<div dir="ltr"><div>No, nothing. But in eve.json only logs like this appear:</div><div><br></div>
<div>{"timestamp":"2018-06-19T07:39:39.798652+0000","event_type":"stats","stats":{"uptime":490,"capture":{"kernel_packets":642751,"kernel_drops":0,"bypassed":6133213300033},"decoder":{"pkts":643025,"bytes":47651302,"invalid":0,"ipv4":643025,"ipv6":0,"ethernet":643025,"raw":0,"null":0,"sll":0,"tcp":643025,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":643025,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":74,"max_pkt_size":1058,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":288796,"udp":0,"icmpv4":0,"icmpv6":0,"spare":400000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":142475512},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":189559,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":329034,"synack":0,"rst":0,"midstream_pickups":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":18350080,"reassembly_memuse":2621440},"detect":{"engines":[{"id":0,"last_reload":"2018-06-19T07:31:42.602932+0000","rules_loaded":18078,"rules_failed":0}],"alert":0,"mpm_list":0,"nonmpm_list":1161,"fnonmpm_list":1158,"match_list":1158},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"dcerpc_udp":0,"dns_udp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":245579,"est_pruned":0,"bypassed_pruned":0,"flows_checked":1935,"flows_notimeout":1935,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":64018,"rows_empty":298,"rows_busy":0,"rows_maxlen":5},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}}</div><div><br></div>
<div>Only when Suricata stops do logs appear, with flows marked as timed out, for example:</div><div><br></div>
<div>{"timestamp":"2018-06-19T07:39:39.796916+0000","flow_id":1970306366359069,"event_type":"flow","src_ip":"192.168.5.253","src_port":43376,"dest_ip":"10.2.31.208","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":156,"bytes_toclient":0,"start":"2018-06-19T07:38:56.378397+0000","end":"2018-06-19T07:38:56.378405+0000","age":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 19, 2018 at 9:08 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
> On 19 Jun 2018, at 09:52, C. L. Martinez <<a href="mailto:carlopmart@gmail.com">carlopmart@gmail.com</a>> wrote:<br>
> <br>
> Hi all,<br>
> <br>
>  I have problems with Suricata 4.1-beta1 and bpf filters. As an example:<br>
> <br>
> (ip and (src host (192.168.5.1 or 192.168.5.30 or 192.168.5.31 or 192.168.5 250 or 192.168.5 251 or 192.168.5.252 or 192.168.5.253 or 192.168.5.250 or 192.168.5.251 or 192.168.5.252 or 192.168.5.253) and<br>
>         (tcp dst port (22 or 25 or 80 or 443 or 445 or 8009 or 8080 or 8081 or 8082 or 8083 or 8084 or 8085 or 8086 or 8087 or 8088 or 8139 or 9443))) and<br>
> not host ( 192.168.6.35 or 192.168.6.36))<br>
> <br>
>  This filter works without problems in tcpdump, but suricata doesn't process it ... Suricata command line is:<br>
> <br>
> suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --pfring=eno2 -vvv -k none -F /etc/suricata/filter_policy.conf<br>
<br>
<br>
Any warnings/errs in the start command output ?<br>
<br>
> <br>
> Any idea?<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> <br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote></div><br></div>
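<div>One way to check from eve.json whether the BPF filter in this thread is actually being honored, as an added example that is not part of the original thread or of Suricata itself: encode the filter's source hosts, destination ports and excluded hosts as a predicate and count logged flows that fall outside it. The host and port sets are transcribed from the quoted filter (the "192.168.5 250"-style entries are read as 192.168.5.250, an assumption); the sample records are constructed, with the thread's own flow event as the first flow line.</div>

```python
import json

# Host and port sets transcribed from the BPF filter quoted in the thread
# (assumption: "192.168.5 250" etc. were meant as 192.168.5.250 etc.).
SRC_HOSTS = {"192.168.5.1", "192.168.5.30", "192.168.5.31", "192.168.5.250",
             "192.168.5.251", "192.168.5.252", "192.168.5.253"}
DST_PORTS = {22, 25, 80, 443, 445, 8009, 8080, 8081, 8082, 8083, 8084,
             8085, 8086, 8087, 8088, 8139, 9443}
EXCLUDED_HOSTS = {"192.168.6.35", "192.168.6.36"}

# Constructed eve.json sample: a trimmed stats event, the flow event from the
# thread, and an invented flow whose source host is not in the filter.
SAMPLE_EVE = """
{"timestamp":"2018-06-19T07:39:39.798652+0000","event_type":"stats","stats":{"uptime":490}}
{"timestamp":"2018-06-19T07:39:39.796916+0000","flow_id":1970306366359069,"event_type":"flow","src_ip":"192.168.5.253","src_port":43376,"dest_ip":"10.2.31.208","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"state":"new","reason":"shutdown","alerted":false}}
{"timestamp":"2018-06-19T07:40:01.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.2.31.208","src_port":80,"dest_ip":"192.168.5.253","dest_port":43377,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2,"state":"closed","reason":"timeout","alerted":false}}
"""


def flow_matches_filter(ev):
    """True if a flow event is one the BPF filter should have let through."""
    if ev.get("proto") != "TCP":
        return False
    if ev["src_ip"] in EXCLUDED_HOSTS or ev["dest_ip"] in EXCLUDED_HOSTS:
        return False
    return ev["src_ip"] in SRC_HOSTS and ev["dest_port"] in DST_PORTS


def audit_eve(text):
    """Count event types, flow close reasons, and flows inside/outside the filter.
    Any flow outside the filter is evidence the BPF filter is not being applied."""
    summary = {"events": {}, "flow_reasons": {}, "in_filter": 0, "outside_filter": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        et = ev.get("event_type", "unknown")
        summary["events"][et] = summary["events"].get(et, 0) + 1
        if et != "flow":
            continue
        reason = ev.get("flow", {}).get("reason", "unknown")
        summary["flow_reasons"][reason] = summary["flow_reasons"].get(reason, 0) + 1
        key = "in_filter" if flow_matches_filter(ev) else "outside_filter"
        summary[key] += 1
    return summary


if __name__ == "__main__":
    print(json.dumps(audit_eve(SAMPLE_EVE), indent=2))
```

Because the filter matches on <code>src host</code> only, a flow that passed it is expected to show replies counted as zero <code>pkts_toclient</code>, as in the thread's own record; a flow log with traffic in both directions from a source outside the set is the clearer sign the filter was not applied.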