[Oisf-users] Really large log files

Peter Manev petermanev at gmail.com
Wed Apr 22 16:03:23 UTC 2015


On Wed, Apr 22, 2015 at 10:46 AM, Duarte Silva
<duarte.silva at serializing.me> wrote:
> On Tuesday 21 April 2015 15:56:40 James Moe wrote:
>> suricata v2.0.7
>> linux v3.16.7-7-desktop x86_64
>>
>>   I ran suricata for 17 hours. It ended with the log files shown below.
>>   Some questions:
>> 1. 1.1GB? In less than a day?
>> 2. What app is used to view the unified2.alert.xxx files?
>> 3. In <fast.log> 99% of the entries are one of three shown below. How
>> do I indicate to suricata that those are "known good errors"?
>>
>>  122M Apr  3 10:09 fast.log
>>  232K Apr  3 10:09 http.log
>>   34M Apr  3 10:09 stats.log
>>   33M Apr  3 04:09 unified2.alert.1428017896
>>   33M Apr  3 04:09 unified2.alert.1428059369
>> -- 24 more like these --
>>   33M Apr  3 04:13 unified2.alert.1428059583
>>   33M Apr  3 09:17 unified2.alert.1428059592
>>  5.0M Apr  3 10:09 unified2.alert.1428077856
>>
>> 04/03/2015-10:08:27.470956  [**] [1:2210045:1] SURICATA STREAM Packet
>> with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP}
>> 192.168.69.115:969 -> 192.168.69.245:2049
>>
>> 04/03/2015-10:08:27.471467  [**] [1:2210044:1] SURICATA STREAM Packet
>> with invalid timestamp [**] [Classification: (null)] [Priority: 3]
>> {TCP} 192.168.69.245:2049 -> 192.168.69.115:969
>>
>> 04/03/2015-10:08:30.343623  [**] [1:2200067:1] SURICATA VLAN unknown
>> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF
>> FF FF FF FF AC 86 74 02 1C 2F 81 00 03 E6 08 06 00 01 08 00 06 04 00
>> 02 43 05 43 05 31 DC ]
>>
>>
>>
>> --
>> James Moe
>> moe dot james at sohnen-moe dot com
>> 520.743.3936
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
> Try to disable the "*-events.rules" files in your suricata yaml file :)

stream-events are most likely the noisiest .. I suspect (could be
different in your case though)

>



-- 
Regards,
Peter Manev
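An added helper, not code from the thread or from the Suricata project, that tallies a fast.log by signature and by engine-event family so you can see which *-events.rules file produces the volume before deciding what to disable. The sample lines are constructed from the three entries quoted above plus one made-up non-engine alert; splitting families on the "SURICATA <WORD>" message prefix is a heuristic assumption, and the threshold.config suppress lines are an alternative to disabling a whole rule file.

```python
import re
from collections import Counter

# Constructed sample: the three entries from the thread, repeated with
# different counts, plus one made-up non-engine alert (sid 9000001).
SAMPLE_FAST_LOG = (
    "04/03/2015-10:08:27.470956  [**] [1:2210045:1] SURICATA STREAM Packet with invalid ack "
    "[**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.115:969 -> 192.168.69.245:2049\n"
) * 5 + (
    "04/03/2015-10:08:27.471467  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp "
    "[**] [Classification: (null)] [Priority: 3] {TCP} 192.168.69.245:2049 -> 192.168.69.115:969\n"
) * 3 + (
    "04/03/2015-10:08:30.343623  [**] [1:2200067:1] SURICATA VLAN unknown type "
    "[**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF FF FF FF AC 86 74 02 ]\n"
) * 2 + (
    "04/03/2015-10:09:01.000000  [**] [1:9000001:1] CONSTRUCTED non-engine sample alert "
    "[**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234\n"
)

# One fast.log alert: timestamp, [gid:sid:rev], then the msg up to the next [**].
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_fast_log(text):
    """Yield (timestamp, gid, sid, rev, msg) for each well-formed alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts, gid, sid, rev, msg = m.groups()
            yield ts, int(gid), int(sid), int(rev), msg


def rule_family(msg):
    """Heuristic (assumption): engine events read 'SURICATA <FAMILY> ...',
    e.g. STREAM for stream-events.rules, VLAN for decoder-events.rules."""
    parts = msg.split()
    return parts[1] if len(parts) >= 2 and parts[0] == "SURICATA" else "other"


def top_signatures(text, n=10):
    """Most frequent (gid, sid, msg) tuples, highest count first (n=None for all)."""
    counts = Counter((gid, sid, msg) for _, gid, sid, _, msg in parse_fast_log(text))
    return counts.most_common(n)


def family_counts(text):
    """Alert volume per engine-event family: shows which *-events.rules file dominates."""
    return Counter(rule_family(msg) for *_, msg in parse_fast_log(text))


def suppress_lines(text, min_count):
    """threshold.config 'suppress' entries for signatures firing at least min_count times."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid, _), c in top_signatures(text, n=None) if c >= min_count]
```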
