[Oisf-users] Really large log files

Duarte Silva duarte.silva at serializing.me
Wed Apr 22 08:46:45 UTC 2015


On Tuesday 21 April 2015 15:56:40 James Moe wrote:
> suricata v2.0.7
> linux v3.16.7-7-desktop x86_64
> 
>   I ran suricata for 17 hours. It ended with the log files shown below.
>   Some questions:
> 1. 1.1GB? In less than a day?
> 2. What app is used to view the unified2.alert.xxx files?
> 3. In <fast.log> 99% of the entries are one of three shown below. How
> do I indicate to suricata that those are "known good errors"?
> 
>  122M Apr  3 10:09 fast.log
>  232K Apr  3 10:09 http.log
>   34M Apr  3 10:09 stats.log
>   33M Apr  3 04:09 unified2.alert.1428017896
>   33M Apr  3 04:09 unified2.alert.1428059369
> -- 24 more like these --
>   33M Apr  3 04:13 unified2.alert.1428059583
>   33M Apr  3 09:17 unified2.alert.1428059592
>  5.0M Apr  3 10:09 unified2.alert.1428077856
> 
> 04/03/2015-10:08:27.470956  [**] [1:2210045:1] SURICATA STREAM Packet
> with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP}
> 192.168.69.115:969 -> 192.168.69.245:2049
> 
> 04/03/2015-10:08:27.471467  [**] [1:2210044:1] SURICATA STREAM Packet
> with invalid timestamp [**] [Classification: (null)] [Priority: 3]
> {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
> 
> 04/03/2015-10:08:30.343623  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF
> FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00
> 02 43 05 43 05 31 DC ]
> 
> 
> 
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

Try to disable the "*-events.rules" files in your suricata yaml file :)
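Before switching off whole rule files, it helps to measure which signatures actually dominate fast.log. The following added Python script (not from the thread or the Suricata project) parses the fast.log line format quoted above, counts entries per SID, and reports what share comes from the built-in engine-event rules, identified here by the assumption that their messages begin with "SURICATA "; the sample lines are constructed from the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the fast.log lines quoted in the post.
SAMPLE_FAST_LOG = """\
04/03/2015-10:08:27.470956  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049
04/03/2015-10:08:27.471467  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
04/03/2015-10:08:30.343623  [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00 02 43 05 43 05 31 DC ]
04/03/2015-10:08:31.000001  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049
"""

# Timestamp, [gid:sid:rev], message, classification, priority, then an
# optional "{proto} src -> dst" tail (decoder events such as the VLAN
# alert carry a raw packet dump instead of addresses).
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)


def parse_fast_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    return rec


def is_engine_event(msg):
    # Assumption: alerts from the *-events.rules files all carry a "SURICATA " prefix.
    return msg.startswith("SURICATA ")


def summarize(text, top=10):
    """Count parsed entries per (sid, msg); return (total, top_n list)."""
    counts = Counter()
    total = 0
    for line in text.splitlines():
        rec = parse_fast_line(line)
        if rec:
            total += 1
            counts[(rec["sid"], rec["msg"])] += 1
    return total, counts.most_common(top)


def engine_event_share(text):
    """Fraction of parsed entries generated by engine-event rules (0.0 if none parse)."""
    recs = [r for r in map(parse_fast_line, text.splitlines()) if r]
    return sum(is_engine_event(r["msg"]) for r in recs) / len(recs) if recs else 0.0


if __name__ == "__main__":
    total, top = summarize(SAMPLE_FAST_LOG)
    print(f"{total} alerts, engine-event share {engine_event_share(SAMPLE_FAST_LOG):.0%}")
    for (sid, msg), n in top:
        print(f"{n:6d}  sid {sid}  {msg}")
```

Run it against a real fast.log with `summarize(open("fast.log").read())`; a high engine-event share is the signal that the noise comes from the *-events.rules files rather than from the threat signatures.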



