[Oisf-users] Really large log files
James Moe
jimoe at sohnen-moe.com
Tue Apr 21 22:56:40 UTC 2015
suricata v2.0.7
linux v3.16.7-7-desktop x86_64
I ran suricata for 17 hours. It ended with the log files shown below.
Some questions:
1. 1.1GB? In less than a day?
2. What app is used to view the unified2.alert.xxx files?
3. In <fast.log> 99% of the entries are one of the three shown below. How
do I indicate to suricata that those are "known good errors"?
122M Apr 3 10:09 fast.log
232K Apr 3 10:09 http.log
34M Apr 3 10:09 stats.log
33M Apr 3 04:09 unified2.alert.1428017896
33M Apr 3 04:09 unified2.alert.1428059369
-- 24 more like these --
33M Apr 3 04:13 unified2.alert.1428059583
33M Apr 3 09:17 unified2.alert.1428059592
5.0M Apr 3 10:09 unified2.alert.1428077856
04/03/2015-10:08:27.470956 [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049
04/03/2015-10:08:27.471467 [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
04/03/2015-10:08:30.343623 [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00 02 43 05 43 05 31 DC ]
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
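The third question above (which alerts dominate fast.log, and how to tell Suricata they are expected) is easiest to answer with a quick tally by signature id. The script below is an added example written for this page; it is not the poster's code nor part of Suricata. It parses the fast.log line format (including the decoder-event variant that carries a "[Raw pkt: ...]" dump instead of a 5-tuple), counts records per gid/sid, flags the signatures that account for more than a given share of the file, and emits matching threshold.config "suppress" entries. The sample log is constructed: the first three lines are the post's own entries re-joined onto single lines, the rest are made up (sid 9000001 and the 203.0.113.5 address are placeholders).

```python
import re
from collections import Counter

# One Suricata fast.log record. The {PROTO} src:port -> dst:port tail is
# optional: decoder-level events such as "SURICATA VLAN unknown type" print
# a "[Raw pkt: ...]" hex dump there instead, so the regex must not require it.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+))?"
)

# Constructed sample: lines 1-3 are the post's entries re-joined onto one
# line each; lines 4-6 are invented to give the tally something to rank.
SAMPLE_FAST_LOG = """\
04/03/2015-10:08:27.470956  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049
04/03/2015-10:08:27.471467  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
04/03/2015-10:08:30.343623  [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00 02 43 05 43 05 31 DC ]
04/03/2015-10:08:31.000001  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049
04/03/2015-10:08:32.000002  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:970 -> 192.168.69.245:2049
04/03/2015-10:08:33.000003  [**] [1:9000001:1] CONSTRUCTED sample alert [**] [Classification: Misc activity] [Priority: 1] {TCP} 192.168.69.10:51234 -> 203.0.113.5:443
"""


def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def count_by_signature(lines):
    """Tally records per (gid, sid, msg); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is not None:
            counts[(rec["gid"], rec["sid"], rec["msg"])] += 1
    return counts


def noisy_signatures(counts, min_share=0.20):
    """Signatures responsible for at least min_share of all parsed records, busiest first."""
    total = sum(counts.values())
    if total == 0:
        return []
    return [(gid, sid, msg, n)
            for (gid, sid, msg), n in counts.most_common()
            if n / total >= min_share]


def suppress_config(noisy):
    """Render threshold.config 'suppress' entries for the given signatures.

    'suppress gen_id <gid>, sig_id <sid>' is the documented threshold.config
    form; it stops the alert being logged without changing how the stream
    engine treats the traffic, so the underlying condition is still worth a
    look (here, NFS traffic on port 2049 tripping stream-engine checks).
    """
    out = []
    for gid, sid, msg, n in noisy:
        out.append("# %s (%d records)" % (msg, n))
        out.append("suppress gen_id %d, sig_id %d" % (gid, sid))
    return "\n".join(out)


if __name__ == "__main__":
    # Point this at a real fast.log with: count_by_signature(open("/var/log/suricata/fast.log"))
    counts = count_by_signature(SAMPLE_FAST_LOG.splitlines())
    for (gid, sid, msg), n in counts.most_common():
        print("%6d  [%d:%d] %s" % (n, gid, sid, msg))
    print()
    print(suppress_config(noisy_signatures(counts)))
```

Signature ids in the 2200000 and 2210000 ranges belong to Suricata's own decoder-events.rules and stream-events.rules, which is why they show "[Classification: (null)]"; the same tally works for any ruleset, and lowering min_share widens the list of candidates to review.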