[Oisf-users] Really large log files
Duarte Silva
duarte.silva at serializing.me
Wed Apr 22 08:46:45 UTC 2015
On Tuesday 21 April 2015 15:56:40 James Moe wrote:
> suricata v2.0.7
> linux v3.16.7-7-desktop x86_64
>
> I ran suricata for 17 hours. It ended with the log files shown below.
> Some questions:
> 1. 1.1GB? In less than a day?
> 2. What app is used to view the unified2.alert.xxx files?
> 3. In <fast.log> 99% of the entries are one of three shown below. How
> do I indicate to suricata that those are "known good errors"?
>
> 122M Apr 3 10:09 fast.log
> 232K Apr 3 10:09 http.log
> 34M Apr 3 10:09 stats.log
> 33M Apr 3 04:09 unified2.alert.1428017896
> 33M Apr 3 04:09 unified2.alert.1428059369
> -- 24 more like these --
> 33M Apr 3 04:13 unified2.alert.1428059583
> 33M Apr 3 09:17 unified2.alert.1428059592
> 5.0M Apr 3 10:09 unified2.alert.1428077856
>
> 04/03/2015-10:08:27.470956 [**] [1:2210045:1] SURICATA STREAM Packet
> with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP}
> 192.168.69.115:969 -> 192.168.69.245:2049
>
> 04/03/2015-10:08:27.471467 [**] [1:2210044:1] SURICATA STREAM Packet
> with invalid timestamp [**] [Classification: (null)] [Priority: 3]
> {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
>
> 04/03/2015-10:08:30.343623 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF
> FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00
> 02 43 05 43 05 31 DC ]
>
>
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
Try to disable the "*-events.rules" files in your suricata yaml file :)
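Before disabling whole rule files, it helps to measure which signatures actually dominate fast.log. The following is an added example, not code from the thread or from the Suricata project: a small parser for the fast.log line format shown in the quoted message, with a counter that reports the top signatures and how much of the volume comes from Suricata's own engine-event signatures (the ones loaded from the "*-events.rules" files). It assumes those signatures can be recognised by a message starting with "SURICATA ", and the sample input is reconstructed from the wrapped lines in the quoted mail, duplicated to give something to count, plus one constructed non-engine alert for contrast.

```python
import re
from collections import Counter

# Regex for Suricata fast.log alert lines. Decoder events such as the VLAN alert
# in the thread carry no "{proto} src -> dst" tail, so that part is optional.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] \[Classification: (?P<cls>[^\]]*)\] "
    r"\[Priority: (?P<prio>\d+)\]"
    r"(?: \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+))?"
)

# Sample log: the three alerts from the thread (re-joined into single lines, as
# they appear in a real fast.log) repeated 3/2/1 times, plus one constructed
# non-engine alert so the engine-event share is not trivially 100%.
STREAM_ACK = ("04/03/2015-10:08:27.470956 [**] [1:2210045:1] SURICATA STREAM Packet "
              "with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} "
              "192.168.69.115:969 -> 192.168.69.245:2049")
STREAM_TS = ("04/03/2015-10:08:27.471467 [**] [1:2210044:1] SURICATA STREAM Packet "
             "with invalid timestamp [**] [Classification: (null)] [Priority: 3] "
             "{TCP} 192.168.69.245:2049 -> 192.168.69.115:969")
VLAN_UNKNOWN = ("04/03/2015-10:08:30.343623 [**] [1:2200067:1] SURICATA VLAN unknown "
                "type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF "
                "FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00 "
                "02 43 05 43 05 31 DC ]")
# Constructed line (not from the thread) shaped like a normal ruleset alert.
OTHER_ALERT = ("04/03/2015-10:09:00.000000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id "
               "check returned root [**] [Classification: Potentially Bad Traffic] "
               "[Priority: 2] {TCP} 192.168.69.245:80 -> 192.168.69.115:40000")
SAMPLE_FAST_LOG = [STREAM_ACK] * 3 + [STREAM_TS] * 2 + [VLAN_UNKNOWN, OTHER_ALERT]


def parse_fast_log_line(line):
    """Return a dict of the alert's fields, or None for lines that do not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    return rec


def signature_counts(lines):
    """Count alerts per (sid, msg); unparseable lines are skipped, not counted."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is not None:
            counts[(rec["sid"], rec["msg"])] += 1
    return counts


def top_signatures(lines, n=3):
    """Top-n signatures as (sid, msg, count, percent_of_all_alerts)."""
    counts = signature_counts(lines)
    total = sum(counts.values())
    return [(sid, msg, c, round(100.0 * c / total, 1))
            for (sid, msg), c in counts.most_common(n)]


def engine_event_share(lines):
    """(engine_event_alerts, total_alerts). Assumption: engine-event signatures
    from the *-events.rules files all have a message beginning with 'SURICATA '."""
    counts = signature_counts(lines)
    total = sum(counts.values())
    engine = sum(c for (_, msg), c in counts.items() if msg.startswith("SURICATA "))
    return engine, total


if __name__ == "__main__":
    for sid, msg, c, pct in top_signatures(SAMPLE_FAST_LOG):
        print(f"{c:6d} {pct:5.1f}%  sid={sid}  {msg}")
    engine, total = engine_event_share(SAMPLE_FAST_LOG)
    print(f"engine-event alerts: {engine}/{total}")
```

Run it against a real file by replacing `SAMPLE_FAST_LOG` with `open("fast.log")`. If nearly all of the volume is engine events, the suggestion above (not loading the "*-events.rules" files in suricata.yaml) removes it; if specific signatures from other rule files dominate instead, tune those individually rather than dropping whole files.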