<div dir="ltr">Hello,<div><br></div><div>Thank you Peter for your answer.</div><div><br></div><div><span style="font-size:12.8px">>judging by the output above - for 19 min you have seen 0 packets on</span><br style="font-size:12.8px"><span style="font-size:12.8px">>that sniffing interface - is that really the case?</span><br></div><div><br></div><div>That's it, this is what I get after running Surricata in my first test.</div><div><br></div><div>However, knowing that there is no http packets that are sent to or received from the embedded Linux running on the board, I added the below rule to /etc/surricata/rules/http.log rules file to catch simple packets sent to the board using a ping:</div><div><br></div><div>alert icmp any any -> 10.8.33.200 any (msg:"ICMP packet detected"; sid:2250010; rev:1;)<br></div><div><br></div><div>After that, I executed a ping command from my host. </div><div><br></div><div><div>$> ping -c3 10.8.33.200</div><div>PING 10.8.33.200 (10.8.33.200) 56(84) bytes of data.</div><div>64 bytes from <a href="http://10.8.33.200">10.8.33.200</a>: icmp_req=1 ttl=64 time=0.233 ms</div><div>64 bytes from <a href="http://10.8.33.200">10.8.33.200</a>: icmp_req=2 ttl=64 time=0.262 ms</div><div>64 bytes from <a href="http://10.8.33.200">10.8.33.200</a>: icmp_req=3 ttl=64 time=0.225 ms</div></div><div><div><br></div><div>--- 10.8.33.200 ping statistics ---</div><div>3 packets transmitted, 3 received, 0% packet loss, time 1998ms</div><div>rtt min/avg/max/mdev = 0.225/0.240/0.262/0.015 ms</div></div><div><br></div><div>Then, I check the /tmp/surricata/fast.log, and I get the following results<br></div><div><br></div><div>/ # tail /tmp/suricata/fast.log<br></div><div><br></div><div><div>01/01/1970-00:09:06.832000 [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} <a href="http://10.8.33.17:8">10.8.33.17:8</a> -> <a href="http://10.8.33.200:0">10.8.33.200:0</a></div><div>01/01/1970-00:09:11.619000 [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00</div><div>01/01/1970-00:09:11.619000 [**] [1:2200094:1] SURICATA zero length padN option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000</div><div>01/01/1970-00:09:11.619000 [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00</div><div>01/01/1970-00:09:11.619000 [**] [1:2200094:1] SURICATA zero length padN option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000</div><div>01/01/1970-00:09:11.620000 [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00</div><div>01/01/1970-00:09:11.620000 [**] [1:2200094:1] SURICATA zero length padN option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000</div><div>01/01/1970-00:10:39.811000 [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} <a href="http://10.8.33.17:8">10.8.33.17:8</a> -> <a href="http://10.8.33.200:0">10.8.33.200:0</a></div><div>01/01/1970-00:10:40.811000 [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} <a href="http://10.8.33.17:8">10.8.33.17:8</a> -> <a href="http://10.8.33.200:0">10.8.33.200:0</a></div><div>01/01/1970-00:10:41.811000 [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} <a href="http://10.8.33.17:8">10.8.33.17:8</a> -> <a href="http://10.8.33.200:0">10.8.33.200:0</a></div></div><div><br></div><div>As we can see, there is a three packet detected by Surricata.</div><div><br></div><div>Then, after looking at the stats, I get these results:</div><div><br></div><div><div>/ # tail /tmp/suricata/stats.log </div><div><br></div></div><div><div>/ # tail -n 50 /tmp/suricata/stats.log </div><div>decoder.icmpv4 | Total | 27</div><div>decoder.icmpv6 | Total | 440</div><div>decoder.ppp | Total | 0</div><div>decoder.pppoe | Total | 0</div><div>decoder.gre | Total | 0</div><div>decoder.vlan | Total | 0</div><div>decoder.vlan_qinq | Total | 0</div><div>decoder.teredo | Total | 0</div><div>decoder.ipv4_in_ipv6 | Total | 0</div><div>decoder.ipv6_in_ipv6 | Total | 0</div><div>decoder.mpls | Total | 0</div><div>decoder.avg_pkt_size | Total | 142</div><div>decoder.max_pkt_size | Total | 1506</div><div>decoder.erspan | Total | 0</div><div>flow.memcap | Total | 0</div><div>defrag.ipv4.fragments | Total | 0</div><div>defrag.ipv4.reassembled | Total | 0</div><div>defrag.ipv4.timeouts | Total | 0</div><div>defrag.ipv6.fragments | Total | 0</div><div>defrag.ipv6.reassembled | Total | 0</div><div>defrag.ipv6.timeouts | Total | 0</div><div>defrag.max_frag_hits | Total | 0</div><div>tcp.sessions | Total | 0</div><div>tcp.ssn_memcap_drop | Total | 0</div><div>tcp.pseudo | Total | 0</div><div>tcp.pseudo_failed | Total | 0</div><div>tcp.invalid_checksum | Total | 0</div><div>tcp.no_flow | Total | 0</div><div>tcp.syn | Total | 0</div><div>tcp.synack | Total | 0</div><div>tcp.rst | Total | 1</div><div>tcp.segment_memcap_drop | Total | 0</div><div>tcp.stream_depth_reached | Total | 0</div><div>tcp.reassembly_gap | Total | 0</div><div>detect.alert | Total | 109</div><div>flow_mgr.closed_pruned | Total | 0</div><div>flow_mgr.new_pruned | Total | 2682</div><div>flow_mgr.est_pruned | Total | 0</div><div>flow.spare | Total | 10000</div><div>flow.emerg_mode_entered | Total | 0</div><div>flow.emerg_mode_over | Total | 0</div><div>flow.tcp_reuse | Total | 0</div><div>tcp.memuse | Total | 286720</div><div>tcp.reassembly_memuse | Total | 12244864</div><div>dns.memuse | Total | 0</div><div>dns.memcap_state | Total | 0</div><div>dns.memcap_global | Total | 0</div><div>http.memuse | Total | 0</div><div>http.memcap | Total | 0</div><div>flow.memuse | Total | 6416964</div></div><div><br></div><div><br></div><div>Could you please tell me if everything is correct in my test case.</div><div><br></div><div>Thank you very much for your in advance.</div><div><br></div><div>Best regards,</div><div>Mahdi</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 17, 2015 at 11:35 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Nov 10, 2015 at 2:34 PM, Mahdi Aichouch <<a href="mailto:foxmehdi@gmail.com">foxmehdi@gmail.com</a>> wrote:<br>
> Hello,<br>
><br>
</span><div><div class="h5">> First of all, thank you very much for all your answers!<br>
><br>
> It is difficult in my case to compile Suricata directly on the board,<br>
> because I don't have a full fledged Linux distribution such as Debian or<br>
> Ubuntu... installed on my board.<br>
> Instead, I am running a para-virtualized L4Linux kernel with a minimal root<br>
> file system (RAMdisk) built using Buildroot.<br>
><br>
> So, I don't have access to a package manager to download and install all<br>
> libraries that Suricata depends on.<br>
> When I cross-compiled, I manually downloaded and compiled all the binaries<br>
> of the required libraries before building Suricata.<br>
><br>
> After activating the verbose option I was able to see that there was a<br>
> missing file.<br>
> Such as the /usr/share/file/magic.mgc, needed by functions in<br>
> utile-magic.c.<br>
><br>
> Then, after adding all missing configuration files, I was able to<br>
> successfully run Surricata on an ARMv7 board.<br>
><br>
> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -s<br>
> signatures -v &<br>
><br>
> / # [44] 1/1/1970 -- 00:02:32 - (suricata.c:1073) <Notice> (SCPrintVersion)<br>
> -- This is Suricata version 2.1dev (rev 86711a1)<br>
> [44] 1/1/1970 -- 00:02:32 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) --<br>
> CPUs/cores online: 1<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2255) <Info><br>
> (HTPConfigSetDefaultsPhase2) -- 'default' server has<br>
> 'request-body-minimal-inspect-size' set to 33882 and<br>
> 'request-body-inspect-window' set to 4053.<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2270) <Info><br>
> (HTPConfigSetDefaultsPhase2) -- 'default' server has<br>
> 'response-body-minimal-inspect-size' set to 33695 and<br>
> 'response-body-inspect-window' set to 42.<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:337) <Info><br>
> (DNSUDPConfigure) -- DNS request flood protection level: 500<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:349) <Info><br>
> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:361) <Info><br>
> (DNSUDPConfigure) -- DNS global memcap: 16777216<br>
> [44] 1/1/1970 -- 00:02:32 - (app-layer-modbus.c:1457) <Info><br>
> (RegisterModbusParsers) -- Modbus request flood protection level: 500<br>
> [44] 1/1/1970 -- 00:02:32 - (util-ioctl.c:100) <Info> (GetIfaceMTU) -- Found<br>
> an MTU of 1500 for 'eth0'<br>
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:209) <Info> (DefragInitConfig) --<br>
> allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of<br>
> size 32<br>
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:234) <Info> (DefragInitConfig) --<br>
> preallocated 65535 defrag trackers of size 120<br>
> [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:241) <Info> (DefragInitConfig) --<br>
> defrag memory usage: 9961352 bytes, maximum: 33554432<br>
> [44] 1/1/1970 -- 00:02:32 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) --<br>
> AutoFP mode using default "Active Packets" flow load balancer<br>
> [44] 1/1/1970 -- 00:02:32 - (host.c:215) <Info> (HostInitConfig) --<br>
> allocated 262144 bytes of memory for the host hash... 4096 buckets of size<br>
> 64<br>
> [44] 1/1/1970 -- 00:02:32 - (host.c:238) <Info> (HostInitConfig) --<br>
> preallocated 1000 hosts of size 88<br>
> [44] 1/1/1970 -- 00:02:32 - (host.c:240) <Info> (HostInitConfig) -- host<br>
> memory usage: 350144 bytes, maximum: 16777216<br>
> [44] 1/1/1970 -- 00:02:32 - (flow.c:441) <Info> (FlowInitConfig) --<br>
> allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size<br>
> 64<br>
> [44] 1/1/1970 -- 00:02:32 - (flow.c:465) <Info> (FlowInitConfig) --<br>
> preallocated 10000 flows of size 220<br>
> [44] 1/1/1970 -- 00:02:32 - (flow.c:467) <Info> (FlowInitConfig) -- flow<br>
> memory usage: 6394304 bytes, maximum: 67108864<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig)<br>
> -- stream "prealloc-sessions": 2048 (per thread)<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:393) <Info> (StreamTcpInitConfig)<br>
> -- stream "memcap": 33554432<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:399) <Info> (StreamTcpInitConfig)<br>
> -- stream "midstream" session pickups: disabled<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig)<br>
> -- stream "async-oneside": disabled<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:422) <Info> (StreamTcpInitConfig)<br>
> -- stream "checksum-validation": enabled<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:444) <Info> (StreamTcpInitConfig)<br>
> -- stream."inline": disabled<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:457) <Info> (StreamTcpInitConfig)<br>
> -- stream "max-synack-queued": 5<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:475) <Info> (StreamTcpInitConfig)<br>
> -- stream.reassembly "memcap": 134217728<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:493) <Info> (StreamTcpInitConfig)<br>
> -- stream.reassembly "depth": 1048576<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:576) <Info> (StreamTcpInitConfig)<br>
> -- stream.reassembly "toserver-chunk-size": 2549<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:578) <Info> (StreamTcpInitConfig)<br>
> -- stream.reassembly "toclient-chunk-size": 2501<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:591) <Info> (StreamTcpInitConfig)<br>
> -- stream.reassembly.raw: enabled<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info><br>
> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:487) <Info><br>
> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250<br>
> [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:500) <Info><br>
> (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128<br>
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:211) <Info> (IPPairInitConfig) --<br>
> allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size<br>
> 64<br>
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:234) <Info> (IPPairInitConfig) --<br>
> preallocated 1000 ippairs of size 96<br>
> [44] 1/1/1970 -- 00:02:32 - (ippair.c:236) <Info> (IPPairInitConfig) --<br>
> ippair memory usage: 358144 bytes, maximum: 16777216<br>
> [44] 1/1/1970 -- 00:02:32 - (util-magic.c:62) <Info> (MagicInit) -- using<br>
> magic-file /usr/share/file/magic<br>
> [44] 1/1/1970 -- 00:02:32 - (suricata.c:1942) <Info> (SetupDelayedDetect) --<br>
> Delayed detect disabled<br>
> [44] 1/1/1970 -- 00:02:32 - (reputation.c:620) <Info> (SRepInit) -- IP<br>
> reputation disabled<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/botcc.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/ciarmy.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/compromised.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/drop.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/dshield.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-activex.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-attack_response.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-chat.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-current_events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-dns.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-dos.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-exploit.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-ftp.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-games.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-icmp_info.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-imap.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-inappropriate.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-malware.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-misc.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-mobile_malware.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-netbios.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-p2p.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-policy.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-pop3.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-rpc.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-scada.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-scan.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-shellcode.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-smtp.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-snmp.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-sql.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-telnet.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-tftp.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-trojan.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-user_agents.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-voip.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-web_client.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-web_server.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-web_specific_apps.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/emerging-worm.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern<br>
> /etc/suricata/rules/tor.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/decoder-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/stream-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/http-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/smtp-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/dns-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/tls-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/modbus-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --<br>
> Loading rule file: /etc/suricata/rules/app-layer-events.rules<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --<br>
> [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:523) <Info> (SigLoadSignatures) -- 50<br>
> rule files processed. 236 rules successfully loaded, 0 rules failed<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:2987) <Info> (SigAddressPrepareStage1)<br>
> -- 236 signatures processed. 0 are IP-only rules, 0 are inspecting packet<br>
> payload, 74 inspect application layer, 99 are decoder y<br>
> [44] 1/1/1970 -- 00:02:32 - (detect.c:2990) <Info> (SigAddressPrepareStage1)<br>
> -- building signature grouping structure, stage 1: preprocessing rules...<br>
> complete<br>
> [44] 1/1/1970 -- 00:02:33 - (detect.c:3623) <Info> (SigAddressPrepareStage2)<br>
> -- building signature grouping structure, stage 2: building source address<br>
> list... complete<br>
> [44] 1/1/1970 -- 00:02:33 - (detect.c:4148) <Info> (SigAddressPrepareStage3)<br>
> -- building signature grouping structure, stage 3: building destination<br>
> address lists... complete<br>
> [44] 1/1/1970 -- 00:02:33 - (util-threshold-config.c:1188) <Info><br>
> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found<br>
> [44] 1/1/1970 -- 00:02:33 - (util-coredump-config.c:122) <Info><br>
> (CoredumpLoadConfig) -- Core dump size set to unlimited.<br>
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info><br>
> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log<br>
> [44] 1/1/1970 -- 00:02:33 - (runmodes.c:739) <Warning><br>
> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log<br>
> support not compiled in. Reconfigure/recompile with libjansson and its de.<br>
> [44] 1/1/1970 -- 00:02:33 - (alert-unified2-alert.c:1353) <Info><br>
> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename<br>
> unified2.alert, limit 32 MB<br>
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info><br>
> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized:<br>
> http.log<br>
> [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info><br>
> (SCConfLogOpenGeneric) -- stats output device (regular) initialized:<br>
> stats.log<br>
> [44] 1/1/1970 -- 00:02:33 - (util-runmodes.c:189) <Info><br>
> (RunModeSetLiveCaptureAutoFp) -- Using 1 live device(s).<br>
> [45] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit)<br>
> -- preallocated 1024 packets. Total memory 2887680<br>
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:393) <Info><br>
> (ReceivePcapThreadInit) -- using interface eth0<br>
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:398) <Info><br>
> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of<br>
> interface state will require 1000 packets.<br>
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:100) <Info> (GetIfaceMTU) -- Found<br>
> an MTU of 1500 for 'eth0'<br>
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:433) <Info><br>
> (ReceivePcapThreadInit) -- Set snaplen to 1516 for 'eth0'<br>
> device eth0 entered promiscuous mode<br>
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:178) <Info> (GetIfaceOffloading)<br>
> -- Generic Receive Offload is set on eth0<br>
> [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:200) <Info> (GetIfaceOffloading)<br>
> -- Large Receive Offload is unset on eth0<br>
> [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:516) <Warning><br>
> (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap<br>
> capture with GRO or LRO activated can lead to capture problems.<br>
> [44] 1/1/1970 -- 00:02:33 - (runmode-pcap.c:293) <Info><br>
> (RunModeIdsPcapAutoFp) -- RunModeIdsPcapAutoFp initialised<br>
> [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:721) <Info><br>
> (FlowManagerThreadSpawn) -- using 1 flow manager threads<br>
> [47] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info> (PacketPoolInit)<br>
> -- preallocated 1024 packets. Total memory 2887680<br>
> [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:881) <Info><br>
> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads<br>
> [44] 1/1/1970 -- 00:02:33 - (tm-threads.c:2001) <Notice><br>
> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management<br>
> threads initialized, engine started.<br>
><br>
> As we can see from the debug messages, there is still one Warning message.<br>
><br>
> Running this command: "/ # tail /var/log/suricata/http.log" gives nothing!<br>
><br>
> Running this command: "/ # tail -n 50 /var/log/suricata/stats.log" gives the<br>
> following logs:<br>
><br>
> defrag.ipv6.fragments | Total | 0<br>
> defrag.ipv6.reassembled | Total | 0<br>
> defrag.ipv6.timeouts | Total | 0<br>
> defrag.max_frag_hits | Total | 0<br>
> tcp.sessions | Total | 0<br>
> tcp.ssn_memcap_drop | Total | 0<br>
> tcp.pseudo | Total | 0<br>
> tcp.pseudo_failed | Total | 0<br>
> tcp.invalid_checksum | Total | 0<br>
> tcp.no_flow | Total | 0<br>
> tcp.syn | Total | 0<br>
> tcp.synack | Total | 0<br>
> tcp.rst | Total | 0<br>
> tcp.segment_memcap_drop | Total | 0<br>
> tcp.stream_depth_reached | Total | 0<br>
> tcp.reassembly_gap | Total | 0<br>
> detect.alert | Total | 0<br>
> flow_mgr.closed_pruned | Total | 0<br>
> flow_mgr.new_pruned | Total | 0<br>
> flow_mgr.est_pruned | Total | 0<br>
> flow.spare | Total | 10000<br>
> flow.emerg_mode_entered | Total | 0<br>
> flow.emerg_mode_over | Total | 0<br>
> flow.tcp_reuse | Total | 0<br>
> tcp.memuse | Total | 286720<br>
> tcp.reassembly_memuse | Total | 12244864<br>
> dns.memuse | Total | 0<br>
> dns.memcap_state | Total | 0<br>
> dns.memcap_global | Total | 0<br>
> http.memuse | Total | 0<br>
> http.memcap | Total | 0<br>
> flow.memuse | Total | 6394304<br>
> -------------------------------------------------------------------<br>
> Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)<br>
> -------------------------------------------------------------------<br>
> Counter | TM Name | Value<br>
> -------------------------------------------------------------------<br>
> capture.kernel_packets | Total | 0<br>
> capture.kernel_drops | Total | 0<br>
<br>
</div></div>judging by the output above - for 19 min you have seen 0 packets on<br>
that sniffing interface - is that really the case?<br>
<div class="HOEnZb"><div class="h5"><br>
> capture.kernel_ifdrops | Total | 0<br>
> decoder.pkts | Total | 0<br>
> decoder.bytes | Total | 0<br>
> decoder.invalid | Total | 0<br>
> decoder.ipv4 | Total | 0<br>
> decoder.ipv6 | Total | 0<br>
> decoder.ethernet | Total | 0<br>
> decoder.raw | Total | 0<br>
> decoder.null | Total | 0<br>
> decoder.sll | Total | 0<br>
><br>
><br>
> Is it possible to tell me if everything is correct?<br>
><br>
> Is there any test case that gives more explicit results?<br>
><br>
> Thank you very much in advance.<br>
><br>
> Best regards,<br>
> Mahdi<br>
><br>
><br>
> On Tue, Nov 10, 2015 at 8:55 AM, Scott Prader <<a href="mailto:rigrunn@gmail.com">rigrunn@gmail.com</a>> wrote:<br>
>><br>
>> I have compiled suricata on an armv6h, but did not cross-compile it. I<br>
>> compiled it natively and it worked fine. It took some time, so I found<br>
>> something else to do while it compiled.<br>
>><br>
>> On Nov 10, 2015 1:47 AM, "Victor Julien" <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>
>>><br>
>>> On 10-11-15 08:46, Anoop Saldanha wrote:<br>
>>>><br>
>>>> On Tue, Nov 10, 2015 at 12:59 PM, Anoop Saldanha<br>
>>>> <<a href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>> wrote:<br>
>>>>><br>
>>>>> On Mon, Nov 9, 2015 at 11:06 PM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
>>>>> wrote:<br>
>>>>>><br>
>>>>>> On Mon, Nov 9, 2015 at 3:00 PM, Mahdi Aichouch <<a href="mailto:foxmehdi@gmail.com">foxmehdi@gmail.com</a>><br>
>>>>>> wrote:<br>
>>>>>>><br>
>>>>>>> Hello,<br>
>>>>>>><br>
>>>>>>> I am trying to run Suricata on an ARMv7 architecture based board.<br>
>>>>>>><br>
>>>>>>> After, I had successfully cross-compiled Suricata for my target, I<br>
>>>>>>> tried to<br>
>>>>>>> run Suricata on the board but I got an Aborted fault.<br>
>>>>>>><br>
>>>>>>> Below is the command that I used in my test:<br>
>>>>>>><br>
>>>>>>> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i<br>
>>>>>>> eth0<br>
>>>>>>> --init-errors-fatal<br>
>>>>>><br>
>>>>>><br>
>>>>>> Can you try adding the "-v" switch for more verbose output -<br>
>>>>>> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0<br>
>>>>>> --init-errors-fatal -v<br>
>>>>>><br>
>>>>>>><br>
>>>>>>> [35] 1/1/1970 -- 00:02:03 - (suricata.c:1073) <Notice><br>
>>>>>>> (SCPrintVersion) --<br>
>>>>>>> This is Suricata version 2.1dev (rev 86711a1)<br>
>>>>>>> Aborted.<br>
>>>>>>><br>
>>>>>>> No further message are printed on the terminal.<br>
>>>>>>><br>
>>>>>>> Could someone help me in figuring out what causes this issue.<br>
>>>>><br>
>>>>><br>
>>>>> Trouble with some instructions generated for your architecture most<br>
>>>>> likely. I would first try and make sure that I have cross compiled<br>
>>>>> directly, and then zero in on the instructions generated by the<br>
>>>>> compiler and make sure it is present ARMv7's ISA.<br>
>>>>><br>
>>>><br>
>>>> My previous reply - s/cross compiled directly/cross compiled correctly/g<br>
>>>><br>
>>>> As a later step on figuring out the instructions, you can look at the<br>
>>>> kernel/system logs to figure out the instructions that caused the<br>
>>>> error.<br>
>>>><br>
>>><br>
>>> Don't forget passing --disable-gccmarch-native to configure before<br>
>>> compiling.<br>
>>><br>
>>> --<br>
>>> ---------------------------------------------<br>
>>> Victor Julien<br>
>>> <a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>>> ---------------------------------------------<br>
>>><br>
>>> _______________________________________________<br>
>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> Suricata User Conference November 4 & 5 in Barcelona:<br>
>>> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> Suricata User Conference November 4 & 5 in Barcelona:<br>
>> <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>