[Oisf-users] fast.log empty

Peter Manev petermanev at gmail.com
Fri Jan 25 08:45:50 UTC 2013


Hi Jutaro,

I would suggest:
First, update your suricata.yaml to the newest one distributed.
Second, if you use
alert http any any -> any any (msg:"alert on all http"; sid:1111111111;)
would you see alerts in fast.log?


Then

> 25/1/2013 -- 12:11:26 - <Info> - Using 1 live device(s).
> 25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface
> venet0, using default value
> 25/1/2013 -- 12:11:26 - <Info> - using interface venet0
>

what are the config lines:

pcap:
    - interface: eth0
      #buffer-size: 32768

saying in your yaml config?

thank you


On Fri, Jan 25, 2013 at 4:33 AM, Jutaro Kajita <j.kajita at espeid.jp> wrote:

> Hi, to all.
>
> I recently built Suricata 1.4 from source on CentOS5.9,
> and, as in the tutorial Adding Your Rules, I added local.rules,
> but after opening several pages on the server, fast.log still contains
> zero lines.
>
> Here are the parts of my .yaml file that I assume are related to the issue.
>
>  - fast:
>       enabled: yes
>       filename: fast.log
>       append: yes
>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>
>   # alert output for use with Barnyard2
>   - unified2-alert:
>       enabled: no
>       filename: unified2.alert
>
>       # File size limit.  Can be specified in kb, mb, gb.  Just a number
>       # is parsed as bytes.
>       #limit: 32mb
>
>   # a line based log of HTTP requests (no alerts)
>   - http-log:
>       enabled: yes
>       filename: http.log
>       append: yes
>       #extended: yes     # enable this for extended logging information
>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
> #######################################################
>
> and here's the output of the Suricata initialisation
>
> 25/1/2013 -- 12:11:20 - <Info> - CPUs/cores online: 1
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> max_files is deprecated. Please use max-files on line 108.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> use_stream_depth is deprecated. Please use use-stream-depth on line 113.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> log_packet_content is deprecated. Please use log-packet-content on line 128.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> log_packet_header is deprecated. Please use log-packet-header on line 129.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toclient_src_groups is deprecated. Please use toclient-src-groups on line
> 278.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toclient_dst_groups is deprecated. Please use toclient-dst-groups on line
> 279.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toclient_sp_groups is deprecated. Please use toclient-sp-groups on line 280.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toclient_dp_groups is deprecated. Please use toclient-dp-groups on line 281.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toserver_src_groups is deprecated. Please use toserver-src-groups on line
> 282.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> toserver_dst_groups is deprecated. Please use toserver-dst-groups on line
> 283.
> 25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] -
> not showing more parameter name warnings.
> 25/1/2013 -- 12:11:20 - <Info> - Found an MTU of 1500 for 'venet0'
> 25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the
> defrag hash... 4096 buckets of size 56
> 25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 defrag trackers of size
> 152
> 25/1/2013 -- 12:11:20 - <Info> - defrag memory usage: 381376 bytes,
> maximum: 16777216
> 25/1/2013 -- 12:11:20 - <Info> - AutoFP mode using default "Active
> Packets" flow load balancer
> 25/1/2013 -- 12:11:20 - <Info> - preallocated 5000 packets. Total memory
> 21300000
> 25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the
> host hash... 4096 buckets of size 56
> 25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 hosts of size 128
> 25/1/2013 -- 12:11:20 - <Info> - host memory usage: 357376 bytes, maximum:
> 16777216
> 25/1/2013 -- 12:11:20 - <Info> - allocated 3670016 bytes of memory for the
> flow hash... 65536 buckets of size 56
> 25/1/2013 -- 12:11:20 - <Info> - preallocated 10000 flows of size 280
> 25/1/2013 -- 12:11:20 - <Info> - flow memory usage: 6470016 bytes,
> maximum: 33554432
> 25/1/2013 -- 12:11:20 - <Info> - IP reputation disabled
> 25/1/2013 -- 12:11:20 - <Info> - Delayed detect disabled
> 25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules
> successfully loaded, 0 rules failed
> 25/1/2013 -- 12:11:24 - <Info> - 6232 signatures processed. 226 are
> IP-only rules, 2933 are inspecting packet payload, 3991 inspect application
> layer, 0 are decoder event only
> 25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 25/1/2013 -- 12:11:25 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 25/1/2013 -- 12:11:26 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error
> opening file: "/etc/suricata//threshold.config": No such file or directory
> 25/1/2013 -- 12:11:26 - <Info> - Core dump size set to unlimited.
> 25/1/2013 -- 12:11:26 - <Info> - fast output device (regular) initialized:
> fast.log
> 25/1/2013 -- 12:11:26 - <Info> - http-log output device (regular)
> initialized: http.log
> 25/1/2013 -- 12:11:26 - <Info> - Using 1 live device(s).
> 25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface
> venet0, using default value
> 25/1/2013 -- 12:11:26 - <Info> - using interface venet0
> 25/1/2013 -- 12:11:26 - <Info> - RunModeIdsPcapAutoFp initialised
> 25/1/2013 -- 12:11:26 - <Info> - stream "max-sessions": 262144
> 25/1/2013 -- 12:11:26 - <Info> - stream "prealloc-sessions": 32768
> 25/1/2013 -- 12:11:26 - <Info> - stream "memcap": 33554432
> 25/1/2013 -- 12:11:26 - <Info> - stream "midstream" session pickups:
> disabled
> 25/1/2013 -- 12:11:26 - <Info> - stream "async-oneside": disabled
> 25/1/2013 -- 12:11:26 - <Info> - stream "checksum-validation": enabled
> 25/1/2013 -- 12:11:26 - <Info> - stream."inline": disabled
> 25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "memcap": 67108864
> 25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "depth": 1048576
> 25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toserver-chunk-size":
> 2560
> 25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toclient-chunk-size":
> 2560
> 25/1/2013 -- 12:11:26 - <Info> - all 2 packet processing threads, 1
> management threads initialized, engine started.
>
>
> #########################################
> While fast.log is empty, http.log is working well and outputting proper
> logs.
> So I assume there is no issue with file privileges.
>
> any help appreciated.
> thanks in advance.
> Jutaro
>



-- 
Regards,
Peter Manev
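The mismatch the reply points at (an eth0 entry under pcap: while Suricata reports "using interface venet0") and the deprecated-key warnings can be pulled out of the start-up output mechanically. The following is an added example, not code from the thread or from the Suricata project; the log lines and the pcap: fragment are constructed to mirror the ones quoted above, and the regular expressions are assumptions about the 1.4 message formats shown there.

```python
import re

# Constructed sample of Suricata 1.4 startup output, modelled on the lines quoted in this
# thread (not captured from the poster's system); regexes assume those 1.4 message formats.
SAMPLE_LOG = """\
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - max_files is deprecated. Please use max-files on line 108.
25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules successfully loaded, 0 rules failed
25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface venet0, using default value
25/1/2013 -- 12:11:26 - <Info> - using interface venet0
"""
# Constructed pcap: section as in the reply above: eth0 is configured, venet0 is sniffed.
SAMPLE_PCAP_YAML = "pcap:\n  - interface: eth0\n    #buffer-size: 32768\n"

MSG_RE = re.compile(r"^\S+ -- \S+ - <(\w+)> - (.*)$")
DEPRECATED_RE = re.compile(r"^(\S+) is deprecated\. Please use (\S+) on line (\d+)\.$")
NOCFG_RE = re.compile(r"^Unable to find pcap config for interface ([^,\s]+)")
USING_RE = re.compile(r"^using interface (\S+)$")
RULES_RE = re.compile(r"^\d+ rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed$")

def pcap_interfaces(yaml_text):  # interfaces under the top-level pcap: key, no YAML lib needed
    found, in_pcap = [], False
    for raw in yaml_text.splitlines():
        if raw.strip() and not raw[0].isspace() and not raw.startswith("#"):
            in_pcap = raw.startswith("pcap:")  # any other top-level key ends the section
        m = re.match(r"^\s*-\s*interface:\s*(\S+)", raw)
        if in_pcap and m:
            found.append(m.group(1))
    return found

def triage(log_text, yaml_text):  # summarise startup output; flag why fast.log may stay empty
    r = {"configured": pcap_interfaces(yaml_text), "sniffed": None, "unconfigured": [],
         "deprecated": [], "rules_loaded": 0, "rules_failed": 0, "findings": []}
    for raw in log_text.splitlines():
        m = MSG_RE.match(raw)
        if not m:
            continue
        msg = m.group(2).split("] - ", 1)[-1]  # strip any [ERRCODE: ...] prefix
        if (d := DEPRECATED_RE.match(msg)):
            r["deprecated"].append((d.group(1), d.group(2), int(d.group(3))))
        elif (d := NOCFG_RE.match(msg)):
            r["unconfigured"].append(d.group(1))
        elif (d := USING_RE.match(msg)):
            r["sniffed"] = d.group(1)
        elif (d := RULES_RE.match(msg)):
            r["rules_loaded"], r["rules_failed"] = int(d.group(1)), int(d.group(2))
    if r["sniffed"] and r["sniffed"] not in r["configured"]:
        r["findings"].append("pcap: configures %s but the engine sniffs %s" % (r["configured"], r["sniffed"]))
    if r["deprecated"]:
        r["findings"].append("%d deprecated key(s): suricata.yaml predates this release" % len(r["deprecated"]))
    return r
```

Run `triage(SAMPLE_LOG, SAMPLE_PCAP_YAML)["findings"]` against a real start-up log and the pcap: section of the yaml in use; a non-empty rules count together with an interface finding narrows the empty fast.log to capture configuration rather than rule loading.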