[Oisf-users] IPv4 invalid checksum alerts

Steven McIntosh Steven.McIntosh at glasgow.ac.uk
Wed Jun 12 14:37:59 UTC 2013


Hi,

We are seeing large amounts of what looks like reassembled fragments triggering the "IPv4 invalid checksum" alert.  It looks like Suricata is validating the IPv4 header checksum for reassembled fragments, but is using the checksum from the first fragment.

We are new to Suricata and so this may be a misconfiguration on our part.  I have included information on our setup.  We replicated the issue by using Hping to generate fragmented packets of the kind we were seeing, capturing them via TCPDUMP and the PCAP logging feature of Suricata, and then comparing the two.  Examples of the results are included below.  We are seeing this when using the AF_PACKET capture run mode; the issue doesn't seem to be present in the PCAP run mode.  All network card offloading has been turned off.  Turning the network card checksum offload on has no effect.

Is this a bug or a config error?

Cheers,
Steve

INSTALL details

[root@pinky suricata]# /usr/bin/suricata --build-info
This is Suricata version 1.4.2 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.13, linked against 0.2.13
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     no

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      no
  Prelude support:                         no
  PCRE jit:                                yes
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no


OFFLOAD settings

[root@pinky suricata]# ethtool --show-offload eth2
Offload parameters for eth2:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off


HPING created packets

[root@certserv ~]# hping2 xxxxxxx.org --udp --data 4000 --destport 53
HPING xxxxxxx.org (eth0 80.x.x.x): udp mode set, 28 headers + 4000 data bytes


FAST log alerts examples

06/12/2013-10:16:34.879035  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5447 -> 80.x.x.x:53
06/12/2013-10:16:35.883130  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5448 -> 80.x.x.x:53
06/12/2013-10:16:36.887177  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5449 -> 80.x.x.x:53
06/12/2013-10:16:37.891311  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5450 -> 80.x.x.x:53
06/12/2013-10:16:38.895319  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5451 -> 80.x.x.x:53
06/12/2013-10:16:39.900006  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5452 -> 80.x.x.x:53
06/12/2013-10:16:40.903377  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5453 -> 80.x.x.x:53
06/12/2013-10:16:41.907405  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5454 -> 80.x.x.x:53
06/12/2013-10:16:42.912301  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5455 -> 80.x.x.x:53
06/12/2013-10:16:43.915401  [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5456 -> 80.x.x.x:53


TCPDUMP of packets

No.     Time                       Source                Destination           Protocol Length Info
      1 2013-06-12 09:16:42.912293 130.x.x.x        80.x.x.x          IPv4     1150   Fragmented IP protocol (proto=UDP 17, off=0, ID=0066) [Reassembled in #4]

Frame 1: 1150 bytes on wire (9200 bits), 1150 bytes captured (9200 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 1132
    Identification: 0x0066 (102)
    Flags: 0x01 (More Fragments)
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x17e6 [correct]
    Source: 130.x.x.x (130.x.x.x)
    Destination: 80.x.x.x (80.x.x.x)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Reassembled IPv4 in frame: 4
Data (1112 bytes)


No.     Time                       Source                Destination           Protocol Length Info
      2 2013-06-12 09:16:42.912298 130.x.x.x        80.x.x.x          IPv4     1198   Fragmented IP protocol (proto=UDP 17, off=1112, ID=0066) [Reassembled in #4]

Frame 2: 1198 bytes on wire (9584 bits), 1198 bytes captured (9584 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 1180
    Identification: 0x0066 (102)
    Flags: 0x01 (More Fragments)
    Fragment offset: 1112
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x172b [correct]
    Source: 130.x.x.x (130.x.x.x)
    Destination: 80.x.x.x (80.x.x.x)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Reassembled IPv4 in frame: 4
Data (1160 bytes)


No.     Time                       Source                Destination           Protocol Length Info
      3 2013-06-12 09:16:42.912299 130.x.x.x        80.x.x.x          IPv4     1198   Fragmented IP protocol (proto=UDP 17, off=2272, ID=0066) [Reassembled in #4]

Frame 3: 1198 bytes on wire (9584 bits), 1198 bytes captured (9584 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 1180
    Identification: 0x0066 (102)
    Flags: 0x01 (More Fragments)
    Fragment offset: 2272
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x169a [correct]
    Source: 130.x.x.x (130.x.x.x)
    Destination: 80.x.x.x (80.x.x.x)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Reassembled IPv4 in frame: 4
Data (1160 bytes)


No.     Time                       Source                Destination           Protocol Length Info
      4 2013-06-12 09:16:42.912301 130.x.x.x        80.x.x.x          DNS      614    Unknown operation (11) 0x5858


Frame 4: 614 bytes on wire (4912 bits), 614 bytes captured (4912 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 596
    Identification: 0x0066 (102)
    Flags: 0x00
    Fragment offset: 3432
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x3851 [correct]
    Source: 130.x.x.x (130.x.x.x)
    Destination: 80.x.x.x (80.x.x.x)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    [4 IPv4 Fragments (4008 bytes): #1(1112), #2(1160), #3(1160), #4(576)]
        [Frame: 1, payload: 0-1111 (1112 bytes)]
        [Frame: 2, payload: 1112-2271 (1160 bytes)]
        [Frame: 3, payload: 2272-3431 (1160 bytes)]
        [Frame: 4, payload: 3432-4007 (576 bytes)]
        [Fragment count: 4]
        [Reassembled IPv4 length: 4008]
        [Reassembled IPv4 data: 154f00350fa859b258585858585858585858585858585858...]
User Datagram Protocol, Src Port: apc-5455 (5455), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]


SURICATA PCAP log

No.     Time                       Source                Destination           Protocol Length Info
 280679 2013-06-12 09:16:42.912301 130.x.x.x        80.x.x.x          DNS      4042   Unknown operation (11) 0x5858

Frame 280679: 4042 bytes on wire (32336 bits), 4042 bytes captured (32336 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 4028
    Identification: 0x0066 (102)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x17e6 [incorrect, should be 0x2c96 (may be caused by "IP checksum offload"?)]
    Source: 130.x.x.x (130.x.x.x)
    Destination: 80.x.x.x (80.x.x.x)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: apc-5455 (5455), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]


SURICATA run command and config

[root at pinky suricata]# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth2

[root at pinky suricata]# /usr/bin/suricata --dump-config
12/6/2013 -- 13:37:11 - <Info> - This is Suricata version 1.4.2 RELEASE
12/6/2013 -- 13:37:11 - <Info> - CPUs/cores online: 12
max-pending-packets = 1024
default-log-dir = /spare/suricata/
unix-command = (null)
unix-command.enabled = no
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = unified2-alert
outputs.1.unified2-alert = (null)
outputs.1.unified2-alert.enabled = yes
outputs.1.unified2-alert.filename = unified2.alert
outputs.1.unified2-alert.limit = 1gb
outputs.2 = http-log
outputs.2.http-log = (null)
outputs.2.http-log.enabled = no
outputs.2.http-log.filename = http.log
outputs.2.http-log.append = yes
outputs.3 = tls-log
outputs.3.tls-log = (null)
outputs.3.tls-log.enabled = no
outputs.3.tls-log.filename = tls.log
outputs.3.tls-log.certs-log-dir = certs
outputs.4 = pcap-info
outputs.4.pcap-info = (null)
outputs.4.pcap-info.enabled = no
outputs.5 = pcap-log
outputs.5.pcap-log = (null)
outputs.5.pcap-log.enabled = yes
outputs.5.pcap-log.filename = log.pcap
outputs.5.pcap-log.limit = 1000mb
outputs.5.pcap-log.max-files = 2000
outputs.5.pcap-log.mode = normal
outputs.5.pcap-log.use-stream-depth = no
outputs.6 = alert-debug
outputs.6.alert-debug = (null)
outputs.6.alert-debug.enabled = no
outputs.6.alert-debug.filename = alert-debug.log
outputs.6.alert-debug.append = yes
outputs.7 = alert-prelude
outputs.7.alert-prelude = (null)
outputs.7.alert-prelude.enabled = no
outputs.7.alert-prelude.profile = suricata
outputs.7.alert-prelude.log-packet-content = no
outputs.7.alert-prelude.log-packet-header = yes
outputs.8 = stats
outputs.8.stats = (null)
outputs.8.stats.enabled = yes
outputs.8.stats.filename = stats.log
outputs.8.stats.interval = 8
outputs.9 = syslog
outputs.9.syslog = (null)
outputs.9.syslog.enabled = no
outputs.9.syslog.facility = local5
outputs.10 = drop
outputs.10.drop = (null)
outputs.10.drop.enabled = no
outputs.10.drop.filename = drop.log
outputs.10.drop.append = yes
outputs.11 = file-store
outputs.11.file-store = (null)
outputs.11.file-store.enabled = no
outputs.11.file-store.log-dir = files
outputs.11.file-store.force-magic = no
outputs.11.file-store.force-md5 = no
outputs.12 = file-log
outputs.12.file-log = (null)
outputs.12.file-log.enabled = no
outputs.12.file-log.filename = files-json.log
outputs.12.file-log.append = yes
outputs.12.file-log.force-magic = no
outputs.12.file-log.force-md5 = no
nfq =
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.threads = 1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.0.use-mmap = yes
af-packet.1 = interface
af-packet.1.interface = eth1
af-packet.1.threads = 4
af-packet.1.cluster-id = 99
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.1.use-mmap = yes
af-packet.1.ring-size = 30000
af-packet.2 = interface
af-packet.2.interface = eth2
af-packet.2.threads = 4
af-packet.2.cluster-id = 98
af-packet.2.cluster-type = cluster_flow
af-packet.2.defrag = yes
af-packet.2.use-mmap = yes
af-packet.2.ring-size = 30000
af-packet.3 = interface
af-packet.3.interface = default
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = medium
detect-engine.1 = custom-values
detect-engine.1.custom-values = (null)
detect-engine.1.custom-values.toclient-src-groups = 2
detect-engine.1.custom-values.toclient-dst-groups = 2
detect-engine.1.custom-values.toclient-sp-groups = 2
detect-engine.1.custom-values.toclient-dp-groups = 3
detect-engine.1.custom-values.toserver-src-groups = 2
detect-engine.1.custom-values.toserver-dst-groups = 4
detect-engine.1.custom-values.toserver-sp-groups = 2
detect-engine.1.custom-values.toserver-dp-groups = 25
detect-engine.2 = sgh-mpm-context
detect-engine.2.sgh-mpm-context = auto
detect-engine.3 = inspection-recursion-limit
detect-engine.3.inspection-recursion-limit = 3000
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = decode-cpu-set
threading.cpu-affinity.2.decode-cpu-set = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 0
threading.cpu-affinity.2.decode-cpu-set.cpu.1 = 1
threading.cpu-affinity.2.decode-cpu-set.mode = balanced
threading.cpu-affinity.3 = stream-cpu-set
threading.cpu-affinity.3.stream-cpu-set = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-1
threading.cpu-affinity.4 = detect-cpu-set
threading.cpu-affinity.4.detect-cpu-set = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu.0 = all
threading.cpu-affinity.4.detect-cpu-set.mode = exclusive
threading.cpu-affinity.4.detect-cpu-set.prio = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0
threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.4.detect-cpu-set.prio.high = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.high.0 = 3
threading.cpu-affinity.4.detect-cpu-set.prio.default = medium
threading.cpu-affinity.5 = verdict-cpu-set
threading.cpu-affinity.5.verdict-cpu-set = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0
threading.cpu-affinity.5.verdict-cpu-set.prio = (null)
threading.cpu-affinity.5.verdict-cpu-set.prio.default = high
threading.cpu-affinity.6 = reject-cpu-set
threading.cpu-affinity.6.reject-cpu-set = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0
threading.cpu-affinity.6.reject-cpu-set.prio = (null)
threading.cpu-affinity.6.reject-cpu-set.prio.default = low
threading.cpu-affinity.7 = output-cpu-set
threading.cpu-affinity.7.output-cpu-set = (null)
threading.cpu-affinity.7.output-cpu-set.cpu = (null)
threading.cpu-affinity.7.output-cpu-set.cpu.0 = all
threading.cpu-affinity.7.output-cpu-set.prio = (null)
threading.cpu-affinity.7.output-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.5
cuda = (null)
cuda.0 = mpm
cuda.0.mpm = (null)
cuda.0.mpm.packet-buffer-limit = 2400
cuda.0.mpm.packet-size-limit = 1500
cuda.0.mpm.packet-buffers = 10
cuda.0.mpm.batching-timeout = 1
cuda.0.mpm.page-locked = enabled
cuda.0.mpm.device-id = 0
cuda.0.mpm.cuda-streams = 2
mpm-algo = ac
pattern-matcher = (null)
pattern-matcher.0 = b2gc
pattern-matcher.0.b2gc = (null)
pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq
pattern-matcher.0.b2gc.hash-size = low
pattern-matcher.0.b2gc.bf-size = medium
pattern-matcher.1 = b2gm
pattern-matcher.1.b2gm = (null)
pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq
pattern-matcher.1.b2gm.hash-size = low
pattern-matcher.1.b2gm.bf-size = medium
pattern-matcher.2 = b2g
pattern-matcher.2.b2g = (null)
pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq
pattern-matcher.2.b2g.hash-size = low
pattern-matcher.2.b2g.bf-size = medium
pattern-matcher.3 = b3g
pattern-matcher.3.b3g = (null)
pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq
pattern-matcher.3.b3g.hash-size = low
pattern-matcher.3.b3g.bf-size = medium
pattern-matcher.4 = wumanber
pattern-matcher.4.wumanber = (null)
pattern-matcher.4.wumanber.hash-size = low
pattern-matcher.4.wumanber.bf-size = medium
defrag = (null)
defrag.memcap = 512mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 10gb
flow.hash-size = 65536
flow.prealloc = 100000
flow.emergency-recovery = 30
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 5
flow-timeouts.default.established = 10
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 1
flow-timeouts.default.emergency-established = 2
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 5
flow-timeouts.tcp.established = 300
flow-timeouts.tcp.closed = 10
flow-timeouts.tcp.emergency-new = 1
flow-timeouts.tcp.emergency-established = 5
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 5
flow-timeouts.udp.established = 5
flow-timeouts.udp.emergency-new = 5
flow-timeouts.udp.emergency-established = 5
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 5
flow-timeouts.icmp.established = 5
flow-timeouts.icmp.emergency-new = 5
flow-timeouts.icmp.emergency-established = 5
stream = (null)
stream.memcap = 10gb
stream.checksum-validation = yes
stream.inline = no
stream.midstream = false
stream.max-sessions = 20000000
stream.prealloc-sessions = 1000000
stream.reassembly = (null)
stream.reassembly.memcap = 10gb
stream.reassembly.depth = 16mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 16777216
logging = (null)
logging.default-log-level = info
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.filename = /var/log/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 1
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap.1.buffer-size = 111111111
ipfw =
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = decoder-events.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [130.209.0.0/16,194.80.44.0/23,194.36.1.0/24]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = [80,2301,3128,8000,8080,8180,8888]
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
action-order = (null)
action-order.0 = pass
action-order.1 = drop
action-order.2 = reject
action-order.3 = alert
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.linux.0 = 10.0.0.0/8
host-os-policy.linux.1 = 192.168.1.100
host-os-policy.linux.2 = 8762:2352:6241:7245:E000:0000:0000:0000
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.solaris.0 = ::1
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
asn1-max-frames = 256
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
libhtp = (null)
libhtp.default-config = (null)
libhtp.default-config.personality = IDS
libhtp.default-config.request-body-limit = 3072
libhtp.default-config.response-body-limit = 3072
libhtp.default-config.request-body-minimal-inspect-size = 32kb
libhtp.default-config.request-body-inspect-window = 4kb
libhtp.default-config.response-body-minimal-inspect-size = 32kb
libhtp.default-config.response-body-inspect-window = 4kb
libhtp.default-config.double-decode-path = no
libhtp.default-config.double-decode-query = no
libhtp.server-config = (null)
libhtp.server-config.0 = apache
libhtp.server-config.0.apache = (null)
libhtp.server-config.0.apache.address = (null)
libhtp.server-config.0.apache.address.0 = 192.168.1.0/24
libhtp.server-config.0.apache.address.1 = 127.0.0.0/8
libhtp.server-config.0.apache.address.2 = ::1
libhtp.server-config.0.apache.personality = Apache_2_2
libhtp.server-config.0.apache.request-body-limit = 4096
libhtp.server-config.0.apache.response-body-limit = 4096
libhtp.server-config.0.apache.double-decode-path = no
libhtp.server-config.0.apache.double-decode-query = no
libhtp.server-config.1 = iis7
libhtp.server-config.1.iis7 = (null)
libhtp.server-config.1.iis7.address = (null)
libhtp.server-config.1.iis7.address.0 = 192.168.0.0/24
libhtp.server-config.1.iis7.address.1 = 192.168.10.0/24
libhtp.server-config.1.iis7.personality = IIS_7_0
libhtp.server-config.1.iis7.request-body-limit = 4096
libhtp.server-config.1.iis7.response-body-limit = 4096
libhtp.server-config.1.iis7.double-decode-path = no
libhtp.server-config.1.iis7.double-decode-query = no
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
coredump = (null)
coredump.max-dump = unlimited
napatech = (null)
napatech.hba = -1
napatech.use-all-streams = yes
napatech.streams = (null)
napatech.streams.0 = 1
napatech.streams.1 = 2
napatech.streams.2 = 3

--
Steven McIntosh
IT Security, IT Services
University of Glasgow, charity number SC004401

http://www.gla.ac.uk/cert
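The dissection above shows a reassembled 4028-byte datagram whose header checksum (0x17e6) no longer matches its header, which is what happens when a defragmenter rewrites Total Length and the fragment fields but keeps the first fragment's checksum. The following is an added example, not code from the post or from Suricata, that rebuilds that situation with RFC 1071 arithmetic; the addresses are constructed TEST-NET values because the post redacts the real ones, so it does not reproduce the exact 0x17e6/0x2c96 pair.

```python
"""Added example: why a defragmented IPv4 header that reuses the first
fragment's checksum fails validation, and what a correct recompute looks like.
Addresses below are constructed (TEST-NET), not the ones from the post."""
import struct

MF = 0x1  # IPv4 "More Fragments" flag bit (within the 3-bit flags field)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the header with the checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"  # the checksum field counts as zero while summing
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_length, ident, flags, frag_offset, ttl, proto,
                      src, dst, checksum=None):
    """Build a 20-byte IPv4 header (IHL 5, DSCP 0). If checksum is None the
    correct value is computed; otherwise the given (possibly stale) one is kept."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident,
                      flags_frag, ttl, proto, 0, src, dst)
    if checksum is None:
        checksum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def header_checksum_ok(header: bytes) -> bool:
    """True when the stored checksum matches the header contents."""
    stored = struct.unpack("!H", header[10:12])[0]
    return stored == ipv4_checksum(header)


SRC = bytes([192, 0, 2, 10])     # constructed sender address
DST = bytes([198, 51, 100, 53])  # constructed DNS server address


def reassembly_example():
    """Mirror the post: first fragment valid, reassembled header reusing the
    fragment's checksum invalid, recomputed header valid again."""
    # First fragment as seen on the wire: 1500 bytes, MF set, offset 0.
    first_frag = build_ipv4_header(1500, 0x0066, MF, 0, 63, 17, SRC, DST)
    first_csum = struct.unpack("!H", first_frag[10:12])[0]
    # Reassembled pseudo-packet: Total Length 4028, Flags 0, offset 0 (as in
    # the dissection), but with the checksum copied from the first fragment.
    stale = build_ipv4_header(4028, 0x0066, 0, 0, 63, 17, SRC, DST,
                              checksum=first_csum)
    # What the defragmenter should emit: the same header with a fresh checksum.
    fixed = build_ipv4_header(4028, 0x0066, 0, 0, 63, 17, SRC, DST)
    return (header_checksum_ok(first_frag), header_checksum_ok(stale),
            header_checksum_ok(fixed))
```

Running `reassembly_example()` returns `(True, False, True)`: the stale header is exactly the kind of packet Wireshark marks "incorrect" and Suricata's decoder alerts on, and the only fix is to recompute after the length and fragment fields change.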
