[Oisf-users] A few questions / issues about the last 2 0dev. version
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Fri Dec 6 10:09:49 UTC 2013
Peter
missing fastlog file information here:
21530] 6/12/2013 -- 09:50:15 - (detect.c:3836) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... com
[21530] 6/12/2013 -- 09:50:18 - (util-threshold-config.c:1186) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 20 rule(s) found
[21530] 6/12/2013 -- 09:50:18 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[21530] 6/12/2013 -- 09:50:18 - (util-privs.c:101) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[21530] 6/12/2013 -- 09:50:18 - (alert-unified2-alert.c:1425) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
[21530] 6/12/2013 -- 09:50:18 - (alert-syslog.c:170) <Info> (AlertSyslogInitCtx) -- Syslog output initialized
[21530] 6/12/2013 -- 09:50:18 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
[21734] 6/12/2013 -- 09:50:18 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 0 to queue '0'
and the fast log file will not be generated:
[root at ipd1 Serrig-intern]# ls *log
drop.log
with this config (only the drop log is also active):
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
There's something very strange.
With this configuration, only very few signatures are recognized.
Something is wrong here.
Stefan
On 06.12.2013 at 07:14, Peter Manev <petermanev at gmail.com> wrote:
> On Thu, Dec 5, 2013 at 2:46 PM, Stefan Sabolowitsch
> <Stefan.Sabolowitsch at felten-group.com> wrote:
>> Sorry, in the first (noise) e-mail I was a little too fast; here are my questions:
>>
>> If I enable the dns, http and files-json logfiles, a fast.log is never generated (OK?).
>
> I just ran the same setup (enable dns, http and files-json logfile,
> fast.log) on the latest git - 2.0dev (rev eaff01a)
> and there is no problem - all logfiles populate with data.
>
>>
>> I checked the files-json logfile and would like to suggest the following.
>> Wouldn't it be better to use these field names
>>
>> src_ip, dst_ip, src_port, dst_port (instead srcip etc.)
>>
>> A lot of log collectors use this naming (logstash, Splunk etc.).
>
> Suricata 2.0 is planned with all JSON output capability which would
> enable easy and default parsing from tools like Logstash.
> You could get some ideas from here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
> https://home.regit.org/2013/10/logstash-and-suricata-for-the-old-guys/
>
> thanks
>
>>
>> thx
>> Stefan
>>
>
>
> --
> Regards,
> Peter Manev
>
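The startup log above lists every output that actually initialized (Unified2, syslog, drop) and has no line for fast.log, which is the quickest way to confirm an output was silently skipped. The following script, added here as an example and not part of the thread or of Suricata itself, parses the `outputs:` section of a suricata.yaml fragment (ignoring indentation, so it also copes with a flattened paste like the one in the mail), collects the outputs that logged an `... output device (...) initialized: <file>` line, and reports enabled file outputs that never initialized. The config fragment and log lines are constructed for the example; the assumption that the fast output announces itself with the same `SCConfLogOpenGeneric` line shape as the drop output is the author's, not something the thread states.

```python
import re

# Constructed suricata.yaml outputs fragment, modelled on the one in the thread.
CONFIG_TEXT = """\
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  - drop:
      enabled: yes
      filename: drop.log
  - http-log:
      enabled: no
      filename: http.log
"""

# Constructed startup log lines in the same format as the thread (pid and timestamps invented).
LOG_LINES = [
    "[21530] 6/12/2013 -- 09:50:18 - (alert-unified2-alert.c:1425) <Info> (Unified2AlertInitCtx) "
    "-- Unified2-alert initialized: filename snort.unified2, limit 32 MB",
    "[21530] 6/12/2013 -- 09:50:18 - (alert-syslog.c:170) <Info> (AlertSyslogInitCtx) -- Syslog output initialized",
    "[21530] 6/12/2013 -- 09:50:18 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) "
    "-- drop output device (regular) initialized: drop.log",
]

OUTPUT_HEADER = re.compile(r"^\s*-\s*([\w-]+):\s*$")        # "- fast:"
KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")          # "enabled: yes"
# Assumed line shape for every file-backed output (matches the drop line in the thread).
INIT_LINE = re.compile(r"\(SCConfLogOpenGeneric\) -- ([\w-]+) output device \(\w+\) initialized: (\S+)")


def parse_outputs(config_text):
    """Return {output_name: {key: value}} for each list item under 'outputs:'.

    Indentation is deliberately ignored; comments (after '#') are stripped, so a
    commented-out key such as '#filetype' does not count as a setting.
    """
    outputs, current, in_outputs = {}, None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.strip() == "outputs:":
            in_outputs = True
            continue
        if not in_outputs:
            continue
        m = OUTPUT_HEADER.match(line)
        if m:
            current = m.group(1)
            outputs[current] = {}
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            outputs[current][m.group(1)] = m.group(2)
    return outputs


def enabled_outputs(config_text):
    """Map output name -> configured filename for outputs with 'enabled: yes'."""
    return {
        name: opts.get("filename")
        for name, opts in parse_outputs(config_text).items()
        if opts.get("enabled", "no").lower() in ("yes", "true")
    }


def initialized_outputs(log_lines):
    """Map output name -> filename for every 'output device ... initialized' log line."""
    found = {}
    for line in log_lines:
        m = INIT_LINE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def missing_outputs(config_text, log_lines):
    """Names of enabled file outputs that never logged an 'initialized' line."""
    enabled = enabled_outputs(config_text)
    seen = initialized_outputs(log_lines)
    return sorted(name for name in enabled if name not in seen)


if __name__ == "__main__":
    for name in missing_outputs(CONFIG_TEXT, LOG_LINES):
        print("enabled but never initialized: %s" % name)
```

Run against a real deployment by reading the `outputs:` block of suricata.yaml into `CONFIG_TEXT` and the startup portion of suricata.log into `LOG_LINES`; with the constructed data above it reports `fast` as enabled but never initialized, which is exactly the situation the mail describes.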