[Oisf-users] Sporadic very high latency with 2.0dev version.
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Fri Mar 7 09:53:54 UTC 2014
Hi all,
Here's a problem i don't understand.
>From time to time i get very high latency, so high that almost no traffic is possible.
Though not high traffic is active, but what i see is the following.
Strong change the following values:
CPU Interrupts per seconds, from normally 3 Kips to 50 Kips
CPU Utilization , from normally User time 3% to 35% and System time 0.5% to 10% and Softirq time 0.3% to 8%
But no high CPU Load 1 = 0.2 // 5 = 0.1 // 15 = 0.1
When i stop suri, are all problems away !
Any idea an help here ?
thx
Stefan
Here output logfile bridge0:
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -q 0 -q 1 -q 2 -q 3 -l /nsm/sensor_data/Serrig-intern --runmode workers
[28826] 7/3/2014 -- 06:00:26 - (flow-manager.c:561) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[5400] 7/3/2014 -- 06:00:26 - (suricata.c:983) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev 00d2f2d)
[5400] 7/3/2014 -- 06:00:26 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 4
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
[5400] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:324) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[5400] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:336) <Info> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[5400] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:348) <Info> (DNSUDPConfigure) -- DNS global memcap: 16777216
[5400] 7/3/2014 -- 06:00:26 - (source-nfq.c:240) <Info> (NFQInitConfig) -- Enabling fail-open on queue
[5400] 7/3/2014 -- 06:00:26 - (source-nfq.c:277) <Info> (NFQInitConfig) -- NFQ running in standard ACCEPT/DROP mode
[5400] 7/3/2014 -- 06:00:26 - (defrag-hash.c:212) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[5400] 7/3/2014 -- 06:00:26 - (defrag-hash.c:237) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[5400] 7/3/2014 -- 06:00:26 - (defrag-hash.c:244) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 33554432
[5400] 7/3/2014 -- 06:00:26 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[5400] 7/3/2014 -- 06:00:26 - (tmqh-packetpool.c:142) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 3565568
[5400] 7/3/2014 -- 06:00:26 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[5400] 7/3/2014 -- 06:00:26 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[5400] 7/3/2014 -- 06:00:26 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[5400] 7/3/2014 -- 06:00:26 - (flow.c:391) <Info> (FlowInitConfig) -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
[5400] 7/3/2014 -- 06:00:26 - (flow.c:415) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 280
[5400] 7/3/2014 -- 06:00:26 - (flow.c:417) <Info> (FlowInitConfig) -- flow memory usage: 7074304 bytes, maximum: 33554432
[5400] 7/3/2014 -- 06:00:26 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[5400] 7/3/2014 -- 06:00:26 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[5400] 7/3/2014 -- 06:00:26 - (suricata.c:1817) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[28660] 7/3/2014 -- 06:00:27 - (suricata.c:1005) <Info> (SCPrintElapsedTime) -- time elapsed 86384.945s
[28822] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q0) Treated: Pkts 2144759, Bytes 1221986951, Errors 0
[28822] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q0) Verdict: Accepted 2143556, Dropped 1203, Replaced 0
[28822] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 6211144 TCP packets
[28822] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 2049 alerts
[28822] 7/3/2014 -- 06:00:27 - (alert-unified2-alert.c:1304) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 2049 alerts
[28822] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 16018 requests
[28822] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 2866 transactions
[28822] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q0) Files logged: 14560
[28823] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q1) Treated: Pkts 11660640, Bytes 3153472683, Errors 0
[28823] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q1) Verdict: Accepted 11658503, Dropped 2137, Replaced 0
[28823] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 10506571 TCP packets
[28823] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 2049 alerts
[28823] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 18124 requests
[28823] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 24270 transactions
[28823] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q1) Files logged: 16165
[28824] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q2) Treated: Pkts 6532273, Bytes 1678083955, Errors 0
[28824] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q2) Verdict: Accepted 6530983, Dropped 1290, Replaced 2
[28824] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 4987976 TCP packets
[28824] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 2049 alerts
[28824] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 20543 requests
[28824] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 186 transactions
[28824] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q2) Files logged: 17380
[28825] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q3) Treated: Pkts 28523578, Bytes 23882900308, Errors 0
[28825] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q3) Verdict: Accepted 28521934, Dropped 1644, Replaced 0
[28825] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 24933254 TCP packets
[28825] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 2049 alerts
[28825] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 12778 requests
[28825] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 3727 transactions
[28825] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q3) Files logged: 11368
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 4 had a peak use of 478 segments, more than the prealloc setting of 256
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 16 had a peak use of 6280 segments, more than the prealloc setting of 512
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 112 had a peak use of 9525 segments, more than the prealloc setting of 512
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 248 had a peak use of 1931 segments, more than the prealloc setting of 512
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 512 had a peak use of 1374 segments, more than the prealloc setting of 512
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 1448 had a peak use of 1444 segments, more than the prealloc setting of 1024
[28660] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 65535 had a peak use of 362 segments, more than the prealloc setting of 128
[28660] 7/3/2014 -- 06:00:27 - (host.c:245) <Info> (HostPrintStats) -- host memory usage: 390144 bytes, maximum: 16777216
[5400] 7/3/2014 -- 06:00:27 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-intern/rules/emerging-icmp.rules
[28660] 7/3/2014 -- 06:00:27 - (detect.c:3868) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[5400] 7/3/2014 -- 06:00:31 - (detect.c:453) <Info> (SigLoadSignatures) -- 47 rule files processed. 14475 rules successfully loaded, 0 rules failed
[5400] 7/3/2014 -- 06:00:32 - (detect.c:2569) <Info> (SigAddressPrepareStage1) -- 14483 signatures processed. 1241 are IP-only rules, 3964 are inspecting packet payload, 10861 inspect application layer, 0 are decoder event only
[5400] 7/3/2014 -- 06:00:32 - (detect.c:2572) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[5400] 7/3/2014 -- 06:00:32 - (detect.c:3195) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[5400] 7/3/2014 -- 06:00:42 - (detect.c:3837) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[5400] 7/3/2014 -- 06:00:43 - (util-threshold-config.c:1202) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 24 rule(s) found
[5400] 7/3/2014 -- 06:00:43 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[5400] 7/3/2014 -- 06:00:43 - (util-privs.c:101) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[5400] 7/3/2014 -- 06:00:43 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[5400] 7/3/2014 -- 06:00:43 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:608) <Info> (RunModeInitializeOutputs) -- types 0x20efd30
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type alert
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type http
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type dns
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type tls
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type files
[5400] 7/3/2014 -- 06:00:43 - (output-json-file.c:325) <Info> (OutputFileLogInitSub) -- forcing magic lookup for logged files
[5400] 7/3/2014 -- 06:00:43 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type drop
[5400] 7/3/2014 -- 06:00:43 - (alert-unified2-alert.c:1443) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
[5400] 7/3/2014 -- 06:00:43 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[5400] 7/3/2014 -- 06:00:43 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- dns-log output device (regular) initialized: dns.log
[5400] 7/3/2014 -- 06:00:43 - (log-droplog.c:141) <Error> (LogDropLogInitCtx) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - only one 'drop' logger can be enabled
[5400] 7/3/2014 -- 06:00:43 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- file-log output device (regular) initialized: files-json.log
[5400] 7/3/2014 -- 06:00:43 - (log-file.c:365) <Info> (LogFileLogInitCtx) -- forcing magic lookup for logged files
[5544] 7/3/2014 -- 06:00:43 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 0 to queue '0'
[5544] 7/3/2014 -- 06:00:43 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5544] 7/3/2014 -- 06:00:43 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5544] 7/3/2014 -- 06:00:43 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5544] 7/3/2014 -- 06:00:43 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5545] 7/3/2014 -- 06:00:43 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 1 to queue '1'
[5545] 7/3/2014 -- 06:00:43 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5545] 7/3/2014 -- 06:00:43 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5545] 7/3/2014 -- 06:00:43 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5545] 7/3/2014 -- 06:00:43 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5546] 7/3/2014 -- 06:00:43 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 2 to queue '2'
[5546] 7/3/2014 -- 06:00:43 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5546] 7/3/2014 -- 06:00:43 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5546] 7/3/2014 -- 06:00:43 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5546] 7/3/2014 -- 06:00:43 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5547] 7/3/2014 -- 06:00:43 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 3 to queue '3'
[5547] 7/3/2014 -- 06:00:43 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5547] 7/3/2014 -- 06:00:43 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5547] 7/3/2014 -- 06:00:43 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5547] 7/3/2014 -- 06:00:43 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:373) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:389) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:395) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:401) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:418) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:440) <Info> (StreamTcpInitConfig) -- stream."inline": enabled
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:453) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:471) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:489) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:572) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2462
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:574) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2578
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp.c:587) <Info> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
[5400] 7/3/2014 -- 06:00:43 - (stream-tcp-reassemble.c:461) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
[5400] 7/3/2014 -- 06:00:43 - (tm-threads.c:2196) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 1 management threads initialized, engine started.
[5400] 7/3/2014 -- 09:09:37 - (suricata.c:2282) <Notice> (main) -- Signal Received. Stopping engine.
[5548] 7/3/2014 -- 09:09:37 - (flow-manager.c:561) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[5400] 7/3/2014 -- 09:09:37 - (suricata.c:1005) <Info> (SCPrintElapsedTime) -- time elapsed 11333.712s
[5544] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q0) Treated: Pkts 283545, Bytes 149980137, Errors 0
[5544] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q0) Verdict: Accepted 283163, Dropped 382, Replaced 0
[5544] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 816063 TCP packets
[5544] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1649 alerts
[5544] 7/3/2014 -- 09:09:37 - (alert-unified2-alert.c:1304) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 1649 alerts
[5544] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 1434 requests
[5544] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 517 transactions
[5544] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q0) Files logged: 1336
[5545] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q1) Treated: Pkts 2040584, Bytes 691576034, Errors 0
[5545] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q1) Verdict: Accepted 2040081, Dropped 503, Replaced 0
[5545] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 1992649 TCP packets
[5545] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1649 alerts
[5545] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 2009 requests
[5545] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 5166 transactions
[5545] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q1) Files logged: 1745
[5546] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q2) Treated: Pkts 893796, Bytes 258985393, Errors 0
[5546] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q2) Verdict: Accepted 893399, Dropped 397, Replaced 3
[5546] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 694078 TCP packets
[5546] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1649 alerts
[5546] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 2481 requests
[5546] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 466 transactions
[5546] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q2) Files logged: 2125
[5547] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q3) Treated: Pkts 3067183, Bytes 568197213, Errors 0
[5547] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q3) Verdict: Accepted 3066624, Dropped 559, Replaced 0
[5547] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 2383320 TCP packets
[5547] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1649 alerts
[5547] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 1926 requests
[5547] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 480 transactions
[5547] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q3) Files logged: 1693
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 4 had a peak use of 260 segments, more than the prealloc setting of 256
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 16 had a peak use of 4423 segments, more than the prealloc setting of 512
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 112 had a peak use of 6050 segments, more than the prealloc setting of 512
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 248 had a peak use of 1883 segments, more than the prealloc setting of 512
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 512 had a peak use of 1134 segments, more than the prealloc setting of 512
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 1448 had a peak use of 1118 segments, more than the prealloc setting of 1024
[5400] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 65535 had a peak use of 226 segments, more than the prealloc setting of 128
[5400] 7/3/2014 -- 09:09:37 - (host.c:245) <Info> (HostPrintStats) -- host memory usage: 390144 bytes, maximum: 16777216
[5400] 7/3/2014 -- 09:09:37 - (detect.c:3868) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
Here output logfile bridge1:
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-DMZ/suricata.yaml -q 4 -q 5 -q 6 -q 7 -l /nsm/sensor_data/Serrig-DMZ --runmode workers
[28821] 7/3/2014 -- 06:00:26 - (flow-manager.c:561) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[5374] 7/3/2014 -- 06:00:26 - (suricata.c:983) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev 00d2f2d)
[5374] 7/3/2014 -- 06:00:26 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 4
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2218) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-htp.c:2233) <Info> (HTPConfigSetDefaultsPhase2) -- 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
[5374] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:324) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[5374] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:336) <Info> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[5374] 7/3/2014 -- 06:00:26 - (app-layer-dns-udp.c:348) <Info> (DNSUDPConfigure) -- DNS global memcap: 16777216
[5374] 7/3/2014 -- 06:00:26 - (source-nfq.c:240) <Info> (NFQInitConfig) -- Enabling fail-open on queue
[5374] 7/3/2014 -- 06:00:26 - (source-nfq.c:277) <Info> (NFQInitConfig) -- NFQ running in standard ACCEPT/DROP mode
[5374] 7/3/2014 -- 06:00:26 - (defrag-hash.c:212) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[5374] 7/3/2014 -- 06:00:26 - (defrag-hash.c:237) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[5374] 7/3/2014 -- 06:00:26 - (defrag-hash.c:244) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 33554432
[5374] 7/3/2014 -- 06:00:26 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[5374] 7/3/2014 -- 06:00:26 - (tmqh-packetpool.c:142) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 3565568
[5374] 7/3/2014 -- 06:00:26 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[5374] 7/3/2014 -- 06:00:26 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[5374] 7/3/2014 -- 06:00:26 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[5374] 7/3/2014 -- 06:00:26 - (flow.c:391) <Info> (FlowInitConfig) -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
[5374] 7/3/2014 -- 06:00:26 - (flow.c:415) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 280
[5374] 7/3/2014 -- 06:00:26 - (flow.c:417) <Info> (FlowInitConfig) -- flow memory usage: 7074304 bytes, maximum: 33554432
[5374] 7/3/2014 -- 06:00:26 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[5374] 7/3/2014 -- 06:00:26 - (util-magic.c:62) <Info> (MagicInit) -- using magic-file /usr/share/file/magic
[5374] 7/3/2014 -- 06:00:26 - (suricata.c:1817) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[28633] 7/3/2014 -- 06:00:27 - (suricata.c:1005) <Info> (SCPrintElapsedTime) -- time elapsed 86386.453s
[28817] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q4) Treated: Pkts 728438, Bytes 595884518, Errors 0
[28817] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q4) Verdict: Accepted 726992, Dropped 1446, Replaced 0
[28817] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 4846656 TCP packets
[28817] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1336 alerts
[28817] 7/3/2014 -- 06:00:27 - (alert-unified2-alert.c:1304) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 1336 alerts
[28817] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 1298 requests
[28817] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 21164 transactions
[28817] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q4) Files logged: 1047
[28818] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q5) Treated: Pkts 7812589, Bytes 1535478871, Errors 0
[28818] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q5) Verdict: Accepted 7811414, Dropped 1175, Replaced 0
[28818] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 7694969 TCP packets
[28818] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1336 alerts
[28818] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 1154 requests
[28818] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 44157 transactions
[28818] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q5) Files logged: 1068
[28819] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q6) Treated: Pkts 3104586, Bytes 372709319, Errors 0
[28819] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q6) Verdict: Accepted 3102704, Dropped 1882, Replaced 0
[28819] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 3044332 TCP packets
[28819] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1336 alerts
[28819] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 1855 requests
[28819] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 23265 transactions
[28819] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q6) Files logged: 1416
[28820] 7/3/2014 -- 06:00:27 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q7) Treated: Pkts 9238311, Bytes 1116097404, Errors 0
[28820] 7/3/2014 -- 06:00:27 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q7) Verdict: Accepted 9236321, Dropped 1990, Replaced 0
[28820] 7/3/2014 -- 06:00:27 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 9133774 TCP packets
[28820] 7/3/2014 -- 06:00:27 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 1336 alerts
[28820] 7/3/2014 -- 06:00:27 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 2562 requests
[28820] 7/3/2014 -- 06:00:27 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 28468 transactions
[28820] 7/3/2014 -- 06:00:27 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q7) Files logged: 3436
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 16 had a peak use of 5786 segments, more than the prealloc setting of 512
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 112 had a peak use of 6027 segments, more than the prealloc setting of 512
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 248 had a peak use of 666 segments, more than the prealloc setting of 512
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 768 had a peak use of 1067 segments, more than the prealloc setting of 1024
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 1448 had a peak use of 2521 segments, more than the prealloc setting of 1024
[28633] 7/3/2014 -- 06:00:27 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 65535 had a peak use of 519 segments, more than the prealloc setting of 128
[28633] 7/3/2014 -- 06:00:27 - (host.c:245) <Info> (HostPrintStats) -- host memory usage: 390144 bytes, maximum: 16777216
[28633] 7/3/2014 -- 06:00:27 - (detect.c:3868) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[5374] 7/3/2014 -- 06:00:27 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-icmp.rules
[5374] 7/3/2014 -- 06:00:31 - (detect.c:453) <Info> (SigLoadSignatures) -- 47 rule files processed. 14481 rules successfully loaded, 0 rules failed
[5374] 7/3/2014 -- 06:00:32 - (detect.c:2569) <Info> (SigAddressPrepareStage1) -- 14489 signatures processed. 1241 are IP-only rules, 3968 are inspecting packet payload, 10863 inspect application layer, 0 are decoder event only
[5374] 7/3/2014 -- 06:00:32 - (detect.c:2572) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[5374] 7/3/2014 -- 06:00:32 - (detect.c:3195) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[5374] 7/3/2014 -- 06:00:40 - (detect.c:3837) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[5374] 7/3/2014 -- 06:00:41 - (util-threshold-config.c:384) <Warning> (SetupSuppressRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2221021, gid 1: unknown rule
[5374] 7/3/2014 -- 06:00:41 - (util-threshold-config.c:1202) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 26 rule(s) found
[5374] 7/3/2014 -- 06:00:41 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[5374] 7/3/2014 -- 06:00:41 - (util-privs.c:101) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[5374] 7/3/2014 -- 06:00:41 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[5374] 7/3/2014 -- 06:00:41 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:608) <Info> (RunModeInitializeOutputs) -- types 0x1cebd30
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type alert
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type http
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type dns
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type tls
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type files
[5374] 7/3/2014 -- 06:00:41 - (output-json-file.c:325) <Info> (OutputFileLogInitSub) -- forcing magic lookup for logged files
[5374] 7/3/2014 -- 06:00:41 - (runmodes.c:612) <Info> (RunModeInitializeOutputs) -- type drop
[5374] 7/3/2014 -- 06:00:41 - (alert-unified2-alert.c:1443) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename snort.unified2, limit 32 MB
[5374] 7/3/2014 -- 06:00:41 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[5374] 7/3/2014 -- 06:00:41 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- dns-log output device (regular) initialized: dns.log
[5374] 7/3/2014 -- 06:00:41 - (log-droplog.c:141) <Error> (LogDropLogInitCtx) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(240)] - only one 'drop' logger can be enabled
[5374] 7/3/2014 -- 06:00:41 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- file-log output device (regular) initialized: files-json.log
[5374] 7/3/2014 -- 06:00:41 - (log-file.c:365) <Info> (LogFileLogInitCtx) -- forcing magic lookup for logged files
[5538] 7/3/2014 -- 06:00:41 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 0 to queue '4'
[5538] 7/3/2014 -- 06:00:41 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5538] 7/3/2014 -- 06:00:41 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5538] 7/3/2014 -- 06:00:41 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5538] 7/3/2014 -- 06:00:41 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5539] 7/3/2014 -- 06:00:41 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 1 to queue '5'
[5539] 7/3/2014 -- 06:00:41 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5539] 7/3/2014 -- 06:00:41 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5539] 7/3/2014 -- 06:00:41 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5539] 7/3/2014 -- 06:00:41 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5540] 7/3/2014 -- 06:00:41 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 2 to queue '6'
[5540] 7/3/2014 -- 06:00:41 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5540] 7/3/2014 -- 06:00:41 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5540] 7/3/2014 -- 06:00:41 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5540] 7/3/2014 -- 06:00:41 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5541] 7/3/2014 -- 06:00:41 - (source-nfq.c:580) <Info> (NFQInitThread) -- binding this thread 3 to queue '7'
[5541] 7/3/2014 -- 06:00:41 - (source-nfq.c:602) <Info> (NFQInitThread) -- setting queue length to 4096
[5541] 7/3/2014 -- 06:00:41 - (source-nfq.c:615) <Info> (NFQInitThread) -- setting nfnl bufsize to 6144000
[5541] 7/3/2014 -- 06:00:41 - (source-nfq.c:379) <Info> (NFQMutexInit) -- NFQ running in 'workers' runmode, will not use mutex.
[5541] 7/3/2014 -- 06:00:41 - (source-nfq.c:653) <Info> (NFQInitThread) -- fail-open mode should be set on queue
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:373) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:389) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:395) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:401) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:418) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:440) <Info> (StreamTcpInitConfig) -- stream."inline": enabled
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:453) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:471) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:489) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:572) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2662
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:574) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2496
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp.c:587) <Info> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:425) <Info> (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
[5374] 7/3/2014 -- 06:00:41 - (stream-tcp-reassemble.c:461) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
[5374] 7/3/2014 -- 06:00:41 - (tm-threads.c:2196) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 1 management threads initialized, engine started.
[5374] 7/3/2014 -- 09:09:37 - (suricata.c:2282) <Notice> (main) -- Signal Received. Stopping engine.
[5542] 7/3/2014 -- 09:09:37 - (flow-manager.c:561) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[5374] 7/3/2014 -- 09:09:37 - (suricata.c:1005) <Info> (SCPrintElapsedTime) -- time elapsed 11335.628s
[5538] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q4) Treated: Pkts 183475, Bytes 95921861, Errors 0
[5538] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q4) Verdict: Accepted 183024, Dropped 451, Replaced 0
[5538] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 708626 TCP packets
[5538] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 101 alerts
[5538] 7/3/2014 -- 09:09:37 - (alert-unified2-alert.c:1304) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 101 alerts
[5538] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 248 requests
[5538] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 3372 transactions
[5538] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q4) Files logged: 227
[5539] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q5) Treated: Pkts 870985, Bytes 71718123, Errors 0
[5539] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q5) Verdict: Accepted 870842, Dropped 143, Replaced 0
[5539] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 851625 TCP packets
[5539] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 101 alerts
[5539] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 127 requests
[5539] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 8005 transactions
[5539] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q5) Files logged: 112
[5540] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q6) Treated: Pkts 403510, Bytes 55892257, Errors 0
[5540] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q6) Verdict: Accepted 403314, Dropped 196, Replaced 0
[5540] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 393857 TCP packets
[5540] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 101 alerts
[5540] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 836 requests
[5540] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 3937 transactions
[5540] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q6) Files logged: 559
[5541] 7/3/2014 -- 09:09:37 - (source-nfq.c:1004) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q7) Treated: Pkts 1907345, Bytes 102697256, Errors 0
[5541] 7/3/2014 -- 09:09:37 - (source-nfq.c:1006) <Notice> (ReceiveNFQThreadExitStats) -- (Worker-Q7) Verdict: Accepted 1907087, Dropped 258, Replaced 7
[5541] 7/3/2014 -- 09:09:37 - (stream-tcp.c:4621) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 1891734 TCP packets
[5541] 7/3/2014 -- 09:09:37 - (alert-fastlog.c:229) <Info> (AlertFastLogExitPrintStats) -- Fast log output wrote 101 alerts
[5541] 7/3/2014 -- 09:09:37 - (log-httplog.c:582) <Info> (LogHttpLogExitPrintStats) -- HTTP logger logged 348 requests
[5541] 7/3/2014 -- 09:09:37 - (log-dnslog.c:313) <Info> (LogDnsLogExitPrintStats) -- DNS logger logged 4722 transactions
[5541] 7/3/2014 -- 09:09:37 - (log-file.c:321) <Info> (LogFileLogExitPrintStats) -- (Worker-Q7) Files logged: 462
[5374] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 16 had a peak use of 4188 segments, more than the prealloc setting of 512
[5374] 7/3/2014 -- 09:09:37 - (stream-tcp-reassemble.c:502) <Info> (StreamTcpReassembleFree) -- TCP segment pool of size 112 had a peak use of 4543 segments, more than the prealloc setting of 512
[5374] 7/3/2014 -- 09:09:37 - (host.c:245) <Info> (HostPrintStats) -- host memory usage: 390144 bytes, maximum: 16777216
[5374] 7/3/2014 -- 09:09:37 - (detect.c:3868) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
More information about the Oisf-users
mailing list