<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hi everyone,</div>
<div> </div>
<div>I am trying to configure Suricata 4.0.3 with Netmap - IPS mode:</div>
<div> </div>
<div>Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux</div>
<div> </div>
<div>eth1:<br/>
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 01)</div>
<div>eth0: for management</div>
<div> </div>
<div>ethtool --show-ntuple eth1 <br/>
1 RX rings available<br/>
Total 0 rules</div>
<div> </div>
<div><pre>netmap:
  - interface: default
    threads: auto
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
  - interface: eth1
    copy-iface: eth1+</pre></div>
<div> </div>
<div>On the same machine, I activated:</div>
<div>net.ipv4.ip_forward = 1</div>
<div> </div>
<div>I want Suricata to perform a first filter and return the traffic to the kernel so it can be processed with iptables.</div>
<div><br/>
However, all packets are dropped when sent to the kernel.</div>
<div> </div>
<div>I made a first test with the rule: DROP icmp any any -> any any</div>
<div><br/>
The same test without the rule, also without success.</div>
<div>----------<br/>
cat /var/log/suricata/drop.log </div>
<div><br/>
02/15/2018-10:19:31.182372: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=35972 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14435<br/>
02/15/2018-10:19:31.680043: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=57830 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14691<br/>
02/15/2018-10:19:36.182297: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=38420 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14947<br/>
02/15/2018-10:19:36.687863: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=61465 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=15203<br/>
02/15/2018-10:19:41.190151: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=40966 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=15459<br/>
02/15/2018-10:19:41.679798: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=62929 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=15715<br/>
02/15/2018-10:19:46.182077: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=43949 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=15971<br/>
02/15/2018-10:19:46.679455: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=64473 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=16227<br/>
----------<br/>
cat /var/log/suricata/fast.log <br/>
02/15/2018-10:19:31.182372 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 8.8.8.8:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:31.680043 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 9.9.9.9:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:36.182297 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 8.8.8.8:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:36.687863 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 9.9.9.9:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:41.190151 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 8.8.8.8:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:41.679798 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 9.9.9.9:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:46.182077 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 8.8.8.8:0 -> 85.XXX.XXX.XXX:0<br/>
02/15/2018-10:19:46.679455 [Drop] [**] [1:0:0] (null) [**] [Classification: (null)] [Priority: 3] {ICMP} 9.9.9.9:0 -> 85.XXX.XXX.XXX:0<br/>
----------<br/>
cat /var/log/suricata/stats.log <br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:18:54 (uptime: 0d, 00h 00m 08s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 2<br/>
decoder.pkts | Total | 2<br/>
decoder.bytes | Total | 148<br/>
decoder.ipv4 | Total | 2<br/>
decoder.ethernet | Total | 2<br/>
decoder.icmpv4 | Total | 2<br/>
decoder.avg_pkt_size | Total | 74<br/>
decoder.max_pkt_size | Total | 74<br/>
detect.alert | Total | 2<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7074592<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:01 (uptime: 0d, 00h 00m 15s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 12<br/>
capture.kernel_drops | Total | 6<br/>
decoder.pkts | Total | 12<br/>
decoder.bytes | Total | 1223<br/>
decoder.ipv4 | Total | 11<br/>
decoder.ipv6 | Total | 1<br/>
decoder.ethernet | Total | 12<br/>
decoder.tcp | Total | 6<br/>
decoder.icmpv4 | Total | 5<br/>
decoder.icmpv6 | Total | 1<br/>
decoder.avg_pkt_size | Total | 101<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 1<br/>
flow.icmpv6 | Total | 1<br/>
detect.alert | Total | 6<br/>
flow.spare | Total | 10000<br/>
flow_mgr.flows_checked | Total | 1<br/>
flow_mgr.flows_notimeout | Total | 1<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65535<br/>
flow_mgr.rows_maxlen | Total | 1<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7074880<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:08 (uptime: 0d, 00h 00m 22s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 25<br/>
capture.kernel_drops | Total | 15<br/>
decoder.pkts | Total | 25<br/>
decoder.bytes | Total | 2559<br/>
decoder.ipv4 | Total | 23<br/>
decoder.ipv6 | Total | 1<br/>
decoder.ethernet | Total | 25<br/>
decoder.tcp | Total | 14<br/>
decoder.icmpv4 | Total | 9<br/>
decoder.icmpv6 | Total | 1<br/>
decoder.avg_pkt_size | Total | 102<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 1<br/>
flow.icmpv6 | Total | 1<br/>
detect.alert | Total | 10<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7074880<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:15 (uptime: 0d, 00h 00m 29s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 31<br/>
capture.kernel_drops | Total | 16<br/>
decoder.pkts | Total | 31<br/>
decoder.bytes | Total | 3127<br/>
decoder.ipv4 | Total | 26<br/>
decoder.ipv6 | Total | 4<br/>
decoder.ethernet | Total | 31<br/>
decoder.tcp | Total | 15<br/>
decoder.icmpv4 | Total | 11<br/>
decoder.icmpv6 | Total | 4<br/>
decoder.avg_pkt_size | Total | 100<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 1<br/>
flow.icmpv6 | Total | 4<br/>
detect.alert | Total | 15<br/>
flow.spare | Total | 10000<br/>
flow_mgr.flows_checked | Total | 1<br/>
flow_mgr.flows_notimeout | Total | 1<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65535<br/>
flow_mgr.rows_maxlen | Total | 1<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7075456<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:22 (uptime: 0d, 00h 00m 36s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 38<br/>
capture.kernel_drops | Total | 16<br/>
decoder.pkts | Total | 38<br/>
decoder.bytes | Total | 3763<br/>
decoder.ipv4 | Total | 30<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 38<br/>
decoder.tcp | Total | 16<br/>
decoder.icmpv4 | Total | 14<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 99<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 1<br/>
flow.icmpv6 | Total | 7<br/>
tcp.rst | Total | 1<br/>
detect.alert | Total | 21<br/>
flow.spare | Total | 10000<br/>
flow_mgr.flows_checked | Total | 1<br/>
flow_mgr.flows_notimeout | Total | 1<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65535<br/>
flow_mgr.rows_maxlen | Total | 1<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7076608<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:29 (uptime: 0d, 00h 00m 43s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 41<br/>
capture.kernel_drops | Total | 17<br/>
decoder.pkts | Total | 41<br/>
decoder.bytes | Total | 3971<br/>
decoder.ipv4 | Total | 33<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 41<br/>
decoder.tcp | Total | 17<br/>
decoder.icmpv4 | Total | 16<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 96<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 2<br/>
flow.icmpv6 | Total | 7<br/>
tcp.sessions | Total | 1<br/>
tcp.syn | Total | 1<br/>
tcp.rst | Total | 1<br/>
detect.alert | Total | 23<br/>
flow_mgr.new_pruned | Total | 1<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7076608<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:36 (uptime: 0d, 00h 00m 50s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 50<br/>
capture.kernel_drops | Total | 23<br/>
decoder.pkts | Total | 50<br/>
decoder.bytes | Total | 4565<br/>
decoder.ipv4 | Total | 40<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 50<br/>
decoder.tcp | Total | 21<br/>
decoder.icmpv4 | Total | 19<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 91<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 5<br/>
flow.icmpv6 | Total | 7<br/>
tcp.sessions | Total | 3<br/>
tcp.syn | Total | 3<br/>
tcp.synack | Total | 2<br/>
tcp.rst | Total | 1<br/>
detect.alert | Total | 28<br/>
flow_mgr.new_pruned | Total | 1<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7077472<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:43 (uptime: 0d, 00h 00m 57s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 70<br/>
capture.kernel_drops | Total | 40<br/>
decoder.pkts | Total | 70<br/>
decoder.bytes | Total | 5893<br/>
decoder.ipv4 | Total | 60<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 70<br/>
decoder.tcp | Total | 38<br/>
decoder.icmpv4 | Total | 22<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 84<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 12<br/>
flow.icmpv6 | Total | 7<br/>
tcp.sessions | Total | 3<br/>
tcp.syn | Total | 3<br/>
tcp.synack | Total | 19<br/>
tcp.rst | Total | 1<br/>
detect.alert | Total | 31<br/>
flow_mgr.new_pruned | Total | 1<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7079488<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:50 (uptime: 0d, 00h 01m 04s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 89<br/>
capture.kernel_drops | Total | 56<br/>
decoder.pkts | Total | 89<br/>
decoder.bytes | Total | 7159<br/>
decoder.ipv4 | Total | 79<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 89<br/>
decoder.tcp | Total | 54<br/>
decoder.icmpv4 | Total | 25<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 80<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 12<br/>
flow.icmpv6 | Total | 7<br/>
tcp.sessions | Total | 3<br/>
tcp.syn | Total | 3<br/>
tcp.synack | Total | 35<br/>
tcp.rst | Total | 1<br/>
detect.alert | Total | 34<br/>
flow_mgr.new_pruned | Total | 6<br/>
flow.spare | Total | 10000<br/>
flow_mgr.flows_checked | Total | 1<br/>
flow_mgr.flows_notimeout | Total | 1<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65535<br/>
flow_mgr.rows_maxlen | Total | 1<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7078048<br/>
------------------------------------------------------------------------------------<br/>
Date: 2/15/2018 -- 10:19:50 (uptime: 0d, 00h 01m 04s)<br/>
------------------------------------------------------------------------------------<br/>
Counter | TM Name | Value<br/>
------------------------------------------------------------------------------------<br/>
capture.kernel_packets | Total | 101<br/>
capture.kernel_drops | Total | 67<br/>
decoder.pkts | Total | 101<br/>
decoder.bytes | Total | 7927<br/>
decoder.ipv4 | Total | 91<br/>
decoder.ipv6 | Total | 7<br/>
decoder.ethernet | Total | 101<br/>
decoder.tcp | Total | 66<br/>
decoder.icmpv4 | Total | 25<br/>
decoder.icmpv6 | Total | 7<br/>
decoder.avg_pkt_size | Total | 78<br/>
decoder.max_pkt_size | Total | 179<br/>
flow.tcp | Total | 12<br/>
flow.icmpv6 | Total | 7<br/>
tcp.sessions | Total | 3<br/>
tcp.syn | Total | 3<br/>
tcp.synack | Total | 46<br/>
tcp.rst | Total | 2<br/>
detect.alert | Total | 34<br/>
flow_mgr.new_pruned | Total | 7<br/>
flow.spare | Total | 10000<br/>
flow_mgr.rows_checked | Total | 65536<br/>
flow_mgr.rows_skipped | Total | 65536<br/>
tcp.memuse | Total | 606208<br/>
tcp.reassembly_memuse | Total | 81920<br/>
flow.memuse | Total | 7077760</div>
<div>---------------------<br/>
root@test::~# suricata --netmap -vv<br/>
15/2/2018 -- 10:18:41 - <Info> - Configuration node 'HOME_NET' redefined.<br/>
15/2/2018 -- 10:18:41 - <Notice> - This is Suricata version 4.0.3 RELEASE<br/>
15/2/2018 -- 10:18:41 - <Info> - CPUs/cores online: 4<br/>
15/2/2018 -- 10:18:41 - <Config> - Adding interface eth1 from config file<br/>
15/2/2018 -- 10:18:41 - <Info> - Netmap: Setting IPS mode<br/>
15/2/2018 -- 10:18:41 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33774 and 'request-body-inspect-window' set to 3948 after randomization.<br/>
15/2/2018 -- 10:18:41 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 40530 and 'response-body-inspect-window' set to 16199 after randomization.<br/>
15/2/2018 -- 10:18:41 - <Config> - DNS request flood protection level: 500<br/>
15/2/2018 -- 10:18:41 - <Config> - DNS per flow memcap (state-memcap): 524288<br/>
15/2/2018 -- 10:18:41 - <Config> - DNS global memcap: 16777216<br/>
15/2/2018 -- 10:18:41 - <Config> - Protocol detection and parser disabled for modbus protocol.<br/>
15/2/2018 -- 10:18:41 - <Config> - Protocol detection and parser disabled for enip protocol.<br/>
15/2/2018 -- 10:18:41 - <Config> - Protocol detection and parser disabled for DNP3.<br/>
15/2/2018 -- 10:18:41 - <Info> - Found an MTU of 1500 for 'eth1'<br/>
15/2/2018 -- 10:18:41 - <Info> - Found an MTU of 1500 for 'eth1'<br/>
15/2/2018 -- 10:18:41 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64<br/>
15/2/2018 -- 10:18:41 - <Config> - preallocated 1000 hosts of size 136<br/>
15/2/2018 -- 10:18:41 - <Config> - host memory usage: 398144 bytes, maximum: 33554432<br/>
15/2/2018 -- 10:18:41 - <Config> - Core dump size set to unlimited.<br/>
15/2/2018 -- 10:18:41 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56<br/>
15/2/2018 -- 10:18:41 - <Config> - preallocated 65535 defrag trackers of size 168<br/>
15/2/2018 -- 10:18:41 - <Config> - defrag memory usage: 14679896 bytes, maximum: 33554432<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "prealloc-sessions": 2048 (per thread)<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "memcap": 67108864<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "midstream" session pickups: disabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "async-oneside": disabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "checksum-validation": enabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream."inline": enabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "bypass": disabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream "max-synack-queued": 5<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly "memcap": 268435456<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly "depth": 1048576<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly "toserver-chunk-size": 2491<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly "toclient-chunk-size": 2482<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly.raw: enabled<br/>
15/2/2018 -- 10:18:41 - <Config> - stream.reassembly "segment-prealloc": 2048<br/>
15/2/2018 -- 10:18:41 - <Config> - Delayed detect disabled<br/>
15/2/2018 -- 10:18:41 - <Info> - Running in live mode, activating unix socket<br/>
15/2/2018 -- 10:18:41 - <Config> - pattern matchers: MPM: ac, SPM: bm<br/>
15/2/2018 -- 10:18:41 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080<br/>
15/2/2018 -- 10:18:41 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060<br/>
15/2/2018 -- 10:18:41 - <Config> - prefilter engines: MPM<br/>
15/2/2018 -- 10:18:41 - <Config> - IP reputation disabled<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/test.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/botcc.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/ciarmy.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/compromised.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/drop.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/dshield.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-attack_response.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-chat.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-current_events.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-dns.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-dos.rules<br/>
15/2/2018 -- 10:18:41 - <Config> - Loading rule file: /etc/suricata/rules/emerging-exploit.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-ftp.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-imap.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-malware.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-misc.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-mobile_malware.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-netbios.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-p2p.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-policy.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-pop3.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-rpc.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-scan.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-smtp.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-snmp.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-sql.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-telnet.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-tftp.rules<br/>
15/2/2018 -- 10:18:42 - <Config> - Loading rule file: /etc/suricata/rules/emerging-trojan.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/emerging-user_agents.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/emerging-voip.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/emerging-web_client.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/emerging-web_server.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/emerging-worm.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/tor.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/http-events.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/smtp-events.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/dns-events.rules<br/>
15/2/2018 -- 10:18:44 - <Config> - Loading rule file: /etc/suricata/rules/tls-events.rules<br/>
15/2/2018 -- 10:18:44 - <Info> - 39 rule files processed. 12691 rules successfully loaded, 0 rules failed<br/>
15/2/2018 -- 10:18:44 - <Info> - Threshold config parsed: 0 rule(s) found<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tcp-packet<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tcp-stream<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for udp-packet<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for other-ip<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_uri<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_request_line<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_client_body<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_response_line<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_header<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_header<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_header_names<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_header_names<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_accept<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_accept_enc<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_accept_lang<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_referer<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_connection<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_content_len<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_content_len<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_content_type<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_content_type<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_protocol<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_protocol<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_start<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_start<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_raw_header<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_raw_header<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_method<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_cookie<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_cookie<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_raw_uri<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_user_agent<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_host<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_raw_host<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_stat_msg<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for http_stat_code<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for dns_query<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tls_sni<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tls_cert_issuer<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tls_cert_subject<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for tls_cert_serial<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for dce_stub_data<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for dce_stub_data<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for ssh_protocol<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for ssh_protocol<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for ssh_software<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for ssh_software<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for file_data<br/>
15/2/2018 -- 10:18:44 - <Perf> - using shared mpm ctx' for file_data<br/>
15/2/2018 -- 10:18:44 - <Info> - 12696 signatures processed. 1164 are IP-only rules, 5305 are inspecting packet payload, 7797 inspect application layer, 0 are decoder event only<br/>
15/2/2018 -- 10:18:44 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete<br/>
15/2/2018 -- 10:18:44 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies<br/>
15/2/2018 -- 10:18:44 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies<br/>
15/2/2018 -- 10:18:44 - <Perf> - UDP toserver: 41 port groups, 31 unique SGH's, 10 copies<br/>
15/2/2018 -- 10:18:44 - <Perf> - UDP toclient: 21 port groups, 12 unique SGH's, 9 copies<br/>
15/2/2018 -- 10:18:44 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies<br/>
15/2/2018 -- 10:18:44 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies<br/>
15/2/2018 -- 10:18:45 - <Perf> - Unique rule groups: 107<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toserver TCP packet": 30<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toclient TCP packet": 19<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toserver TCP stream": 31<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toclient TCP stream": 21<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toserver UDP packet": 31<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "toclient UDP packet": 11<br/>
15/2/2018 -- 10:18:45 - <Perf> - Builtin MPM "other IP packet": 2<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_uri": 7<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_request_line": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_client_body": 5<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient http_response_line": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_header": 6<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient http_header": 3<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_header_names": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_accept": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_referer": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_content_len": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_content_type": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_start": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_raw_header": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient http_raw_header": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_method": 3<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_cookie": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient http_cookie": 2<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_user_agent": 4<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver http_host": 2<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient http_stat_code": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver dns_query": 4<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver tls_sni": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toserver file_data": 1<br/>
15/2/2018 -- 10:18:45 - <Perf> - AppLayer MPM "toclient file_data": 5<br/>
15/2/2018 -- 10:18:46 - <Info> - fast output device (regular) initialized: fast.log<br/>
15/2/2018 -- 10:18:46 - <Info> - eve-log output device (regular) initialized: eve.json<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'alert'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'http'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'dns'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'tls'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'files'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'smtp'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'ssh'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'stats'<br/>
15/2/2018 -- 10:18:46 - <Config> - enabling 'eve-log' module 'flow'<br/>
15/2/2018 -- 10:18:46 - <Info> - stats output device (regular) initialized: stats.log<br/>
15/2/2018 -- 10:18:46 - <Info> - drop output device (regular) initialized: drop.log<br/>
15/2/2018 -- 10:18:46 - <Info> - Found 1 RX RSS queues for 'eth1'<br/>
15/2/2018 -- 10:18:46 - <Perf> - eth1: disabling rxcsum offloading<br/>
15/2/2018 -- 10:18:46 - <Perf> - Using 1 threads for interface eth1<br/>
15/2/2018 -- 10:18:46 - <Info> - Going to use 1 thread(s)<br/>
15/2/2018 -- 10:18:46 - <Perf> - Enabling zero copy mode for eth1->eth1<br/>
15/2/2018 -- 10:18:46 - <Config> - using 1 flow manager threads<br/>
15/2/2018 -- 10:18:46 - <Config> - using 1 flow recycler threads<br/>
15/2/2018 -- 10:18:46 - <Info> - Running in live mode, activating unix socket<br/>
15/2/2018 -- 10:18:46 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'<br/>
15/2/2018 -- 10:18:46 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.<br/>
15/2/2018 -- 10:19:50 - <Notice> - Signal Received. Stopping engine.<br/>
15/2/2018 -- 10:19:50 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state<br/>
15/2/2018 -- 10:19:50 - <Info> - time elapsed 64.058s<br/>
15/2/2018 -- 10:19:50 - <Perf> - 19 flows processed<br/>
15/2/2018 -- 10:19:50 - <Perf> - (W#01-eth1) Kernel: Packets 101, dropped 67, bytes 7927<br/>
15/2/2018 -- 10:19:50 - <Info> - (W#01-eth1) Dropped Packets 32<br/>
15/2/2018 -- 10:19:50 - <Info> - PACKET PKT_STREAM_ADD: 0<br/>
15/2/2018 -- 10:19:50 - <Info> - PAYLOAD MPM 7/875<br/>
15/2/2018 -- 10:19:50 - <Info> - STREAM MPM 0/0<br/>
15/2/2018 -- 10:19:50 - <Info> - PAYLOAD SIG 0/0<br/>
15/2/2018 -- 10:19:50 - <Info> - STREAM SIG 0/0<br/>
15/2/2018 -- 10:19:50 - <Info> - Alerts: 34<br/>
15/2/2018 -- 10:19:50 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216<br/>
15/2/2018 -- 10:19:50 - <Info> - segment_pool_memuse 0<br/>
15/2/2018 -- 10:19:50 - <Info> - segment_pool_memcnt 0<br/>
15/2/2018 -- 10:19:50 - <Perf> - host memory usage: 398144 bytes, maximum: 33554432<br/>
15/2/2018 -- 10:19:50 - <Perf> - htp memory 0 (0)<br/>
15/2/2018 -- 10:19:50 - <Info> - cleaning up signature grouping structure... complete<br/>
15/2/2018 -- 10:19:50 - <Notice> - Stats for 'eth1': pkts: 101, drop: 67 (66.34%), invalid chksum: 0<br/>
15/2/2018 -- 10:19:50 - <Perf> - eth1: restoring rxcsum offloading</div>
<div>--------------------</div>
<div> </div>
<div>Thanks for your help</div>
<div><br/>
</div>
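<div>As an added example (not part of the original post and not Suricata code): a small Python script that parses the stats.log and drop.log formats shown above, turns the cumulative stats counters into per-interval deltas, and breaks drop.log entries down by source and protocol, so capture-layer drops (capture.kernel_drops) can be compared with rule matches (detect.alert). The sample input is a constructed excerpt built from the values in the post.</div>

```python
"""Per-interval view of Suricata stats.log plus a drop.log breakdown.

Added example, not Suricata code. Parses the two log formats shown in the
post; the sample input below is a constructed excerpt of the posted values."""
import re
from collections import Counter

# "Date: 2/15/2018 -- 10:18:54 (uptime: 0d, 00h 00m 08s)"
DATE_RE = re.compile(r"^Date:\s+(\S+)\s+--\s+(\S+)\s+\(uptime:")
# "capture.kernel_drops | Total | 6"  (TM Name may also be a thread like W#01-eth1)
ROW_RE = re.compile(r"^([\w.]+)\s*\|\s*([\w#\-]+)\s*\|\s*(\d+)\s*$")
# "02/15/2018-10:19:31.182372: IN= OUT= SRC=8.8.8.8 DST=... PROTO=ICMP ..."
DROP_RE = re.compile(r"^(\S+):\s+(.*)$")

WATCHED = ("capture.kernel_packets", "capture.kernel_drops", "detect.alert")


def parse_stats_log(text):
    """Return [(timestamp, {counter: value}), ...], one entry per stats dump."""
    dumps, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DATE_RE.match(line)
        if m:
            current = {}
            dumps.append((f"{m.group(1)} {m.group(2)}", current))
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(3))
    return dumps


def interval_deltas(dumps, counters=WATCHED):
    """stats.log counters are cumulative since engine start; convert them to
    per-interval increments so a burst of drops shows up where it happened."""
    rows, prev = [], {}
    for ts, vals in dumps:
        row = {"time": ts}
        for c in counters:
            row[c] = vals.get(c, 0) - prev.get(c, 0)
        rows.append(row)
        prev = vals
    return rows


def parse_drop_log(text):
    """Parse drop.log KEY=VALUE lines. ICMP lines carry two ID= fields
    (IP header ID, then ICMP echo ID); the second one is stored as 'ID_2'."""
    entries = []
    for raw in text.splitlines():
        m = DROP_RE.match(raw.strip())
        if not m:
            continue
        fields = {"timestamp": m.group(1)}
        for tok in m.group(2).split():
            key, _, val = tok.partition("=")
            if key in fields:
                key += "_2"
            fields[key] = val
        entries.append(fields)
    return entries


def summarize(stats_text, drop_text):
    """Combine both logs into the numbers worth checking before tuning."""
    dumps = parse_stats_log(stats_text)
    if not dumps:
        return {"error": "no stats dumps found"}
    final = dumps[-1][1]
    pkts = final.get("capture.kernel_packets", 0)
    kdrops = final.get("capture.kernel_drops", 0)
    deltas = interval_deltas(dumps)
    # capture.kernel_drops is a capture-layer counter reported separately from
    # rule-driven "Dropped Packets"; where it grows faster than detect.alert,
    # that loss cannot be explained by the DROP rule alone.
    unexplained = sum(max(0, r["capture.kernel_drops"] - r["detect.alert"])
                      for r in deltas)
    drops = parse_drop_log(drop_text)
    return {
        "dumps": len(dumps),
        "capture_drop_pct": round(100.0 * kdrops / pkts, 2) if pkts else 0.0,
        "unexplained_kernel_drops": unexplained,
        "rule_drops_logged": len(drops),
        "rule_drops_by_src": dict(Counter(e.get("SRC", "?") for e in drops)),
        "rule_drops_by_proto": dict(Counter(e.get("PROTO", "?") for e in drops)),
    }


# Constructed excerpt: first, second and last dump from the post, trimmed.
SAMPLE_STATS = """\
Date: 2/15/2018 -- 10:18:54 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
capture.kernel_packets | Total | 2
detect.alert | Total | 2
Date: 2/15/2018 -- 10:19:01 (uptime: 0d, 00h 00m 15s)
Counter | TM Name | Value
capture.kernel_packets | Total | 12
capture.kernel_drops | Total | 6
detect.alert | Total | 6
Date: 2/15/2018 -- 10:19:50 (uptime: 0d, 00h 01m 04s)
Counter | TM Name | Value
capture.kernel_packets | Total | 101
capture.kernel_drops | Total | 67
detect.alert | Total | 34
"""
# Constructed excerpt: four drop.log lines from the post.
SAMPLE_DROPS = """\
02/15/2018-10:19:31.182372: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=35972 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14435
02/15/2018-10:19:31.680043: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=57830 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14691
02/15/2018-10:19:36.182297: IN= OUT= SRC=8.8.8.8 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=38420 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=14947
02/15/2018-10:19:36.687863: IN= OUT= SRC=9.9.9.9 DST=85.XXX.XXX.XXX LEN=60 TOS=0x00 TTL=62 ID=61465 PROTO=ICMP TYPE=0 CODE=0 ID=2304 SEQ=15203
"""

if __name__ == "__main__":
    for row in interval_deltas(parse_stats_log(SAMPLE_STATS)):
        print(row)
    print(summarize(SAMPLE_STATS, SAMPLE_DROPS))
```

On the posted run this reports a 66.34% capture drop rate, matching the engine's own "Stats for 'eth1'" line, with 4 rule-driven ICMP drops split evenly between the two sources.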
</div>
<div> </div>
<div class="signature"> </div></div></body></html>