<div dir="ltr"><div>It appears that if the HTTP info (URI, HOST, REFERER, USER AGENT) aren't known the file gets stored.</div><div><br></div><div>The info below comes from the file meta data files that are created for each capture.</div><div><br></div><div>foo.cap</div><div><br></div><div>magic: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PDF document, version 1.4</div><div>app proto: http</div><div>http uri: /files/documents/2018/03/12/dor-2017-inc-sch-hc.pdf</div><div>http host: <a href="http://www.mass.gov">www.mass.gov</a></div><div>http referer: <a href="https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions">https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions</a></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko</div><div><br></div><div>magic: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: JPEG image data, JFIF standard 1.01</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PDF document, version 1.6</div><div>app proto: http</div><div>http uri: /files/documents/2018/02/07/dor-2017-inc-sch-xy.pdf</div><div>http host: <a href="http://www.mass.gov">www.mass.gov</a></div><div>http referer: <a href="https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions">https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions</a></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko</div><div><br></div><div>magic: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: JPEG image data, JFIF standard 1.01</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: HTML document, ASCII text, with very long lines</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: HTML document, ASCII text, with very long lines</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: UTF-8 Unicode text, with very long lines</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div><br></div><div>boo.cap</div><div><br></div><div><br></div><div>magic: PNG image data, 3996 x 80, 8-bit colormap, non-interlaced</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PNG image data, 492 x 400, 8-bit/color RGB, non-interlaced</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: HTML document, UTF-8 Unicode text, with very long lines, with no line terminators</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: data</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PNG image data, 310 x 440, 8-bit colormap, non-interlaced</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: ASCII text, with very long lines</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: ASCII text, with very long lines</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PNG image data, 320 x 198, 8-bit colormap, non-interlaced</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PDF document, version 1.4</div><div>app proto: http</div><div>http uri: /archive3/GflUt00Q30KF03YzCLl43rm2po76/D3400UM_SG(En)02.pdf</div><div>http host: <a href="http://download.nikonimglib.com">download.nikonimglib.com</a></div><div>http referer: <a href="http://downloadcenter.nikonimglib.com/en/products/330/D3400.html">http://downloadcenter.nikonimglib.com/en/products/330/D3400.html</a></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</div><div><br></div><div>magic: PDF document, version 1.3</div><div>app proto: http</div><div>http uri: /biassets/bi/4128311.pdf</div><div>http host: <a href="http://www.lego.com">www.lego.com</a></div><div>http referer: <unknown></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</div><div><br></div><div>magic: PDF document, version 1.3</div><div>app proto: http</div><div>http uri: /biassets/bi/4128312.pdf</div><div>http host: <a href="http://www.lego.com">www.lego.com</a></div><div>http referer: <unknown></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</div><div><br></div><div>magic: JPEG image data, EXIF standard</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div>magic: PDF document, version 1.3</div><div>app proto: http</div><div>http uri: /biassets/bi/4132659.pdf</div><div>http host: <a href="http://www.lego.com">www.lego.com</a></div><div>http referer: <unknown></div><div>http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</div><div><br></div><div>magic: UTF-8 Unicode text, with very long lines, with no line terminators</div><div>app proto: http</div><div>http uri: <unknown></div><div>http host: <unknown></div><div>http referer: <unknown></div><div>http user agent: <unknown></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 16, 2018 at 8:26 AM, Carl Rotenan <span dir="ltr"><<a href="mailto:carlrotenan@gmail.com" target="_blank">carlrotenan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yes, the same issue with just filestore. <div><br></div><div>I'm also getting the same behavior with 4.0.5.</div><div><br></div><div>I'm looking to just extract files (PDF, archives, docs, etc) from HTTP and SMTP and have them shipped off for further processing.</div><div><br></div><div>The capture file can be found here:</div><div><br></div><div><a href="https://www.dropbox.com/s/kq8jl67km90qnef/foo.cap?dl=0" target="_blank">https://www.dropbox.com/s/<wbr>kq8jl67km90qnef/foo.cap?dl=0</a><br><div><br></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 16, 2018 at 8:21 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><span><br><div><br>On 15 Aug 2018, at 18:16, Carl Rotenan <<a href="mailto:carlrotenan@gmail.com" target="_blank">carlrotenan@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div>I'm having trouble with file store version 2 on 4.1.0-rc1.</div><div><br></div><div>I have one rule that specifies to store PDF file based on a filemagic match of "PDF", see below.</div><div><br></div><div>[root@localhost filestore]# cat /etc/suricata/rules/carl.rules<wbr> <br>alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF"; filestore:both,file; sid:1; rev:1;)<br></div><div><br></div></div></div></blockquote><div><br></div></span><div>If you just try “filestore” would you have the same issue?</div><div><div class="m_6075006347667463749h5"><div><br></div><br><blockquote type="cite"><div><div dir="ltr"><div>The problem is that 10 files are being stored, 2 PDF files and 8 HTML files.</div><div><br></div><div><div>[root@localhost filestore]# ls -laR | grep "\-rw\-r\-\-r\-\-"<br></div><div>-rw-r--r--. 1 root root 104914 Aug 15 19:58 0a976d52cc0246accef29bd1dd55ef<wbr>1fc752fca2e0bae248ab8e1edff343<wbr>32ac</div><div>-rw-r--r--. 1 root root 5452 Aug 15 19:58 318a0285c3cfa27290787f568ae155<wbr>a87d203dbfcacfac2b617a0f3f4cb0<wbr>de46</div><div>-rw-r--r--. 1 root root 106496 Aug 15 19:58 3abe6a42b9f6ab1db57dc4bbc0a7aa<wbr>145a13ca1f8832c4e85b50ecab1ef7<wbr>19b2</div><div>-rw-r--r--. 1 root root 66177 Aug 15 19:58 7db3196532bfcac614288aedd903ba<wbr>900734ddd05b27e1b9d15a06ded88b<wbr>5b18</div><div>-rw-r--r--. 1 root root 50884 Aug 15 19:58 8929bc1979b7379062a105a54e5376<wbr>7c94901d7ae8846e84b0558efdd4a4<wbr>fe22</div><div>-rw-r--r--. 1 root root 106496 Aug 15 19:58 8994585a6830a2ba2b151c69f06443<wbr>3cfd6a34f3a771e759d42506375cff<wbr>2d4d</div><div>-rw-r--r--. 1 root root 34570 Aug 15 19:58 949e5724ca9cd642fb48e915148d92<wbr>77f0974b0f85668ca2262d070e3ed9<wbr>3757</div><div>-rw-r--r--. 1 root root 96014 Aug 15 19:58 c6f1db059595d3ff29e58129adf47f<wbr>94c0d55d0aa3efa26cecb24d21c8c2<wbr>0ffa</div><div>-rw-r--r--. 1 root root 77393 Aug 15 19:58 d83b46b8d0c391019f8857d0b7c73f<wbr>65c7a4cd534bdb60c4026048c645f8<wbr>482c</div><div>-rw-r--r--. 1 root root 85157 Aug 15 19:58 f120af96856274bc67184f5d88d93a<wbr>8c593fa841a858fc36bb9ed1e13774<wbr>e43f</div><div>[root@localhost filestore]# ls -laR | grep "\-rw\-r\-\-r\-\-" | wc -l</div><div>10</div><div>[root@localhost filestore]# </div></div><div><br></div><div>Any thoughts? </div><div><br></div><div>Thanks in advance.</div><div><br></div><div><br></div><div>Debug info:</div><div><br></div>[root@localhost filestore]# suricata -V<br>This is Suricata version 4.1.0-rc1 RELEASE<div><br></div><div>[root@localhost filestore]# suricata -r /root/foo.cap -vvvvvvvvvvvvvvvvvv -c /etc/suricata/suricata.yaml --dump-config</div><div>pcap-file = (null)</div><div>pcap-file.file = /root/foo.cap</div><div>pcap-file.checksum-checks = auto</div><div>vars = (null)</div><div>vars.address-groups = (null)</div><div>vars.address-groups.HOME_NET = [<a href="http://192.168.0.0/16,10.0.0.0/8,172.16.0.0/12" target="_blank">192.168.0.0/16,10.0.0.0/8,172<wbr>.16.0.0/12</a>]</div><div>vars.address-groups.EXTERNAL_N<wbr>ET = !$HOME_NET</div><div>vars.address-groups.HTTP_SERVE<wbr>RS = $HOME_NET</div><div>vars.address-groups.SMTP_SERVE<wbr>RS = $HOME_NET</div><div>vars.address-groups.SQL_SERVER<wbr>S = $HOME_NET</div><div>vars.address-groups.DNS_SERVER<wbr>S = $HOME_NET</div><div>vars.address-groups.TELNET_SER<wbr>VERS = $HOME_NET</div><div>vars.address-groups.AIM_SERVER<wbr>S = $EXTERNAL_NET</div><div>vars.address-groups.DNP3_SERVE<wbr>R = $HOME_NET</div><div>vars.address-groups.DNP3_CLIEN<wbr>T = $HOME_NET</div><div>vars.address-groups.MODBUS_CLI<wbr>ENT = $HOME_NET</div><div>vars.address-groups.MODBUS_SER<wbr>VER = $HOME_NET</div><div>vars.address-groups.ENIP_CLIEN<wbr>T = $HOME_NET</div><div>vars.address-groups.ENIP_SERVE<wbr>R = $HOME_NET</div><div>vars.port-groups = (null)</div><div>vars.port-groups.HTTP_PORTS = 80</div><div>vars.port-groups.SHELLCODE_POR<wbr>TS = !80</div><div>vars.port-groups.ORACLE_PORTS = 1521</div><div>vars.port-groups.SSH_PORTS = 22</div><div>vars.port-groups.DNP3_PORTS = 20000</div><div>vars.port-groups.MODBUS_PORTS = 502</div><div>vars.port-groups.FILE_DATA_POR<wbr>TS = [$HTTP_PORTS,110,143]</div><div>vars.port-groups.FTP_PORTS = 21</div><div>default-log-dir = /var/log/suricata/</div><div>stats = (null)</div><div>stats.enabled = yes</div><div>stats.interval = 8</div><div>outputs = (null)</div><div>outputs.0 = fast</div><div>outputs.0.fast = (null)</div><div>outputs.0.fast.enabled = yes</div><div>outputs.0.fast.filename = fast.log</div><div>outputs.0.fast.append = yes</div><div>outputs.1 = eve-log</div><div>outputs.1.eve-log = (null)</div><div>outputs.1.eve-log.enabled = yes</div><div>outputs.1.eve-log.filetype = regular</div><div>outputs.1.eve-log.filename = eve.json</div><div>outputs.1.eve-log.pcap-file = false</div><div>outputs.1.eve-log.xff = (null)</div><div>outputs.1.eve-log.xff.enabled = no</div><div>outputs.1.eve-log.xff.mode = extra-data</div><div>outputs.1.eve-log.xff.deployme<wbr>nt = reverse</div><div>outputs.1.eve-log.xff.header = X-Forwarded-For</div><div>outputs.1.eve-log.types = (null)</div><div>outputs.1.eve-log.types.0 = alert</div><div>outputs.1.eve-log.types.0.aler<wbr>t = (null)</div><div>outputs.1.eve-log.types.0.aler<wbr>t.tagged-packets = yes</div><div>outputs.1.eve-log.types.1 = http</div><div>outputs.1.eve-log.types.1.http = (null)</div><div>outputs.1.eve-log.types.1.http<wbr>.extended = yes</div><div>outputs.1.eve-log.types.2 = dns</div><div>outputs.1.eve-log.types.2.dns = (null)</div><div>outputs.1.eve-log.types.2.dns.<wbr>version = 2</div><div>outputs.1.eve-log.types.3 = tls</div><div>outputs.1.eve-log.types.3.tls = (null)</div><div>outputs.1.eve-log.types.3.tls.<wbr>extended = yes</div><div>outputs.1.eve-log.types.4 = smtp</div><div>outputs.1.eve-log.types.4.smtp = </div><div>outputs.1.eve-log.types.5 = dhcp</div><div>outputs.1.eve-log.types.5.dhcp = (null)</div><div>outputs.1.eve-log.types.5.dhcp<wbr>.enabled = no</div><div>outputs.1.eve-log.types.5.dhcp<wbr>.extended = no</div><div>outputs.1.eve-log.types.6 = ssh</div><div>outputs.1.eve-log.types.7 = stats</div><div>outputs.1.eve-log.types.7.stat<wbr>s = (null)</div><div>outputs.1.eve-log.types.7.stat<wbr>s.totals = yes</div><div>outputs.1.eve-log.types.7.stat<wbr>s.threads = no</div><div>outputs.1.eve-log.types.7.stat<wbr>s.deltas = no</div><div>outputs.1.eve-log.types.8 = flow</div><div>outputs.2 = unified2-alert</div><div>outputs.2.unified2-alert = (null)</div><div>outputs.2.unified2-alert.enabl<wbr>ed = no</div><div>outputs.2.unified2-alert.filen<wbr>ame = unified2.alert</div><div>outputs.2.unified2-alert.xff = (null)</div><div>outputs.2.unified2-alert.xff.e<wbr>nabled = no</div><div>outputs.2.unified2-alert.xff.m<wbr>ode = extra-data</div><div>outputs.2.unified2-alert.xff.d<wbr>eployment = reverse</div><div>outputs.2.unified2-alert.xff.h<wbr>eader = X-Forwarded-For</div><div>outputs.3 = http-log</div><div>outputs.3.http-log = (null)</div><div>outputs.3.http-log.enabled = no</div><div>outputs.3.http-log.filename = http.log</div><div>outputs.3.http-log.append = yes</div><div>outputs.4 = tls-log</div><div>outputs.4.tls-log = (null)</div><div>outputs.4.tls-log.enabled = no</div><div>outputs.4.tls-log.filename = tls.log</div><div>outputs.4.tls-log.append = yes</div><div>outputs.5 = tls-store</div><div>outputs.5.tls-store = (null)</div><div>outputs.5.tls-store.enabled = no</div><div>outputs.6 = dns-log</div><div>outputs.6.dns-log = (null)</div><div>outputs.6.dns-log.enabled = no</div><div>outputs.6.dns-log.filename = dns.log</div><div>outputs.6.dns-log.append = yes</div><div>outputs.7 = pcap-log</div><div>outputs.7.pcap-log = (null)</div><div>outputs.7.pcap-log.enabled = no</div><div>outputs.7.pcap-log.filename = log.pcap</div><div>outputs.7.pcap-log.limit = 1000mb</div><div>outputs.7.pcap-log.max-files = 2000</div><div>outputs.7.pcap-log.compression = none</div><div>outputs.7.pcap-log.mode = normal</div><div>outputs.7.pcap-log.use-stream-<wbr>depth = no</div><div>outputs.7.pcap-log.honor-pass-<wbr>rules = no</div><div>outputs.8 = alert-debug</div><div>outputs.8.alert-debug = (null)</div><div>outputs.8.alert-debug.enabled = no</div><div>outputs.8.alert-debug.filename = alert-debug.log</div><div>outputs.8.alert-debug.append = yes</div><div>outputs.9 = alert-prelude</div><div>outputs.9.alert-prelude = (null)</div><div>outputs.9.alert-prelude.enable<wbr>d = no</div><div>outputs.9.alert-prelude.profil<wbr>e = suricata</div><div>outputs.9.alert-prelude.log-pa<wbr>cket-content = no</div><div>outputs.9.alert-prelude.log-pa<wbr>cket-header = yes</div><div>outputs.10 = stats</div><div>outputs.10.stats = (null)</div><div>outputs.10.stats.enabled = yes</div><div>outputs.10.stats.filename = stats.log</div><div>outputs.10.stats.append = yes</div><div>outputs.10.stats.totals = yes</div><div>outputs.10.stats.threads = no</div><div>outputs.11 = syslog</div><div>outputs.11.syslog = (null)</div><div>outputs.11.syslog.enabled = no</div><div>outputs.11.syslog.facility = local5</div><div>outputs.12 = drop</div><div>outputs.12.drop = (null)</div><div>outputs.12.drop.enabled = no</div><div>outputs.12.drop.filename = drop.log</div><div>outputs.12.drop.append = yes</div><div>outputs.13 = file-store</div><div>outputs.13.file-store = (null)</div><div>outputs.13.file-store.version = 2</div><div>outputs.13.file-store.enabled = yes</div><div>outputs.13.file-store.write-fi<wbr>leinfo = no</div><div>outputs.13.file-store.force-fi<wbr>lestore = no</div><div>outputs.13.file-store.xff = (null)</div><div>outputs.13.file-store.xff.enab<wbr>led = no</div><div>outputs.13.file-store.xff.mode = extra-data</div><div>outputs.13.file-store.xff.depl<wbr>oyment = reverse</div><div>outputs.13.file-store.xff.head<wbr>er = X-Forwarded-For</div><div>outputs.14 = file-log</div><div>outputs.14.file-log = (null)</div><div>outputs.14.file-log.enabled = yes</div><div>outputs.14.file-log.filename = files-json.log</div><div>outputs.14.file-log.append = yes</div><div>outputs.14.file-log.force-magi<wbr>c = no</div><div>outputs.15 = tcp-data</div><div>outputs.15.tcp-data = (null)</div><div>outputs.15.tcp-data.enabled = no</div><div>outputs.15.tcp-data.type = file</div><div>outputs.15.tcp-data.filename = tcp-data.log</div><div>outputs.16 = http-body-data</div><div>outputs.16.http-body-data = (null)</div><div>outputs.16.http-body-data.enab<wbr>led = no</div><div>outputs.16.http-body-data.type = file</div><div>outputs.16.http-body-data.file<wbr>name = http-data.log</div><div>outputs.17 = lua</div><div>outputs.17.lua = (null)</div><div>outputs.17.lua.enabled = no</div><div>outputs.17.lua.scripts = </div><div>logging = (null)</div><div>logging.default-log-level = notice</div><div>logging.default-output-filter = </div><div>logging.outputs = (null)</div><div>logging.outputs.0 = console</div><div>logging.outputs.0.console = (null)</div><div>logging.outputs.0.console.enab<wbr>led = yes</div><div>logging.outputs.1 = file</div><div>logging.outputs.1.file = (null)</div><div>logging.outputs.1.file.enabled = yes</div><div>logging.outputs.1.file.level = info</div><div>logging.outputs.1.file.filenam<wbr>e = /var/log/suricata/suricata.log</div><div>logging.outputs.2 = syslog</div><div>logging.outputs.2.syslog = (null)</div><div>logging.outputs.2.syslog.enabl<wbr>ed = no</div><div>logging.outputs.2.syslog.facil<wbr>ity = local5</div><div>logging.outputs.2.syslog.forma<wbr>t = [%i] <%d> -- </div><div>af-packet = (null)</div><div>af-packet.0 = interface</div><div>af-packet.0.interface = eth0</div><div>af-packet.0.cluster-id = 99</div><div>af-packet.0.cluster-type = cluster_flow</div><div>af-packet.0.defrag = yes</div><div>af-packet.1 = interface</div><div>af-packet.1.interface = default</div><div>pcap = (null)</div><div>pcap.0 = interface</div><div>pcap.0.interface = eth0</div><div>pcap.1 = interface</div><div>pcap.1.interface = default</div><div>app-layer = (null)</div><div>app-layer.protocols = (null)</div><div>app-layer.protocols.krb5 = (null)</div><div>app-layer.protocols.krb5.enabl<wbr>ed = no</div><div>app-layer.protocols.ikev2 = (null)</div><div>app-layer.protocols.ikev2.enab<wbr>led = yes</div><div>app-layer.protocols.tls = (null)</div><div>app-layer.protocols.tls.enable<wbr>d = yes</div><div>app-layer.protocols.tls.detect<wbr>ion-ports = (null)</div><div>app-layer.protocols.tls.detect<wbr>ion-ports.dp = 443</div><div>app-layer.protocols.tls.ja3-fi<wbr>ngerprints = no</div><div>app-layer.protocols.dcerpc = (null)</div><div>app-layer.protocols.dcerpc.ena<wbr>bled = yes</div><div>app-layer.protocols.ftp = (null)</div><div>app-layer.protocols.ftp.enable<wbr>d = yes</div><div>app-layer.protocols.ssh = (null)</div><div>app-layer.protocols.ssh.enable<wbr>d = yes</div><div>app-layer.protocols.smtp = (null)</div><div>app-layer.protocols.smtp.enabl<wbr>ed = yes</div><div>app-layer.protocols.smtp.mime = (null)</div><div>app-layer.protocols.smtp.mime.<wbr>decode-mime = yes</div><div>app-layer.protocols.smtp.mime.<wbr>decode-base64 = yes</div><div>app-layer.protocols.smtp.mime.<wbr>decode-quoted-printable = yes</div><div>app-layer.protocols.smtp.mime.<wbr>header-value-depth = 2000</div><div>app-layer.protocols.smtp.mime.<wbr>extract-urls = yes</div><div>app-layer.protocols.smtp.mime.<wbr>body-md5 = no</div><div>app-layer.protocols.smtp.inspe<wbr>cted-tracker = (null)</div><div>app-layer.protocols.smtp.inspe<wbr>cted-tracker.content-limit = 100000</div><div>app-layer.protocols.smtp.inspe<wbr>cted-tracker.content-inspect-<wbr>min-size = 32768</div><div>app-layer.protocols.smtp.inspe<wbr>cted-tracker.content-inspect-<wbr>window = 4096</div><div>app-layer.protocols.imap = (null)</div><div>app-layer.protocols.imap.enabl<wbr>ed = detection-only</div><div>app-layer.protocols.msn = (null)</div><div>app-layer.protocols.msn.enable<wbr>d = detection-only</div><div>app-layer.protocols.smb = (null)</div><div>app-layer.protocols.smb.enable<wbr>d = yes</div><div>app-layer.protocols.smb.detect<wbr>ion-ports = (null)</div><div>app-layer.protocols.smb.detect<wbr>ion-ports.dp = 139, 445</div><div>app-layer.protocols.nfs = (null)</div><div>app-layer.protocols.nfs.enable<wbr>d = no</div><div>app-layer.protocols.tftp = (null)</div><div>app-layer.protocols.tftp.enabl<wbr>ed = no</div><div>app-layer.protocols.dns = (null)</div><div>app-layer.protocols.dns.tcp = (null)</div><div>app-layer.protocols.dns.tcp.en<wbr>abled = yes</div><div><a href="http://app-layer.protocols.dns.tcp.de">app-layer.protocols.dns.tcp.de</a><wbr>tection-ports = (null)</div><div><a href="http://app-layer.protocols.dns.tcp.de">app-layer.protocols.dns.tcp.de</a><wbr>tection-ports.dp = 53</div><div>app-layer.protocols.dns.udp = (null)</div><div>app-layer.protocols.dns.udp.en<wbr>abled = yes</div><div><a href="http://app-layer.protocols.dns.udp.de">app-layer.protocols.dns.udp.de</a><wbr>tection-ports = (null)</div><div><a href="http://app-layer.protocols.dns.udp.de">app-layer.protocols.dns.udp.de</a><wbr>tection-ports.dp = 53</div><div>app-layer.protocols.http = (null)</div><div>app-layer.protocols.http.enabl<wbr>ed = yes</div><div>app-layer.protocols.http.libht<wbr>p = (null)</div><div>app-layer.protocols.http.libht<wbr>p.default-config = (null)</div><div>app-layer.protocols.http.libht<wbr>p.default-config.personality = IDS</div><div>app-layer.protocols.http.libht<wbr>p.default-config.request-body-<wbr>limit = 100kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.response-<wbr>body-limit = 100kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.request-body-<wbr>minimal-inspect-size = 32kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.request-body-<wbr>inspect-window = 4kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.response-<wbr>body-minimal-inspect-size = 40kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.response-<wbr>body-inspect-window = 16kb</div><div>app-layer.protocols.http.libht<wbr>p.default-config.response-<wbr>body-decompress-layer-limit = 2</div><div>app-layer.protocols.http.libht<wbr>p.default-config.http-body-<wbr>inline = auto</div><div>app-layer.protocols.http.libht<wbr>p.default-config.swf-decompres<wbr>sion = (null)</div><div>app-layer.protocols.http.libht<wbr>p.default-config.swf-decompres<wbr>sion.enabled = yes</div><div>app-layer.protocols.http.libht<wbr>p.default-config.swf-decompres<wbr>sion.type = both</div><div>app-layer.protocols.http.libht<wbr>p.default-config.swf-decompres<wbr>sion.compress-depth = 0</div><div>app-layer.protocols.http.libht<wbr>p.default-config.swf-decompres<wbr>sion.decompress-depth = 0</div><div>app-layer.protocols.http.libht<wbr>p.default-config.double-decode<wbr>-path = no</div><div>app-layer.protocols.http.libht<wbr>p.default-config.double-decode<wbr>-query = no</div><div>app-layer.protocols.http.libht<wbr>p.server-config = </div><div>app-layer.protocols.modbus = (null)</div><div>app-layer.protocols.modbus.ena<wbr>bled = no</div><div>app-layer.protocols.modbus.det<wbr>ection-ports = (null)</div><div>app-layer.protocols.modbus.det<wbr>ection-ports.dp = 502</div><div>app-layer.protocols.modbus.str<wbr>eam-depth = 0</div><div>app-layer.protocols.dnp3 = (null)</div><div>app-layer.protocols.dnp3.enabl<wbr>ed = no</div><div>app-layer.protocols.dnp3.detec<wbr>tion-ports = (null)</div><div>app-layer.protocols.dnp3.detec<wbr>tion-ports.dp = 20000</div><div>app-layer.protocols.enip = (null)</div><div>app-layer.protocols.enip.enabl<wbr>ed = no</div><div>app-layer.protocols.enip.detec<wbr>tion-ports = (null)</div><div>app-layer.protocols.enip.detec<wbr>tion-ports.dp = 44818</div><div>app-layer.protocols.enip.detec<wbr>tion-ports.sp = 44818</div><div>app-layer.protocols.ntp = (null)</div><div>app-layer.protocols.ntp.enable<wbr>d = no</div><div>app-layer.protocols.dhcp = (null)</div><div>app-layer.protocols.dhcp.enabl<wbr>ed = no</div><div>asn1-max-frames = 256</div><div>coredump = (null)</div><div>coredump.max-dump = unlimited</div><div>host-mode = auto</div><div>unix-command = (null)</div><div>unix-command.enabled = auto</div><div>legacy = (null)</div><div>legacy.uricontent = enabled</div><div>engine-analysis = (null)</div><div>engine-analysis.rules-fast-pat<wbr>tern = yes</div><div>engine-analysis.rules = yes</div><div>pcre = (null)</div><div>pcre.match-limit = 3500</div><div>pcre.match-limit-recursion = 1500</div><div>host-os-policy = (null)</div><div>host-os-policy.windows = (null)</div><div>host-os-policy.windows.0 = <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div>host-os-policy.bsd = (null)</div><div>host-os-policy.bsd-right = (null)</div><div>host-os-policy.old-linux = (null)</div><div>host-os-policy.linux = (null)</div><div>host-os-policy.old-solaris = (null)</div><div>host-os-policy.solaris = (null)</div><div>host-os-policy.hpux10 = (null)</div><div>host-os-policy.hpux11 = (null)</div><div>host-os-policy.irix = (null)</div><div>host-os-policy.macos = (null)</div><div>host-os-policy.vista = (null)</div><div>host-os-policy.windows2k3 = (null)</div><div>defrag = (null)</div><div>defrag.memcap = 32mb</div><div>defrag.hash-size = 65536</div><div>defrag.trackers = 65535</div><div>defrag.max-frags = 65535</div><div>defrag.prealloc = yes</div><div>defrag.timeout = 60</div><div>flow = (null)</div><div>flow.memcap = 128mb</div><div>flow.hash-size = 65536</div><div>flow.prealloc = 10000</div><div>flow.emergency-recovery = 30</div><div>vlan = (null)</div><div>vlan.use-for-tracking = true</div><div>flow-timeouts = (null)</div><div>flow-timeouts.default = (null)</div><div>flow-timeouts.default.new = 30</div><div>flow-timeouts.default.establis<wbr>hed = 300</div><div>flow-timeouts.default.closed = 0</div><div>flow-timeouts.default.bypassed = 100</div><div>flow-timeouts.default.emergenc<wbr>y-new = 10</div><div>flow-timeouts.default.emergenc<wbr>y-established = 100</div><div>flow-timeouts.default.emergenc<wbr>y-closed = 0</div><div>flow-timeouts.default.emergenc<wbr>y-bypassed = 50</div><div>flow-timeouts.tcp = (null)</div><div>flow-timeouts.tcp.new = 60</div><div>flow-timeouts.tcp.established = 600</div><div>flow-timeouts.tcp.closed = 60</div><div>flow-timeouts.tcp.bypassed = 100</div><div>flow-timeouts.tcp.emergency-ne<wbr>w = 5</div><div>flow-timeouts.tcp.emergency-es<wbr>tablished = 100</div><div>flow-timeouts.tcp.emergency-cl<wbr>osed = 10</div><div>flow-timeouts.tcp.emergency-by<wbr>passed = 50</div><div>flow-timeouts.udp = (null)</div><div>flow-timeouts.udp.new = 30</div><div>flow-timeouts.udp.established = 300</div><div>flow-timeouts.udp.bypassed = 100</div><div>flow-timeouts.udp.emergency-ne<wbr>w = 10</div><div>flow-timeouts.udp.emergency-es<wbr>tablished = 100</div><div>flow-timeouts.udp.emergency-by<wbr>passed = 50</div><div>flow-timeouts.icmp = (null)</div><div>flow-timeouts.icmp.new = 30</div><div>flow-timeouts.icmp.established = 300</div><div>flow-timeouts.icmp.bypassed = 100</div><div>flow-timeouts.icmp.emergency-n<wbr>ew = 10</div><div>flow-timeouts.icmp.emergency-e<wbr>stablished = 100</div><div>flow-timeouts.icmp.emergency-b<wbr>ypassed = 50</div><div>stream = (null)</div><div>stream.memcap = 64mb</div><div>stream.checksum-validation = yes</div><div>stream.inline = auto</div><div>stream.reassembly = (null)</div><div>stream.reassembly.memcap = 256mb</div><div>stream.reassembly.depth = 1mb</div><div>stream.reassembly.toserver-chu<wbr>nk-size = 2560</div><div>stream.reassembly.toclient-chu<wbr>nk-size = 2560</div><div>stream.reassembly.randomize-ch<wbr>unk-size = yes</div><div>host = (null)</div><div>host.hash-size = 4096</div><div>host.prealloc = 1000</div><div>host.memcap = 32mb</div><div>decoder = (null)</div><div>decoder.teredo = (null)</div><div>decoder.teredo.enabled = true</div><div>detect = (null)</div><div>detect.profile = medium</div><div>detect.custom-values = (null)</div><div>detect.custom-values.toclient-<wbr>groups = 3</div><div>detect.custom-values.toserver-<wbr>groups = 25</div><div>detect.sgh-mpm-context = auto</div><div>detect.inspection-recursion-li<wbr>mit = 3000</div><div>detect.prefilter = (null)</div><div>detect.prefilter.default = mpm</div><div>detect.grouping = </div><div>detect.profiling = (null)</div><div>detect.profiling.grouping = (null)</div><div>detect.profiling.grouping.dump<wbr>-to-disk = false</div><div>detect.profiling.grouping.incl<wbr>ude-rules = false</div><div>detect.profiling.grouping.incl<wbr>ude-mpm-stats = false</div><div>mpm-algo = auto</div><div>spm-algo = auto</div><div>threading = (null)</div><div>threading.set-cpu-affinity = no</div><div>threading.cpu-affinity = (null)</div><div>threading.cpu-affinity.0 = management-cpu-set</div><div>threading.cpu-affinity.0.manag<wbr>ement-cpu-set = (null)</div><div>threading.cpu-affinity.0.manag<wbr>ement-cpu-set.cpu = (null)</div><div>threading.cpu-affinity.0.manag<wbr>ement-cpu-set.cpu.0 = 0</div><div>threading.cpu-affinity.1 = receive-cpu-set</div><div>threading.cpu-affinity.1.recei<wbr>ve-cpu-set = (null)</div><div>threading.cpu-affinity.1.recei<wbr>ve-cpu-set.cpu = (null)</div><div>threading.cpu-affinity.1.recei<wbr>ve-cpu-set.cpu.0 = 0</div><div>threading.cpu-affinity.2 = worker-cpu-set</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.cpu = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.cpu.0 = all</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.mode = exclusive</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.low = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.low.0 = 0</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.medium = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.medium.0 = 1-2</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.high = (null)</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.high.0 = 3</div><div>threading.cpu-affinity.2.worke<wbr>r-cpu-set.prio.default = medium</div><div>threading.detect-thread-ratio = 1.0</div><div>luajit = (null)</div><div>luajit.states = 128</div><div>profiling = (null)</div><div>profiling.rules = (null)</div><div>profiling.rules.enabled = yes</div><div>profiling.rules.filename = rule_perf.log</div><div>profiling.rules.append = yes</div><div>profiling.rules.limit = 10</div><div>profiling.rules.json = yes</div><div>profiling.keywords = (null)</div><div>profiling.keywords.enabled = yes</div><div>profiling.keywords.filename = keyword_perf.log</div><div>profiling.keywords.append = yes</div><div>profiling.prefilter = (null)</div><div>profiling.prefilter.enabled = yes</div><div>profiling.prefilter.filename = prefilter_perf.log</div><div>profiling.prefilter.append = yes</div><div>profiling.rulegroups = (null)</div><div>profiling.rulegroups.enabled = yes</div><div>profiling.rulegroups.filename = rule_group_perf.log</div><div>profiling.rulegroups.append = yes</div><div>profiling.packets = (null)</div><div>profiling.packets.enabled = yes</div><div>profiling.packets.filename = packet_stats.log</div><div>profiling.packets.append = yes</div><div>profiling.packets.csv = (null)</div><div>profiling.packets.csv.enabled = no</div><div>profiling.packets.csv.filename = packet_stats.csv</div><div>profiling.locks = (null)</div><div>profiling.locks.enabled = no</div><div>profiling.locks.filename = lock_stats.log</div><div>profiling.locks.append = yes</div><div>profiling.pcap-log = (null)</div><div>profiling.pcap-log.enabled = no</div><div>profiling.pcap-log.filename = pcaplog_stats.log</div><div>profiling.pcap-log.append = yes</div><div>nfq = </div><div>nflog = (null)</div><div>nflog.0 = group</div><div>nflog.0.group = 2</div><div>nflog.0.buffer-size = 18432</div><div>nflog.1 = group</div><div>nflog.1.group = default</div><div>nflog.1.qthreshold = 1</div><div>nflog.1.qtimeout = 100</div><div>nflog.1.max-size = 20000</div><div>capture = </div><div>netmap = (null)</div><div>netmap.0 = interface</div><div>netmap.0.interface = eth2</div><div>netmap.1 = interface</div><div>netmap.1.interface = default</div><div>pfring = (null)</div><div>pfring.0 = interface</div><div>pfring.0.interface = eth0</div><div>pfring.0.threads = 1</div><div>pfring.0.cluster-id = 99</div><div>pfring.0.cluster-type = cluster_flow</div><div>pfring.1 = interface</div><div>pfring.1.interface = default</div><div>ipfw = </div><div>napatech = (null)</div><div>napatech.hba = -1</div><div>napatech.use-all-streams = yes</div><div>napatech.streams = (null)</div><div>napatech.streams.0 = 0-3</div><div>mpipe = (null)</div><div>mpipe.load-balance = dynamic</div><div>mpipe.iqueue-packets = 2048</div><div>mpipe.inputs = (null)</div><div>mpipe.inputs.0 = interface</div><div>mpipe.inputs.0.interface = xgbe2</div><div>mpipe.inputs.1 = interface</div><div>mpipe.inputs.1.interface = xgbe3</div><div>mpipe.inputs.2 = interface</div><div>mpipe.inputs.2.interface = xgbe4</div><div>mpipe.stack = (null)</div><div>mpipe.stack.size128 = 0</div><div>mpipe.stack.size256 = 9</div><div>mpipe.stack.size512 = 0</div><div>mpipe.stack.size1024 = 0</div><div>mpipe.stack.size1664 = 7</div><div>mpipe.stack.size4096 = 0</div><div>mpipe.stack.size10386 = 0</div><div>mpipe.stack.size16384 = 0</div><div>default-rule-path = /etc/suricata/rules</div><div>rule-files = (null)</div><div>rule-files.0 = carl.rules</div><br><div><br></div><div>[root@localhost filestore]# suricata -r /root/foo.cap -v -c /etc/suricata/suricata.yaml </div><div>15/8/2018 -- 20:02:01 - <Notice> - This is Suricata version 4.1.0-rc1 RELEASE</div><div>15/8/2018 -- 20:02:01 - <Info> - CPUs/cores online: 1</div><div>15/8/2018 -- 20:02:01 - <Info> - fast output device (regular) initialized: fast.log</div><div>15/8/2018 -- 20:02:01 - <Info> - eve-log output device (regular) initialized: eve.json</div><div>15/8/2018 -- 20:02:01 - <Info> - stats output device (regular) initialized: stats.log</div><div>15/8/2018 -- 20:02:01 - <Info> - file-log output device (regular) initialized: files-json.log</div><div>15/8/2018 -- 20:02:01 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed</div><div>15/8/2018 -- 20:02:01 - <Info> - Threshold config parsed: 0 rule(s) found</div><div>15/8/2018 -- 20:02:01 - <Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only</div><div>15/8/2018 -- 20:02:01 - <Info> - Checking file or directory /root/foo.cap</div><div>15/8/2018 -- 20:02:01 - <Info> - /root/foo.cap: Plain file, not a directory</div><div>15/8/2018 -- 20:02:01 - <Info> - Argument /root/foo.cap was a file</div><div>15/8/2018 -- 20:02:01 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.</div><div>15/8/2018 -- 20:02:01 - <Info> - Starting file run for /root/foo.cap</div><div>15/8/2018 -- 20:02:01 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used</div><div>15/8/2018 -- 20:02:01 - <Info> - pcap file /root/foo.cap end of file reached (pcap err code 0)</div><div>15/8/2018 -- 20:02:01 - <Notice> - Signal Received. Stopping engine.</div><div>15/8/2018 -- 20:02:01 - <Info> - time elapsed 0.256s</div><div>15/8/2018 -- 20:02:01 - <Notice> - Pcap-file module read 1 files, 6660 packets, 2777051 bytes</div><div>15/8/2018 -- 20:02:01 - <Info> - (W#01) Files logged: 159</div><div>15/8/2018 -- 20:02:01 - <Info> - Alerts: 2</div><div>15/8/2018 -- 20:02:01 - <Info> - cleaning up signature grouping structure... complete</div><div><br></div><div><br></div><div><br></div></div>
</div></blockquote></div></div><span><blockquote type="cite"><div><span>______________________________<wbr>_________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a></span><br><span>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/train<wbr>ing/</a></span></div></blockquote></span></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>