[Oisf-users] Suricata process goes down from time to time

C. L. Martinez carlopmart at gmail.com
Wed Jun 12 07:29:23 UTC 2013


>> >>
>> maximum: 16777216
>> 12/6/2013 -- 05:48:29 - <Info> - cleaning up signature grouping
>> structure... complete
>>
>> suricata process doesn't stop ... It seems the problem only appears
>> when I run suricata in daemonized mode ...
>
>
> 1. I see a "live rule swap" - could you try running it without the live
> swaps?
> 2. what does suricata.log say when you run it in daemon mode and it stops?
>
> thanks
>>

1.- OK, I will disable rule updates.
2.- I think it is a normal stop:


12/6/2013 -- 06:56:55 - <Info> - Delayed detect disabled
12/6/2013 -- 06:57:05 - <Info> - 22 rule files processed. 10964 rules
successfully loaded, 0 rules failed
12/6/2013 -- 06:57:41 - <Info> - 10971 signatures processed. 163 are
IP-only rules, 2768 are inspecting packet payload, 9753 inspect
application layer, 0 are decoder event only
12/6/2013 -- 06:57:41 - <Info> - building signature grouping
structure, stage 1: adding signatures to signature source addresses...
complete
12/6/2013 -- 06:57:42 - <Info> - building signature grouping
structure, stage 2: building source address list... complete
12/6/2013 -- 06:57:45 - <Info> - building signature grouping
structure, stage 3: building destination address lists... complete
12/6/2013 -- 06:57:48 - <Info> - Threshold config parsed: 1 rule(s) found
12/6/2013 -- 06:57:48 - <Info> - Max dump is 0
12/6/2013 -- 06:57:48 - <Info> - Core dump setting attempted is 0
12/6/2013 -- 06:57:48 - <Info> - Core dump size set to 0
12/6/2013 -- 06:57:48 - <Info> - fast output device (regular)
initialized: fast.log
12/6/2013 -- 06:57:48 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 64 MB
12/6/2013 -- 06:57:48 - <Info> - tls-log output device (regular)
initialized: tls.log
12/6/2013 -- 06:57:48 - <Info> - Using 1 live device(s).
12/6/2013 -- 06:57:48 - <Info> - BPF filter set from command line or
via old 'bpf-filter' option.
12/6/2013 -- 06:57:48 - <Info> - using interface em5
12/6/2013 -- 06:57:48 - <Info> - Running in 'auto' checksum mode.
Detection of interface state will require 1000 packets.
12/6/2013 -- 06:57:48 - <Info> - Found an MTU of 1514 for 'em5'
12/6/2013 -- 06:57:48 - <Info> - Set snaplen to 1514 for 'em5'
12/6/2013 -- 06:57:48 - <Info> - RunModeIdsPcapAutoFp initialised
12/6/2013 -- 06:57:48 - <Info> - stream "max-sessions": 262144
12/6/2013 -- 06:57:48 - <Info> - stream "prealloc-sessions": 32768
12/6/2013 -- 06:57:48 - <Info> - stream "memcap": 33554432
12/6/2013 -- 06:57:48 - <Info> - stream "midstream" session pickups: disabled
12/6/2013 -- 06:57:48 - <Info> - stream "async-oneside": disabled
12/6/2013 -- 06:57:48 - <Info> - stream "checksum-validation": enabled
12/6/2013 -- 06:57:48 - <Info> - stream."inline": disabled
12/6/2013 -- 06:57:48 - <Info> - stream.reassembly "memcap": 67108864
12/6/2013 -- 06:57:48 - <Info> - stream.reassembly "depth": 1048576
12/6/2013 -- 06:57:48 - <Info> - stream.reassembly "toserver-chunk-size": 2560
12/6/2013 -- 06:57:48 - <Info> - stream.reassembly "toclient-chunk-size": 2560
12/6/2013 -- 06:57:48 - <Info> - all 2 packet processing threads, 3
management threads initialized, engine started.
12/6/2013 -- 06:57:49 - <Info> - No packets with invalid checksum,
assuming checksum offloading is NOT used
12/6/2013 -- 07:28:56 - <Info> - Signal Received.  Stopping engine.
12/6/2013 -- 07:28:56 - <Info> - 0 new flows, 0 established flows were
timed out, 0 flows in closed state
12/6/2013 -- 07:28:56 - <Info> - time elapsed 1867.751s
12/6/2013 -- 07:28:56 - <Info> - (RxPcapem51) Packets 2090077, bytes 1593343374
12/6/2013 -- 07:28:56 - <Info> - (RxPcapem51) Pcap Total:20688097
Recv:20688097 Drop:0 (0.0%).
12/6/2013 -- 07:28:56 - <Info> - AutoFP - Total flow handler queues - 1
12/6/2013 -- 07:28:56 - <Info> - AutoFP - Queue 0  - pkts: 2098668
 flows: 11473
12/6/2013 -- 07:28:56 - <Info> - Stream TCP processed 2098610 TCP packets
12/6/2013 -- 07:28:56 - <Info> - Fast log output wrote 7 alerts
12/6/2013 -- 07:28:56 - <Info> - Alert unified2 module wrote 7 alerts
12/6/2013 -- 07:28:56 - <Info> - TLS logger logged 2098 requests
12/6/2013 -- 07:28:56 - <Info> - host memory usage: 194304 bytes,
maximum: 16777216
12/6/2013 -- 07:28:56 - <Info> - cleaning up signature grouping
structure... complete
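The log above ends with "Signal Received.  Stopping engine." followed by the full shutdown summary, which is what distinguishes a stop triggered from outside (init script, watchdog, an operator's kill) from a crash or a SIGKILL, neither of which leaves a summary. The following script is an added example for triaging such a log; it is not part of the thread or of Suricata itself. It assumes the line shape shown in the mail ("12/6/2013 -- 07:28:56 - <Info> - message", day/month/year) and that long messages may be wrapped across physical lines by the archive; the sample logs embedded in it are constructed from that shape.

```python
"""Triage a suricata.log shutdown: did the engine stop on a signal (clean),
or did it vanish without a shutdown summary (crash or SIGKILL)?
Added example, not Suricata code; assumes the log format shown in the thread."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Line shape in the thread: "12/6/2013 -- 07:28:56 - <Info> - message"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>[A-Za-z]+)> - (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: datetime
    level: str
    msg: str


def parse_log(text: str) -> list[Entry]:
    """Parse suricata.log text. Physical lines that do not start with a
    timestamp are continuations of the previous message (the archive wraps
    long lines) and are folded back into it."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
            entries.append(Entry(ts, m["level"], m["msg"]))
        elif entries:
            entries[-1].msg += " " + line
    return entries


@dataclass
class ShutdownReport:
    started: bool = False          # saw "engine started"
    signal_stop: bool = False      # saw "Signal Received. Stopping engine."
    summary: bool = False          # saw the final "cleaning up signature grouping structure"
    core_dumps_disabled: bool = False
    elapsed_s: Optional[float] = None
    drop_pct: Optional[float] = None
    problems: list[str] = field(default_factory=list)  # Error/Warning messages

    def verdict(self) -> str:
        if self.signal_stop and self.summary:
            return "clean stop: engine received a signal; find out what sent it"
        if self.started and not self.summary:
            return "abrupt stop: no shutdown summary; check dmesg/OOM killer and core dumps"
        if not self.started:
            return "never reached 'engine started'; look at config/rule load errors"
        return "unclassified"


def analyse(entries: list[Entry]) -> ShutdownReport:
    r = ShutdownReport()
    for e in entries:
        msg = e.msg
        if "engine started" in msg:
            r.started = True
        if "Signal Received" in msg and "Stopping engine" in msg:
            r.signal_stop = True
        if "cleaning up signature grouping structure" in msg:
            r.summary = True
        if "Core dump size set to 0" in msg:
            r.core_dumps_disabled = True   # a crash would leave no core to analyse
        if e.level.lower() in ("error", "warning"):
            r.problems.append(msg)
        m = re.search(r"time elapsed ([\d.]+)s", msg)
        if m:
            r.elapsed_s = float(m.group(1))
        m = re.search(r"Drop:(\d+) \(([\d.]+)%\)", msg)
        if m:
            r.drop_pct = float(m.group(2))
    return r


# Constructed sample: a clean, signal-driven stop (shape taken from the thread).
CLEAN_LOG = """\
12/6/2013 -- 06:57:48 - <Info> - Core dump size set to 0
12/6/2013 -- 06:57:48 - <Info> - all 2 packet processing threads, 3
management threads initialized, engine started.
12/6/2013 -- 07:28:56 - <Info> - Signal Received.  Stopping engine.
12/6/2013 -- 07:28:56 - <Info> - time elapsed 1867.751s
12/6/2013 -- 07:28:56 - <Info> - (RxPcapem51) Pcap Total:20688097
Recv:20688097 Drop:0 (0.0%).
12/6/2013 -- 07:28:56 - <Info> - cleaning up signature grouping
structure... complete
"""

# Constructed sample: the log simply ends after startup (crash or SIGKILL).
ABRUPT_LOG = """\
12/6/2013 -- 06:57:48 - <Info> - Core dump size set to 0
12/6/2013 -- 06:57:48 - <Info> - all 2 packet processing threads, 3
management threads initialized, engine started.
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_LOG), ("abrupt", ABRUPT_LOG)):
        rep = analyse(parse_log(text))
        print(f"{name}: {rep.verdict()} (elapsed={rep.elapsed_s}, drop={rep.drop_pct}%)")
```

SIGKILL cannot be caught, so an OOM kill or a `kill -9` from a script never produces the "Signal Received" line; a log that stops dead after "engine started" points there or at a crash, and with "Core dump size set to 0" (as in the thread) a crash leaves no core to inspect either, which is worth changing before the next occurrence.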