2014 -- 08:04:21 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.<br style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color:
 transparent; font-style: normal;"><br><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">I could not find any instructions on compiling in eve-log support to Suricata.  Any hints would be great!</span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">What do I do about the PCAP error?  Is there another way to capture?</span></div><div
 class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">Thanx,</span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span style="" class=""></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span style="" class="">John<br style="" class=""></span></div>
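<div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br></div><div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">Editor's added example, not from John's messages or from the Suricata project: a small POSIX shell preflight that checks the three things the log lines in this thread point at (libjansson missing from the build, GRO/LRO left on for pcap capture, and a rule-files list that names non-rule files or loads the same file twice). It assumes that <code>suricata --build-info</code> prints a <code>Features:</code> line containing <code>HAVE_LIBJANSSON</code> when eve-log was compiled in, and that <code>ethtool -k IFACE</code> prints <code>generic-receive-offload:</code> and <code>large-receive-offload:</code> lines. Every <code>SAMPLE_*</code> value below is constructed so the script runs offline; none of it is output from the poster's system.</div>

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or the Suricata project).
# Preflight checks for the three warnings/errors quoted in this thread.
# Assumptions: `suricata --build-info` prints "Features: ... HAVE_LIBJANSSON"
# when eve-log support was compiled in; `ethtool -k IFACE` prints lines of the
# form "generic-receive-offload: on" / "large-receive-offload: off [fixed]".
# All SAMPLE_* data is constructed for offline use.

# --- 1. eve-log: was libjansson compiled in? ---------------------------------
has_eve_support() {            # $1: text of `suricata --build-info`
    printf '%s\n' "$1" | grep '^Features:' | grep -q 'HAVE_LIBJANSSON'
}

# --- 2. pcap capture: which offloads are on and should be turned off? ---------
# Prints the `ethtool -K IFACE ...` arguments, e.g. "gro off lro off",
# or nothing if neither offload is enabled.
offloads_to_disable() {        # $1: text of `ethtool -k IFACE`
    printf '%s\n' "$1" | awk '
        $1 == "generic-receive-offload:" && $2 == "on" { printf "gro off " }
        $1 == "large-receive-offload:"   && $2 == "on" { printf "lro off " }
    ' | sed 's/ $//'
}

# --- 3. rule-files list: entries that are not .rules files, and repeats ------
# Listing BSD-License.txt or classification.config under rule-files gives the
# SC_ERR_NO_RULES warnings quoted below; listing the same file twice loads each
# signature twice, which is one way to get SC_ERR_DUPLICATE_SIG.
non_rule_entries() {           # $1: newline-separated rule-files entries
    printf '%s\n' "$1" | grep -v '^$' | grep -v '\.rules$'
}
duplicate_entries() {          # $1: newline-separated rule-files entries
    printf '%s\n' "$1" | grep -v '^$' | sort | uniq -d
}

# --- 4. duplicate SIDs in rule text read from stdin --------------------------
# Commented-out rules are skipped; whitespace after "sid:" is normalised.
duplicate_sids() {
    grep -v '^[[:space:]]*#' | grep -o 'sid:[[:space:]]*[0-9][0-9]*' \
        | sed 's/sid:[[:space:]]*/sid:/' | sort | uniq -d
}

# --- constructed sample inputs -----------------------------------------------
SAMPLE_BUILD_INFO_OK='This is Suricata version 2.0.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_LIBJANSSON'
SAMPLE_BUILD_INFO_NO='This is Suricata version 2.0.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET'
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_RULE_FILES='botcc.rules
BSD-License.txt
ciarmy.rules
classification.config
botcc.rules'
SAMPLE_RULES='alert ip $HOME_NET any -> [192.0.2.10] any (msg:"group 1"; sid:2404000; rev:1;)
alert ip $HOME_NET any -> [192.0.2.11] any (msg:"group 2"; sid:2404001; rev:1;)
# alert ip $HOME_NET any -> [192.0.2.12] any (msg:"disabled copy"; sid:2404001; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10] any (msg:"group 1"; sid:2404000; rev:1;)'

# --- demo run on the constructed samples -------------------------------------
if has_eve_support "$SAMPLE_BUILD_INFO_OK"; then
    echo "eve-log: libjansson compiled in"
else
    echo "eve-log: libjansson missing, reconfigure/recompile"
fi
echo "offloads to disable: $(offloads_to_disable "$SAMPLE_ETHTOOL")"
echo "non-rule entries in rule-files:"; non_rule_entries "$SAMPLE_RULE_FILES"
echo "repeated entries in rule-files:"; duplicate_entries "$SAMPLE_RULE_FILES"
echo "duplicate sids:"; printf '%s\n' "$SAMPLE_RULES" | duplicate_sids
```

<div class="" style="color: rgb(0, 0, 0); font-size: 12px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">On a real sensor the same functions are fed live output: <code>has_eve_support "$(suricata --build-info)"</code>, <code>ethtool -K eth0 $(offloads_to_disable "$(ethtool -k eth0)")</code>, and <code>cat /etc/suricata/rules/*.rules | duplicate_sids</code>. If the first check fails, install the jansson development package (jansson-devel, from EPEL on CentOS 6) and re-run <code>./configure</code> and <code>make</code>; the configure script picks libjansson up when the headers are present, and <code>--build-info</code> then lists it. For the capture warning, either disable the offloads as above or use Suricata's native Linux capture instead of pcap (<code>suricata -c /etc/suricata/suricata.yaml --af-packet=eth0</code>). For the rule errors, the rule-files list should name only .rules files, each once; the rules themselves belong in those files, not pasted into suricata.yaml.</div>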
 <div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div class="" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12px;"> <div class="" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div style="" class="" dir="ltr"> <font style="" class="" face="Arial" size="2"> On Friday, September 19, 2014 10:56 PM, John Powell <xq1xq1xq1@yahoo.com> wrote:<br style="" class=""> </font> </div>  <br style="" class=""><br style="" class=""> <div style="" class=""><div style="" class="" id="yiv0864085685"><div style="" class=""><div class="" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px;"><div style="" class="">Hi,</div><div style="" class=""><br style="" class=""></div><div class="" style="color:rgb(0, 0,
 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">I followed these links to install Suricata and OinkMaster on CentOS 6.5:</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">http://pseudodeterminism.blogspot.ca/2013/11/suricata-on-centos-6.html<br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div
 class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">The install appears to have gone well, but when I launch Suricata I get the following errors ad nauseam:</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande,
 sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">suricata -c /etc/suricata/suricata.yaml -i eth0</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;"><br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">19/9/2014 -- 22:42:06 - <Notice> - This is Suricata version 2.0.3 RELEASE<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)]
 - No rules loaded from /etc/suricata/rules/botcc.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/BSD-License.txt<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/ciarmy.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/classification.config<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules
 loaded from /etc/suricata/rules/compromised-ips.txt<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/compromised.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/decoder-events.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/drop.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/dshield.rules<br style="" class="">19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-activex.rules<br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
 Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.<br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or
 directory.<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)"<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any ->
 [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 43<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC
 Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)"<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)" from file
 /etc/suricata/rules/botcc.rules at line 44<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)"<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any ->
 [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 45<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver
 Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:3584;)"<br style="" class="">19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003;
 rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 46</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;margin-left:40px;">.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0,
 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">With the sheer mass of logs I am kind of overwhelmed.</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">Any guidance to narrow down the problem would be greatly appreciated!</div><div class="" style="color:rgb(0, 0, 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br style="" class=""></div><div class="" style="color:rgb(0, 0,
 0);font-size:12px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;">-John<br style="" class=""></div></div></div></div><br style="" class=""><br style="" class=""></div>  </div> </div>  </div> </div></body></html>