[Oisf-users] Empty http.log file

kay kay.diam at gmail.com
Tue Jul 10 10:08:46 EDT 2012


The statistic is empty:

Date: 7/10/2012 -- 18:01:11 (uptime: 0d, 00h 00m 33s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Recv-Q0                   | 0
decoder.bytes             | Recv-Q0                   | 0
decoder.ipv4              | Recv-Q0                   | 0
decoder.ipv6              | Recv-Q0                   | 0
decoder.ethernet          | Recv-Q0                   | 0
decoder.raw               | Recv-Q0                   | 0
decoder.sll               | Recv-Q0                   | 0
decoder.tcp               | Recv-Q0                   | 0
decoder.udp               | Recv-Q0                   | 0
decoder.sctp              | Recv-Q0                   | 0
decoder.icmpv4            | Recv-Q0                   | 0
decoder.icmpv6            | Recv-Q0                   | 0
decoder.ppp               | Recv-Q0                   | 0
decoder.pppoe             | Recv-Q0                   | 0
decoder.gre               | Recv-Q0                   | 0
decoder.vlan              | Recv-Q0                   | 0
decoder.avg_pkt_size      | Recv-Q0                   | 0
decoder.max_pkt_size      | Recv-Q0                   | 0
defrag.ipv4.fragments     | Recv-Q0                   | 0
defrag.ipv4.reassembled   | Recv-Q0                   | 0
defrag.ipv4.timeouts      | Recv-Q0                   | 0
defrag.ipv6.fragments     | Recv-Q0                   | 0
defrag.ipv6.reassembled   | Recv-Q0                   | 0
defrag.ipv6.timeouts      | Recv-Q0                   | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 6550016
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0


Here is suricata output:
10/7/2012 -- 18:02:30 - <Info> - This is Suricata version 1.3 RELEASE
10/7/2012 -- 18:02:30 - <Info> - CPUs/cores online: 1
10/7/2012 -- 18:02:30 - <Info> - NFQ running in REPEAT mode with mark 0/0
10/7/2012 -- 18:02:30 - <Info> - AutoFP mode using default "Active
Packets" flow load balancer
10/7/2012 -- 18:02:30 - <Info> - preallocated 1024 packets. Total memory 4327424
10/7/2012 -- 18:02:30 - <Info> - allocated 229376 bytes of memory for
the host hash... 4096 buckets of size 56
10/7/2012 -- 18:02:30 - <Info> - preallocated 1000 hosts of size 112
10/7/2012 -- 18:02:30 - <Info> - host memory usage: 341376 bytes,
maximum: 16777216
10/7/2012 -- 18:02:30 - <Info> - allocated 3670016 bytes of memory for
the flow hash... 65536 buckets of size 56
10/7/2012 -- 18:02:30 - <Info> - preallocated 10000 flows of size 288
10/7/2012 -- 18:02:30 - <Info> - flow memory usage: 6550016 bytes,
maximum: 33554432
10/7/2012 -- 18:02:30 - <Info> - Added "34" classification types from
the classification file
10/7/2012 -- 18:02:30 - <Info> - Added "19" reference types from the
reference.config file
10/7/2012 -- 18:02:30 - <Info> - using magic-file /usr/share/file/magic
10/7/2012 -- 18:02:30 - <Info> - 1 rule files processed. 8 rules
succesfully loaded, 0 rules failed
10/7/2012 -- 18:02:30 - <Info> - 8 signatures processed. 0 are IP-only
rules, 4 are inspecting packet payload, 3 inspect application layer, 0
are decoder event only
10/7/2012 -- 18:02:30 - <Info> - building signature grouping
structure, stage 1: adding signatures to signature source addresses...
complete
10/7/2012 -- 18:02:30 - <Info> - building signature grouping
structure, stage 2: building source address list... complete
10/7/2012 -- 18:02:30 - <Info> - building signature grouping
structure, stage 3: building destination address lists... complete
10/7/2012 -- 18:02:30 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] -
Error opening file: "/etc/suricata//threshold.config": No such file or
directory
10/7/2012 -- 18:02:30 - <Info> - Core dump size set to unlimited.
10/7/2012 -- 18:02:30 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 32 MB
10/7/2012 -- 18:02:30 - <Info> - drop output device (regular)
initialized: drop.log
10/7/2012 -- 18:02:30 - <Info> - stream "max-sessions": 262144
10/7/2012 -- 18:02:30 - <Info> - stream "prealloc-sessions": 32768
10/7/2012 -- 18:02:30 - <Info> - stream "memcap": 33554432
10/7/2012 -- 18:02:30 - <Info> - stream "midstream" session pickups: disabled
10/7/2012 -- 18:02:30 - <Info> - stream "async-oneside": disabled
10/7/2012 -- 18:02:30 - <Info> - stream "checksum-validation": enabled
10/7/2012 -- 18:02:30 - <Info> - stream."inline": enabled
10/7/2012 -- 18:02:30 - <Info> - stream.reassembly "memcap": 67108864
10/7/2012 -- 18:02:30 - <Info> - stream.reassembly "depth": 1048576
10/7/2012 -- 18:02:30 - <Info> - stream.reassembly "toserver-chunk-size": 2560
10/7/2012 -- 18:02:30 - <Info> - stream.reassembly "toclient-chunk-size": 2560
10/7/2012 -- 18:02:30 - <Info> - binding this thread 0 to queue '0'
10/7/2012 -- 18:02:30 - <Info> - setting queue length to 4096
10/7/2012 -- 18:02:30 - <Info> - setting nfnl bufsize to 6144000
10/7/2012 -- 18:02:30 - <Info> - all 3 packet processing threads, 3
management threads initialized, engine started.
10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata

Again, when I run NFQ accept mode, everything is ok. In repeat mode I
can not mark or alert packets.

2012/7/10 Victor Julien <victor at inliniac.net>:
> On 07/09/2012 04:23 PM, kay wrote:
>> Yes, it is.
>
> Can you share a record from your stats.log?
>
> A record like here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Statistics
>
> Cheers,
> Victor
>
>> 2012/7/9 Victor Julien <victor at inliniac.net>:
>>> On 07/09/2012 04:17 PM, kay wrote:
>>>> Does anyone have any clue why http.log empty when suricata runs in NFQ
>>>> "repeat" mode?
>>>
>>> Does it work properly if you're using the normal accept/drop nfq mode?
>>>
>>> Cheers,
>>> Victor
>>>
>>>> 2012/7/9 kay <kay.diam at gmail.com>:
>>>>> I'm quite not understand what you mean... I copy-pasted these rules
>>>>> from iptables-save:
>>>>> # Generated by iptables-save v1.4.7 on Mon Jul  9 15:48:00 2012
>>>>> *filter
>>>>> :INPUT ACCEPT [4264:1708762]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [1949:515483]
>>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>>>>> --queue-num 0
>>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>>>>> --queue-num 0
>>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>>> COMMIT
>>>>> # Completed on Mon Jul  9 15:48:00 2012
>>>>>
>>>>> I run suricata in NFQ "repeat" mode with "-q 0" option.
>>>>>
>>>>> For some reason "accept" mode writes logs, but I need to use "mark"
>>>>> functionality. Actually I cannot reach even "mark packets"
>>>>> functionality in "repeat" mode too. That is why I created "--mark
>>>>> 0x1/0x1 -m tcp --dport 80 -j ACCEPT" firewall rules for iptables
>>>>> counter.
>>>>>
>>>>> Here is my rule:
>>>>>
>>>>> pass tcp any any -> any any (content: "TEST"; msg: "TEST string
>>>>> test!"; nfq_set_mark:0x01/0x01; sid:2455;)
>>>>>
>>>>> 2012/7/9 Victor Julien <victor at inliniac.net>:
>>>>>> On 07/09/2012 01:39 PM, kay wrote:
>>>>>>> Here are iptables rules:
>>>>>>>
>>>>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>>>>>>> --queue-num 0
>>>>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>>>>>>> --queue-num 0
>>>>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>>>>
>>>>>> Are these in the (default) filter table?
>>>>>>
>>>>>> --
>>>>>> ---------------------------------------------
>>>>>> Victor Julien
>>>>>> http://www.inliniac.net/
>>>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>>>> ---------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Oisf-users mailing list
>>>>>> Oisf-users at openinfosecfoundation.org
>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


More information about the Oisf-users mailing list