[Oisf-users] IPv4 invalid checksum alerts
Steven McIntosh
Steven.McIntosh at glasgow.ac.uk
Wed Jun 12 14:37:59 UTC 2013
Hi,
We are seeing large amounts of what looks like reassembled fragments triggering the "IPv4 invalid checksum" alert. It looks like Suricata is validating the IPv4 header checksum for reassembled fragments, but is using the checksum from the first fragment.
We are new to Suricata and so this may be a misconfiguration on our part. I have included information on our setup. We replicated the issue by using Hping to generate fragmented packets of the kind we were seeing, capturing them via TCPDUMP and the PCAP logging feature of Suricata, then comparing the two. Examples of the results are included below. We are seeing this when using the AF_PACKET capture run mode; the issue doesn't seem to be present in the PCAP run mode. All network card offloading has been turned off. Turning the network card checksum offload on has no effect.
Is this a bug or a config error?
Cheers,
Steve
INSTALL details
[root at pinky suricata]# /usr/bin/suricata --build-info
This is Suricata version 1.4.2 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK
HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT
64-bits, Little-endian architecture
GCC version 4.6.3, C version 199901
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.13, linked against 0.2.13
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: yes
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
OFFLOAD settings
[root at pinky suricata]# ethtool --show-offload eth2
Offload parameters for eth2:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off
HPING created packets
[root at certserv ~]# hping2 xxxxxxx.org --udp --data 4000 --destport 53
HPING xxxxxxx.org (eth0 80.x.x.x): udp mode set, 28 headers + 4000 data bytes
FAST log alerts examples
06/12/2013-10:16:34.879035 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5447 -> 80.x.x.x:53
06/12/2013-10:16:35.883130 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5448 -> 80.x.x.x:53
06/12/2013-10:16:36.887177 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5449 -> 80.x.x.x:53
06/12/2013-10:16:37.891311 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5450 -> 80.x.x.x:53
06/12/2013-10:16:38.895319 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5451 -> 80.x.x.x:53
06/12/2013-10:16:39.900006 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5452 -> 80.x.x.x:53
06/12/2013-10:16:40.903377 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5453 -> 80.x.x.x:53
06/12/2013-10:16:41.907405 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5454 -> 80.x.x.x:53
06/12/2013-10:16:42.912301 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5455 -> 80.x.x.x:53
06/12/2013-10:16:43.915401 [**] [1:2200073:1] SURICATA IPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 130.x.x.x:5456 -> 80.x.x.x:53
TCPDUMP of packets
No. Time Source Destination Protocol Length Info
1 2013-06-12 09:16:42.912293 130.x.x.x 80.x.x.x IPv4 1150 Fragmented IP protocol
(proto=UDP 17, off=0, ID=0066) [Reassembled in #4]
Frame 1: 1150 bytes on wire (9200 bits), 1150 bytes captured (9200 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 1132
Identification: 0x0066 (102)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 63
Protocol: UDP (17)
Header checksum: 0x17e6 [correct]
Source: 130.x.x.x (130.x.x.x)
Destination: 80.x.x.x (80.x.x.x)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Reassembled IPv4 in frame: 4
Data (1112 bytes)
No. Time Source Destination Protocol Length Info
2 2013-06-12 09:16:42.912298 130.x.x.x 80.x.x.x IPv4 1198 Fragmented IP protocol
(proto=UDP 17, off=1112, ID=0066) [Reassembled in #4]
Frame 2: 1198 bytes on wire (9584 bits), 1198 bytes captured (9584 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 1180
Identification: 0x0066 (102)
Flags: 0x01 (More Fragments)
Fragment offset: 1112
Time to live: 63
Protocol: UDP (17)
Header checksum: 0x172b [correct]
Source: 130.x.x.x (130.x.x.x)
Destination: 80.x.x.x (80.x.x.x)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Reassembled IPv4 in frame: 4
Data (1160 bytes)
No. Time Source Destination Protocol Length Info
3 2013-06-12 09:16:42.912299 130.x.x.x 80.x.x.x IPv4 1198 Fragmented IP protocol
(proto=UDP 17, off=2272, ID=0066) [Reassembled in #4]
Frame 3: 1198 bytes on wire (9584 bits), 1198 bytes captured (9584 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 1180
Identification: 0x0066 (102)
Flags: 0x01 (More Fragments)
Fragment offset: 2272
Time to live: 63
Protocol: UDP (17)
Header checksum: 0x169a [correct]
Source: 130.x.x.x (130.x.x.x)
Destination: 80.x.x.x (80.x.x.x)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Reassembled IPv4 in frame: 4
Data (1160 bytes)
No. Time Source Destination Protocol Length Info
4 2013-06-12 09:16:42.912301 130.x.x.x 80.x.x.x DNS 614 Unknown operation (11) 0x5858
Frame 4: 614 bytes on wire (4912 bits), 614 bytes captured (4912 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1001
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 596
Identification: 0x0066 (102)
Flags: 0x00
Fragment offset: 3432
Time to live: 63
Protocol: UDP (17)
Header checksum: 0x3851 [correct]
Source: 130.x.x.x (130.x.x.x)
Destination: 80.x.x.x (80.x.x.x)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
[4 IPv4 Fragments (4008 bytes): #1(1112), #2(1160), #3(1160), #4(576)]
[Frame: 1, payload: 0-1111 (1112 bytes)]
[Frame: 2, payload: 1112-2271 (1160 bytes)]
[Frame: 3, payload: 2272-3431 (1160 bytes)]
[Frame: 4, payload: 3432-4007 (576 bytes)]
[Fragment count: 4]
[Reassembled IPv4 length: 4008]
[Reassembled IPv4 data: 154f00350fa859b258585858585858585858585858585858...]
User Datagram Protocol, Src Port: apc-5455 (5455), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
SURICATA PCAP log
No. Time Source Destination Protocol Length Info
280679 2013-06-12 09:16:42.912301 130.x.x.x 80.x.x.x DNS 4042 Unknown operation (11) 0x5858
Frame 280679: 4042 bytes on wire (32336 bits), 4042 bytes captured (32336 bits)
Ethernet II, Src: Cisco_AA:AA:AA (AA:AA:AA:AA:AA:AA), Dst: Cisco_BB:BB:BB (BB:BB:BB:BB:BB:BB)
Internet Protocol Version 4, Src: 130.x.x.x (130.x.x.x), Dst: 80.x.x.x (80.x.x.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 4028
Identification: 0x0066 (102)
Flags: 0x00
Fragment offset: 0
Time to live: 63
Protocol: UDP (17)
Header checksum: 0x17e6 [incorrect, should be 0x2c96 (may be caused by "IP checksum offload"?)]
Source: 130.x.x.x (130.x.x.x)
Destination: 80.x.x.x (80.x.x.x)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: apc-5455 (5455), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]
SURICATA run command and config
[root at pinky suricata]# /usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth2
[root at pinky suricata]# /usr/bin/suricata --dump-config
12/6/2013 -- 13:37:11 - <Info> - This is Suricata version 1.4.2 RELEASE
12/6/2013 -- 13:37:11 - <Info> - CPUs/cores online: 12
max-pending-packets = 1024
default-log-dir = /spare/suricata/
unix-command = (null)
unix-command.enabled = no
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = unified2-alert
outputs.1.unified2-alert = (null)
outputs.1.unified2-alert.enabled = yes
outputs.1.unified2-alert.filename = unified2.alert
outputs.1.unified2-alert.limit = 1gb
outputs.2 = http-log
outputs.2.http-log = (null)
outputs.2.http-log.enabled = no
outputs.2.http-log.filename = http.log
outputs.2.http-log.append = yes
outputs.3 = tls-log
outputs.3.tls-log = (null)
outputs.3.tls-log.enabled = no
outputs.3.tls-log.filename = tls.log
outputs.3.tls-log.certs-log-dir = certs
outputs.4 = pcap-info
outputs.4.pcap-info = (null)
outputs.4.pcap-info.enabled = no
outputs.5 = pcap-log
outputs.5.pcap-log = (null)
outputs.5.pcap-log.enabled = yes
outputs.5.pcap-log.filename = log.pcap
outputs.5.pcap-log.limit = 1000mb
outputs.5.pcap-log.max-files = 2000
outputs.5.pcap-log.mode = normal
outputs.5.pcap-log.use-stream-depth = no
outputs.6 = alert-debug
outputs.6.alert-debug = (null)
outputs.6.alert-debug.enabled = no
outputs.6.alert-debug.filename = alert-debug.log
outputs.6.alert-debug.append = yes
outputs.7 = alert-prelude
outputs.7.alert-prelude = (null)
outputs.7.alert-prelude.enabled = no
outputs.7.alert-prelude.profile = suricata
outputs.7.alert-prelude.log-packet-content = no
outputs.7.alert-prelude.log-packet-header = yes
outputs.8 = stats
outputs.8.stats = (null)
outputs.8.stats.enabled = yes
outputs.8.stats.filename = stats.log
outputs.8.stats.interval = 8
outputs.9 = syslog
outputs.9.syslog = (null)
outputs.9.syslog.enabled = no
outputs.9.syslog.facility = local5
outputs.10 = drop
outputs.10.drop = (null)
outputs.10.drop.enabled = no
outputs.10.drop.filename = drop.log
outputs.10.drop.append = yes
outputs.11 = file-store
outputs.11.file-store = (null)
outputs.11.file-store.enabled = no
outputs.11.file-store.log-dir = files
outputs.11.file-store.force-magic = no
outputs.11.file-store.force-md5 = no
outputs.12 = file-log
outputs.12.file-log = (null)
outputs.12.file-log.enabled = no
outputs.12.file-log.filename = files-json.log
outputs.12.file-log.append = yes
outputs.12.file-log.force-magic = no
outputs.12.file-log.force-md5 = no
nfq =
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.threads = 1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.0.use-mmap = yes
af-packet.1 = interface
af-packet.1.interface = eth1
af-packet.1.threads = 4
af-packet.1.cluster-id = 99
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.1.use-mmap = yes
af-packet.1.ring-size = 30000
af-packet.2 = interface
af-packet.2.interface = eth2
af-packet.2.threads = 4
af-packet.2.cluster-id = 98
af-packet.2.cluster-type = cluster_flow
af-packet.2.defrag = yes
af-packet.2.use-mmap = yes
af-packet.2.ring-size = 30000
af-packet.3 = interface
af-packet.3.interface = default
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = medium
detect-engine.1 = custom-values
detect-engine.1.custom-values = (null)
detect-engine.1.custom-values.toclient-src-groups = 2
detect-engine.1.custom-values.toclient-dst-groups = 2
detect-engine.1.custom-values.toclient-sp-groups = 2
detect-engine.1.custom-values.toclient-dp-groups = 3
detect-engine.1.custom-values.toserver-src-groups = 2
detect-engine.1.custom-values.toserver-dst-groups = 4
detect-engine.1.custom-values.toserver-sp-groups = 2
detect-engine.1.custom-values.toserver-dp-groups = 25
detect-engine.2 = sgh-mpm-context
detect-engine.2.sgh-mpm-context = auto
detect-engine.3 = inspection-recursion-limit
detect-engine.3.inspection-recursion-limit = 3000
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = decode-cpu-set
threading.cpu-affinity.2.decode-cpu-set = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 0
threading.cpu-affinity.2.decode-cpu-set.cpu.1 = 1
threading.cpu-affinity.2.decode-cpu-set.mode = balanced
threading.cpu-affinity.3 = stream-cpu-set
threading.cpu-affinity.3.stream-cpu-set = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-1
threading.cpu-affinity.4 = detect-cpu-set
threading.cpu-affinity.4.detect-cpu-set = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu.0 = all
threading.cpu-affinity.4.detect-cpu-set.mode = exclusive
threading.cpu-affinity.4.detect-cpu-set.prio = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0
threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.4.detect-cpu-set.prio.high = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.high.0 = 3
threading.cpu-affinity.4.detect-cpu-set.prio.default = medium
threading.cpu-affinity.5 = verdict-cpu-set
threading.cpu-affinity.5.verdict-cpu-set = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0
threading.cpu-affinity.5.verdict-cpu-set.prio = (null)
threading.cpu-affinity.5.verdict-cpu-set.prio.default = high
threading.cpu-affinity.6 = reject-cpu-set
threading.cpu-affinity.6.reject-cpu-set = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0
threading.cpu-affinity.6.reject-cpu-set.prio = (null)
threading.cpu-affinity.6.reject-cpu-set.prio.default = low
threading.cpu-affinity.7 = output-cpu-set
threading.cpu-affinity.7.output-cpu-set = (null)
threading.cpu-affinity.7.output-cpu-set.cpu = (null)
threading.cpu-affinity.7.output-cpu-set.cpu.0 = all
threading.cpu-affinity.7.output-cpu-set.prio = (null)
threading.cpu-affinity.7.output-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.5
cuda = (null)
cuda.0 = mpm
cuda.0.mpm = (null)
cuda.0.mpm.packet-buffer-limit = 2400
cuda.0.mpm.packet-size-limit = 1500
cuda.0.mpm.packet-buffers = 10
cuda.0.mpm.batching-timeout = 1
cuda.0.mpm.page-locked = enabled
cuda.0.mpm.device-id = 0
cuda.0.mpm.cuda-streams = 2
mpm-algo = ac
pattern-matcher = (null)
pattern-matcher.0 = b2gc
pattern-matcher.0.b2gc = (null)
pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq
pattern-matcher.0.b2gc.hash-size = low
pattern-matcher.0.b2gc.bf-size = medium
pattern-matcher.1 = b2gm
pattern-matcher.1.b2gm = (null)
pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq
pattern-matcher.1.b2gm.hash-size = low
pattern-matcher.1.b2gm.bf-size = medium
pattern-matcher.2 = b2g
pattern-matcher.2.b2g = (null)
pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq
pattern-matcher.2.b2g.hash-size = low
pattern-matcher.2.b2g.bf-size = medium
pattern-matcher.3 = b3g
pattern-matcher.3.b3g = (null)
pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq
pattern-matcher.3.b3g.hash-size = low
pattern-matcher.3.b3g.bf-size = medium
pattern-matcher.4 = wumanber
pattern-matcher.4.wumanber = (null)
pattern-matcher.4.wumanber.hash-size = low
pattern-matcher.4.wumanber.bf-size = medium
defrag = (null)
defrag.memcap = 512mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 10gb
flow.hash-size = 65536
flow.prealloc = 100000
flow.emergency-recovery = 30
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 5
flow-timeouts.default.established = 10
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 1
flow-timeouts.default.emergency-established = 2
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 5
flow-timeouts.tcp.established = 300
flow-timeouts.tcp.closed = 10
flow-timeouts.tcp.emergency-new = 1
flow-timeouts.tcp.emergency-established = 5
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 5
flow-timeouts.udp.established = 5
flow-timeouts.udp.emergency-new = 5
flow-timeouts.udp.emergency-established = 5
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 5
flow-timeouts.icmp.established = 5
flow-timeouts.icmp.emergency-new = 5
flow-timeouts.icmp.emergency-established = 5
stream = (null)
stream.memcap = 10gb
stream.checksum-validation = yes
stream.inline = no
stream.midstream = false
stream.max-sessions = 20000000
stream.prealloc-sessions = 1000000
stream.reassembly = (null)
stream.reassembly.memcap = 10gb
stream.reassembly.depth = 16mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 16777216
logging = (null)
logging.default-log-level = info
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.filename = /var/log/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 1
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap.1.buffer-size = 111111111
ipfw =
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = decoder-events.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [130.209.0.0/16,194.80.44.0/23,194.36.1.0/24]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = [80,2301,3128,8000,8080,8180,8888]
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
action-order = (null)
action-order.0 = pass
action-order.1 = drop
action-order.2 = reject
action-order.3 = alert
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.linux.0 = 10.0.0.0/8
host-os-policy.linux.1 = 192.168.1.100
host-os-policy.linux.2 = 8762:2352:6241:7245:E000:0000:0000:0000
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.solaris.0 = ::1
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
asn1-max-frames = 256
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
libhtp = (null)
libhtp.default-config = (null)
libhtp.default-config.personality = IDS
libhtp.default-config.request-body-limit = 3072
libhtp.default-config.response-body-limit = 3072
libhtp.default-config.request-body-minimal-inspect-size = 32kb
libhtp.default-config.request-body-inspect-window = 4kb
libhtp.default-config.response-body-minimal-inspect-size = 32kb
libhtp.default-config.response-body-inspect-window = 4kb
libhtp.default-config.double-decode-path = no
libhtp.default-config.double-decode-query = no
libhtp.server-config = (null)
libhtp.server-config.0 = apache
libhtp.server-config.0.apache = (null)
libhtp.server-config.0.apache.address = (null)
libhtp.server-config.0.apache.address.0 = 192.168.1.0/24
libhtp.server-config.0.apache.address.1 = 127.0.0.0/8
libhtp.server-config.0.apache.address.2 = ::1
libhtp.server-config.0.apache.personality = Apache_2_2
libhtp.server-config.0.apache.request-body-limit = 4096
libhtp.server-config.0.apache.response-body-limit = 4096
libhtp.server-config.0.apache.double-decode-path = no
libhtp.server-config.0.apache.double-decode-query = no
libhtp.server-config.1 = iis7
libhtp.server-config.1.iis7 = (null)
libhtp.server-config.1.iis7.address = (null)
libhtp.server-config.1.iis7.address.0 = 192.168.0.0/24
libhtp.server-config.1.iis7.address.1 = 192.168.10.0/24
libhtp.server-config.1.iis7.personality = IIS_7_0
libhtp.server-config.1.iis7.request-body-limit = 4096
libhtp.server-config.1.iis7.response-body-limit = 4096
libhtp.server-config.1.iis7.double-decode-path = no
libhtp.server-config.1.iis7.double-decode-query = no
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
coredump = (null)
coredump.max-dump = unlimited
napatech = (null)
napatech.hba = -1
napatech.use-all-streams = yes
napatech.streams = (null)
napatech.streams.0 = 1
napatech.streams.1 = 2
napatech.streams.2 = 3
--
Steven McIntosh
IT Security, IT Services
University of Glasgow, charity number SC004401
http://www.gla.ac.uk/cert
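The dissection in the post shows a reassembled datagram whose Total Length (4028) and Flags have been rewritten by defrag while the Header checksum still carries the value from the first fragment, which is what makes the alert fire. As an added example (not code from the post or from Suricata), this Python script computes the RFC 791 header checksum, builds a constructed first-fragment header, then the reassembled header carrying that stale checksum, and reports the stored/expected pair the same way Wireshark's "incorrect, should be" annotation does; the addresses are RFC 5737 documentation addresses and the 1500-byte first-fragment length is an assumption, since the post masks the real addresses.

```python
import socket
import struct

MF = 0x1  # "More Fragments" flag bit

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of the
    header's 16-bit words, with the checksum field (bytes 10-11) taken as 0."""
    if len(header) < 20 or len(header) % 2:
        raise ValueError("need an even-length IPv4 header of at least 20 bytes")
    total = 0
    for i in range(0, len(header), 2):
        if i == 10:                      # skip the stored checksum itself
            continue
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_ipv4_header(header: bytes) -> tuple:
    """Return (stored, expected): equal when the header checksum is valid,
    otherwise the pair Wireshark prints as 'incorrect, should be ...'."""
    stored = (header[10] << 8) | header[11]
    return stored, ipv4_header_checksum(header)

def build_ipv4_header(total_length, ident, flags, frag_offset, ttl, proto,
                      src, dst, checksum=0) -> bytes:
    # Version 4, IHL 5, DSCP/ECN 0, no options: the layout in the dissection.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                       (flags << 13) | frag_offset, ttl, proto, checksum,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed values: the post masks the real addresses, so RFC 5737
# documentation addresses stand in; id 0x0066, TTL 63, UDP and the 4028-byte
# reassembled length are taken from the dissection.
SRC, DST = "192.0.2.1", "198.51.100.1"
FIRST_FRAGMENT_LEN = 1500  # assumed: 20-byte header + 1480 bytes on a 1500 MTU

def first_fragment_header() -> bytes:
    unsigned = build_ipv4_header(FIRST_FRAGMENT_LEN, 0x0066, MF, 0, 63, 17, SRC, DST)
    return build_ipv4_header(FIRST_FRAGMENT_LEN, 0x0066, MF, 0, 63, 17, SRC, DST,
                             ipv4_header_checksum(unsigned))

def reassembled_header_with_stale_checksum() -> bytes:
    """Defrag rewrites Total Length to 4028 and clears MF/offset but keeps
    the first fragment's checksum, which is what the alert then flags."""
    stale = int.from_bytes(first_fragment_header()[10:12], "big")
    return build_ipv4_header(4028, 0x0066, 0, 0, 63, 17, SRC, DST, stale)

if __name__ == "__main__":
    for name, hdr in (("first fragment", first_fragment_header()),
                      ("reassembled", reassembled_header_with_stale_checksum())):
        print(name, "stored/expected = %#06x/%#06x" % check_ipv4_header(hdr))
```

Running it shows the first fragment validating and the reassembled header failing with a different expected value, which is the pattern to look for when deciding whether such alerts reflect wire corruption or a post-defrag header that was never re-checksummed.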