18/11/2019 -- 08:43:27 - - Running suricata under test mode
18/11/2019 -- 08:43:27 - - Including configuration file vars.yaml.
18/11/2019 -- 08:43:27 - - Including configuration file uniq_idstest.yaml.
18/11/2019 -- 08:43:27 - - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode
18/11/2019 -- 08:43:27 - - CPUs/cores online: 32
18/11/2019 -- 08:43:27 - - luajit states preallocated: 128
18/11/2019 -- 08:43:27 - - 'default' server has 'request-body-minimal-inspect-size' set to 32073 and 'request-body-inspect-window' set to 4112 after randomization.
18/11/2019 -- 08:43:27 - - 'default' server has 'response-body-minimal-inspect-size' set to 39167 and 'response-body-inspect-window' set to 16002 after randomization.
18/11/2019 -- 08:43:27 - - HTTP memcap: 6442450944
18/11/2019 -- 08:43:27 - - SMB stream depth: 0
18/11/2019 -- 08:43:27 - - Protocol detection and parser disabled for modbus protocol.
18/11/2019 -- 08:43:27 - - Registering DNP3/tcp parsers.
18/11/2019 -- 08:43:27 - - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/11/2019 -- 08:43:27 - - preallocated 1000 hosts of size 136
18/11/2019 -- 08:43:27 - - host memory usage: 398144 bytes, maximum: 67108864
18/11/2019 -- 08:43:27 - - Core dump size set to unlimited.
18/11/2019 -- 08:43:27 - - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/11/2019 -- 08:43:27 - - preallocated 65535 defrag trackers of size 160
18/11/2019 -- 08:43:27 - - defrag memory usage: 14155616 bytes, maximum: 536870912
18/11/2019 -- 08:43:27 - - stream "prealloc-sessions": 10000 (per thread)
18/11/2019 -- 08:43:27 - - stream "memcap": 12884901888
18/11/2019 -- 08:43:27 - - stream "midstream" session pickups: enabled
18/11/2019 -- 08:43:27 - - stream "async-oneside": disabled
18/11/2019 -- 08:43:27 - - stream "checksum-validation": enabled
18/11/2019 -- 08:43:27 - - stream."inline": disabled
18/11/2019 -- 08:43:27 - - stream "bypass": enabled
18/11/2019 -- 08:43:27 - - stream "max-synack-queued": 5
18/11/2019 -- 08:43:27 - - stream.reassembly "memcap": 34359738368
18/11/2019 -- 08:43:27 - - stream.reassembly "depth": 2097152
18/11/2019 -- 08:43:27 - - stream.reassembly "toserver-chunk-size": 2502
18/11/2019 -- 08:43:27 - - stream.reassembly "toclient-chunk-size": 2633
18/11/2019 -- 08:43:27 - - stream.reassembly.raw: enabled
18/11/2019 -- 08:43:27 - - stream.reassembly "segment-prealloc": 200000
18/11/2019 -- 08:43:27 - - dropped the caps for main thread
18/11/2019 -- 08:43:27 - - fast output device (regular) initialized: fast.log
18/11/2019 -- 08:43:27 - - eve-log output device (regular) initialized: stats.eve.json
18/11/2019 -- 08:43:27 - - enabling 'eve-log' module 'stats'
18/11/2019 -- 08:43:27 - - eve-log output device (regular) initialized: alerts.eve.json
18/11/2019 -- 08:43:27 - - Enabling eve community_id logging.
18/11/2019 -- 08:43:27 - - enabling 'eve-log' module 'alert'
18/11/2019 -- 08:43:27 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - Unified2 alert has been deprecated and will be removed by December 2019.
18/11/2019 -- 08:43:27 - - Unified2-alert initialized: filename suricata.alert, limit 32 MB
18/11/2019 -- 08:43:27 - - stats output device (regular) initialized: stats.log
18/11/2019 -- 08:43:27 - - Delayed detect disabled
18/11/2019 -- 08:43:27 - - pattern matchers: MPM: hs, SPM: hs
18/11/2019 -- 08:43:27 - - grouping: tcp-whitelist 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/11/2019 -- 08:43:27 - - grouping: udp-whitelist 53, 135, 5060
18/11/2019 -- 08:43:27 - - prefilter engines: MPM and keywords
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_uri
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_raw_uri
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_request_line
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_client_body
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_response_line
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_header
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_header
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_header_names
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_header_names
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_accept
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_accept_enc
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_accept_lang
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_referer
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_connection
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_content_len
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_content_len
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_content_type
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_content_type
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http.server
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http.location
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_protocol
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_protocol
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_start
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_start
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_raw_header
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_raw_header
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_method
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_cookie
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_cookie
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.name
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file.magic
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_user_agent
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_host
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_raw_host
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_stat_msg
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for http_stat_code
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dns_query
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dnp3_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dnp3_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.sni
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.cert_issuer
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.cert_subject
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.cert_serial
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.cert_fingerprint
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tls.certs
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ja3.hash
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ja3.string
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ja3s.hash
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ja3s.string
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dce_stub_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dce_stub_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dce_stub_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for dce_stub_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for smb_named_pipe
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for smb_share
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ssh.proto
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ssh.proto
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ssh_software
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ssh_software
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for file_data
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for krb5_cname
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for krb5_sname
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.method
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.uri
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.protocol
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.protocol
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.method
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.stat_msg
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.request_line
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for sip.response_line
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for snmp.community
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for snmp.community
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tcp.hdr
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for udp.hdr
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ipv4.hdr
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for ipv6.hdr
18/11/2019 -- 08:43:27 - - IP reputation disabled
18/11/2019 -- 08:43:27 - - Loading rule file: /etc/suricata/rules/global.rules
18/11/2019 -- 08:43:27 - - Rule with ID 1511215 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511216 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511217 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511218 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511219 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511220 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511221 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511222 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511223 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511224 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511225 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511230 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - Rule with ID 1511251 is bidirectional, but source and destination are the same, treating the rule as unidirectional
18/11/2019 -- 08:43:27 - - 1 rule files processed. 2617 rules successfully loaded, 0 rules failed
18/11/2019 -- 08:43:27 - - Threshold config parsed: 1 rule(s) found
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tcp-packet
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for tcp-stream
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for udp-packet
18/11/2019 -- 08:43:27 - - using unique mpm ctx' for other-ip
18/11/2019 -- 08:43:27 - - sid 2230011: prefilter is on "flow"
18/11/2019 -- 08:43:27 - - sid 2230012: prefilter is on "flow"
18/11/2019 -- 08:43:27 - - sid 2230013: prefilter is on "flow"
18/11/2019 -- 08:43:27 - - sid 2230014: prefilter is on "flow"
18/11/2019 -- 08:43:27 - - sid 1512436: prefilter is on "tcp.flags"
18/11/2019 -- 08:43:27 - - 2623 signatures processed. 0 are IP-only rules, 1505 are inspecting packet payload, 820 inspect application layer, 0 are decoder event only
18/11/2019 -- 08:43:27 - - building signature grouping structure, stage 1: preprocessing rules... complete
18/11/2019 -- 08:43:27 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MalformedTLSHB' is checked but not set. Checked in 2018373 and 0 other sigs
18/11/2019 -- 08:43:27 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'zxhandshake1&zxhandshake2' is checked but not set. Checked in 1511918 and 0 other sigs
18/11/2019 -- 08:43:27 - - TCP toserver: 76 port groups, 18 unique SGH's, 58 copies
18/11/2019 -- 08:43:27 - - TCP toclient: 76 port groups, 11 unique SGH's, 65 copies
18/11/2019 -- 08:43:27 - - UDP toserver: 14 port groups, 7 unique SGH's, 7 copies
18/11/2019 -- 08:43:27 - - UDP toclient: 8 port groups, 4 unique SGH's, 4 copies
18/11/2019 -- 08:43:27 - - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
18/11/2019 -- 08:43:27 - - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
18/11/2019 -- 08:43:41 - - Unique rule groups: 40
18/11/2019 -- 08:43:41 - - Builtin MPM "toserver TCP packet": 11
18/11/2019 -- 08:43:41 - - Builtin MPM "toclient TCP packet": 9
18/11/2019 -- 08:43:41 - - Builtin MPM "toserver TCP stream": 14
18/11/2019 -- 08:43:41 - - Builtin MPM "toclient TCP stream": 11
18/11/2019 -- 08:43:41 - - Builtin MPM "toserver UDP packet": 7
18/11/2019 -- 08:43:41 - - Builtin MPM "toclient UDP packet": 4
18/11/2019 -- 08:43:41 - - Builtin MPM "other IP packet": 0
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_uri (http)": 6
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_raw_uri (http)": 1
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_client_body (http)": 2
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_header (http)": 7
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient http_header (http)": 7
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_accept_lang (http)": 1
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_raw_header (http)": 1
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient http_raw_header (http)": 1
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_cookie (http)": 3
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient http_cookie (http)": 3
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver http_user_agent (http)": 2
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient http_stat_code (http)": 1
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver file_data (smtp)": 6
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient file_data (http)": 6
18/11/2019 -- 08:43:41 - - AppLayer MPM "toserver file_data (smb)": 6
18/11/2019 -- 08:43:41 - - AppLayer MPM "toclient file_data (smb)": 6
18/11/2019 -- 08:43:41 - - Configuration provided was successfully loaded. Exiting.
18/11/2019 -- 08:43:41 - - host memory usage: 398144 bytes, maximum: 67108864
18/11/2019 -- 08:43:41 - - cleaning up signature grouping structure... complete
18/11/2019 -- 08:43:41 - - Stats for 'ens1f1': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
18/11/2019 -- 08:43:41 - - Cleaning up Hyperscan global scratch
18/11/2019 -- 08:43:41 - - Clearing Hyperscan database cache