[Oisf-users] A few questions / issues about the last 2 0dev. version

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Fri Dec 6 10:09:49 UTC 2013


Peter

missing fastlog file information here:

[21530] 6/12/2013 -- 09:50:15 - (detect.c:3836) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... com
[21530] 6/12/2013 -- 09:50:18 - (util-threshold-config.c:1186) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 20 rule(s) found
[21530] 6/12/2013 -- 09:50:18 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[21530] 6/12/2013 -- 09:50:18 - (util-privs.c:101) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[21530] 6/12/2013 -- 09:50:18 - (alert-unified2-alert.c:1425) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
[21530] 6/12/2013 -- 09:50:18 - (alert-syslog.c:170) <Info> (AlertSyslogInitCtx) -- Syslog output initialized
[21530] 6/12/2013 -- 09:50:18 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
[21734] 6/12/2013 -- 09:50:18 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 0 to queue '0'

and the fast log file is not generated:

[root at ipd1 Serrig-intern]# ls *log
drop.log

with this config (only the drop log is also active):

# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
    enabled: yes
    filename: fast.log
    append: no
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'


There's something very strange.
With this configuration, only very few signatures are recognized.
Something is wrong here.

Stefan

On 06.12.2013 at 07:14, Peter Manev <petermanev at gmail.com> wrote:

> On Thu, Dec 5, 2013 at 2:46 PM, Stefan Sabolowitsch
> <Stefan.Sabolowitsch at felten-group.com> wrote:
>> Sorry, in the first (noise) e-mail I was a little too fast; here are my questions:
>> 
>> If I enable the dns, http and files-json logfiles, a fast.log will never be generated (OK?).
> 
> I just ran the same setup (enable dns, http and files-json logfile,
> fast.log) with the latest git - 2.0dev (rev eaff01a)
> and there is no problem - all logfiles populate with data.
> 
>> 
>> I checked the files-json logfile and would like to suggest the following.
>> Wouldn't it be better to use these field names
>> 
>> src_ip, dst_ip, src_port, dst_port (instead srcip etc.)
>> 
>> A lot of log collectors use this naming (Logstash, Splunk etc.).
> 
> Suricata 2.0 is planned with all JSON output capability which would
> enable easy and default parsing from tools like Logstash.
> You could get some ideas from here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
> https://home.regit.org/2013/10/logstash-and-suricata-for-the-old-guys/
> 
> thanks
> 
>> 
>> thx
>> Stefan
>> 
> 
> 
> -- 
> Regards,
> Peter Manev
> 
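The field renaming proposed in the quoted message (src_ip, dst_ip, src_port, dst_port instead of srcip etc.), as an added example that is not part of this thread or of Suricata itself: a small Python normalizer that reads files-json lines and emits collector-friendly field names, skipping lines that are not valid JSON. The old names dstip, sp and dp and the sample records are assumptions, not taken from the page.

```python
import json

# Mapping from the older files-json field names to the names proposed in
# the thread. Only "srcip" is named on the page; "dstip", "sp" and "dp" are
# assumed to be the matching old names (assumption, not from the page).
FIELD_MAP = {
    "srcip": "src_ip",
    "dstip": "dst_ip",
    "sp": "src_port",
    "dp": "dst_port",
}


def normalize_record(rec):
    """Return a copy of one files-json record with the renamed fields.
    If a record already carries the new-style name, the first value seen wins
    so an existing src_ip is never overwritten by a stale srcip."""
    out = {}
    for key, value in rec.items():
        out.setdefault(FIELD_MAP.get(key, key), value)
    return out


def normalize_lines(lines):
    """Parse newline-delimited JSON, normalize each record and count lines
    that a collector would reject. Returns (records, bad_line_count)."""
    records, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue  # blank lines are harmless, not errors
        try:
            rec = json.loads(line)
        except ValueError:
            bad += 1  # truncated or garbled line (e.g. unflushed write)
            continue
        if not isinstance(rec, dict):
            bad += 1  # valid JSON but not an object, useless to a collector
            continue
        records.append(normalize_record(rec))
    return records, bad


# Constructed sample lines in the files-json style (not real captures).
SAMPLE = [
    '{"timestamp":"12/06/2013-09:50:18.000000","srcip":"10.0.0.5","dstip":"10.0.0.9","sp":51234,"dp":80,"http_host":"example.test","filename":"/a.exe","size":0}',
    "",
    "not json at all",
]

if __name__ == "__main__":
    recs, bad = normalize_lines(SAMPLE)
    for r in recs:
        print(json.dumps(r, sort_keys=True))
    print("unparsable lines:", bad)
```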