[Oisf-users] A few questions / issues about the last 2 0dev. version

Peter Manev petermanev at gmail.com
Fri Dec 6 10:16:03 UTC 2013


On Fri, Dec 6, 2013 at 11:09 AM, Stefan Sabolowitsch
<Stefan.Sabolowitsch at felten-group.com> wrote:
> Peter
>
> missing fastlog file information here:
>
> [21530] 6/12/2013 -- 09:50:15 - (detect.c:3836) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... com
> [21530] 6/12/2013 -- 09:50:18 - (util-threshold-config.c:1186) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 20 rule(s) found
> [21530] 6/12/2013 -- 09:50:18 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
> [21530] 6/12/2013 -- 09:50:18 - (util-privs.c:101) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
> [21530] 6/12/2013 -- 09:50:18 - (alert-unified2-alert.c:1425) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
> [21530] 6/12/2013 -- 09:50:18 - (alert-syslog.c:170) <Info> (AlertSyslogInitCtx) -- Syslog output initialized
> [21530] 6/12/2013 -- 09:50:18 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- drop output device (regular) initialized: drop.log
> [21734] 6/12/2013 -- 09:50:18 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 0 to queue '0'
>
> and the fast log file will not be generated:
>
> [root at ipd1 Serrig-intern]# ls *log
> drop.log
>
> with this config (only the drop log is also active):
>
> # Configure the type of alert (and other) logging you would like.
> outputs:
>
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>     enabled: yes
>     filename: fast.log
>     append: no
>     #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>
>
> There's something very strange.
> With this configuration, only very few signatures are recognized.
> Something is wrong here.
>


Could it be a suricata.yaml parsing/language issue? (tabs and such)



-- 
Regards,
Peter Manev
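As an added illustration of the tab hypothesis (not code from the thread or from Suricata), this script flags tab-indented lines in the outputs section of a suricata.yaml and reports what the author intended for each output's `enabled:` key, so the intent can be compared with what the YAML parser actually sees. The sample config is constructed from the posted outputs block with a tab deliberately inserted.

```python
import re

# Constructed sample (not from the thread): Stefan's outputs block with a tab
# slipped into the indentation of the fast entry, the defect Peter suspects.
SAMPLE_CONFIG = (
    "# Configure the type of alert (and other) logging you would like.\n"
    "outputs:\n"
    "\n"
    "  # a line based alerts log similar to Snort's fast.log\n"
    "  - fast:\n"
    "\tenabled: yes\n"
    "    filename: fast.log\n"
    "    append: no\n"
    "  - drop:\n"
    "      enabled: yes\n"
    "      filename: drop.log\n"
)

def _leading_ws(line):
    return line[: len(line) - len(line.lstrip(" \t"))]

def find_tab_indented_lines(text):
    """Line numbers whose indentation contains a tab: YAML forbids tabs there,
    so the parser rejects or mis-nests everything under such a line."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "\t" in _leading_ws(line)]

def output_enabled(text, name):
    """Intended 'enabled:' state of the '- <name>:' item under outputs.
    Returns True/False, or None when no such item exists. Tabs are expanded
    to 8 columns so the intent can be compared with what the parser sees."""
    lines = text.splitlines()
    item_re = re.compile(r"^\s*-\s*" + re.escape(name) + r":\s*(#.*)?$")
    for i, line in enumerate(lines):
        if not item_re.match(line):
            continue
        depth = len(_leading_ws(line).expandtabs(8))
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if len(_leading_ws(nxt).expandtabs(8)) <= depth:
                break  # left this list item
            m = re.match(r"^\s*enabled:\s*(\S+)", nxt)
            if m:
                return m.group(1).lower() in ("yes", "true", "on")
        return False  # item present but has no 'enabled:' key
    return None
```

Run `find_tab_indented_lines` over the real suricata.yaml first; any hit explains an output that is configured as enabled yet never appears on disk.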


