[Oisf-users] suricata stops working

Pedro Neves pmneves at gmail.com
Tue Jul 21 12:53:07 UTC 2015


Hi,

I am new to Suricata.
My server info:
VM guest (using VirtualBox 5.0) with 1 GB RAM
   Ubuntu Server 14.04
   Suricata 2.0.8

It worked fine until yesterday.
Now it stops working a few seconds after I run it.
By "stops working" I mean:
   - it stops logging to fast.log
   - in stats.log I can see that almost every variable freezes (stays the same over time):
      decoder.pkts
      decoder.bytes
      ...

This happens with pcap live mode and with pf_ring (installed to check if it would solve the problem):

     LD_LIBRARY_PATH=/usr/local/lib        /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 -v --init-errors-fatal   # default mode

     LD_LIBRARY_PATH=/usr/local/pfring/lib /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow --runmode=autofp -v --init-errors-fatal   # pf_ring


When I kill the suricata process I get:
   19/7/2015 -- 07:36:07 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPcapeth01".  Killing engine

I get "RxPFR1" or "RxPcapeth01" depending on whether I am running in pf_ring mode or not.

When Suricata stops working, I can still see traffic on the card using tcpdump ("tcpdump -nni eth0 icmp").


I would appreciate any help.
Thanks,

Pedro
-------------- next part --------------
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:48:18 (uptime: 0d, 00h 00m 24s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 665
capture.kernel_drops      | RxPFR1                    | 0
dns.memuse                | RxPFR1                    | 1087
dns.memcap_state          | RxPFR1                    | 0
dns.memcap_global         | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 665
decoder.bytes             | RxPFR1                    | 383253
decoder.invalid           | RxPFR1                    | 0
decoder.ipv4              | RxPFR1                    | 645
decoder.ipv6              | RxPFR1                    | 4
decoder.ethernet          | RxPFR1                    | 665
decoder.raw               | RxPFR1                    | 0
decoder.sll               | RxPFR1                    | 0
decoder.tcp               | RxPFR1                    | 598
decoder.udp               | RxPFR1                    | 23
decoder.sctp              | RxPFR1                    | 0
decoder.icmpv4            | RxPFR1                    | 26
decoder.icmpv6            | RxPFR1                    | 0
decoder.ppp               | RxPFR1                    | 0
decoder.pppoe             | RxPFR1                    | 0
decoder.gre               | RxPFR1                    | 0
decoder.vlan              | RxPFR1                    | 0
decoder.vlan_qinq         | RxPFR1                    | 0
decoder.teredo            | RxPFR1                    | 0
decoder.ipv4_in_ipv6      | RxPFR1                    | 0
decoder.ipv6_in_ipv6      | RxPFR1                    | 0
decoder.avg_pkt_size      | RxPFR1                    | 576
decoder.max_pkt_size      | RxPFR1                    | 1514
defrag.ipv4.fragments     | RxPFR1                    | 0
defrag.ipv4.reassembled   | RxPFR1                    | 0
defrag.ipv4.timeouts      | RxPFR1                    | 0
defrag.ipv6.fragments     | RxPFR1                    | 0
defrag.ipv6.reassembled   | RxPFR1                    | 0
defrag.ipv6.timeouts      | RxPFR1                    | 0
defrag.max_frag_hits      | RxPFR1                    | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 7083232
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0




-------------------------------------------------------------------
Date: 7/20/2015 -- 06:07:27 (uptime: 0d, 03h 19m 33s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 734
capture.kernel_drops      | RxPFR1                    | 0
dns.memuse                | RxPFR1                    | 1087
dns.memcap_state          | RxPFR1                    | 0
dns.memcap_global         | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 759
decoder.bytes             | RxPFR1                    | 455498
decoder.invalid           | RxPFR1                    | 0
decoder.ipv4              | RxPFR1                    | 734
decoder.ipv6              | RxPFR1                    | 5
decoder.ethernet          | RxPFR1                    | 759
decoder.raw               | RxPFR1                    | 0
decoder.sll               | RxPFR1                    | 0
decoder.tcp               | RxPFR1                    | 674
decoder.udp               | RxPFR1                    | 33
decoder.sctp              | RxPFR1                    | 0
decoder.icmpv4            | RxPFR1                    | 30
decoder.icmpv6            | RxPFR1                    | 0
decoder.ppp               | RxPFR1                    | 0
decoder.pppoe             | RxPFR1                    | 0
decoder.gre               | RxPFR1                    | 0
decoder.vlan              | RxPFR1                    | 0
decoder.vlan_qinq         | RxPFR1                    | 0
decoder.teredo            | RxPFR1                    | 0
decoder.ipv4_in_ipv6      | RxPFR1                    | 0
decoder.ipv6_in_ipv6      | RxPFR1                    | 0
decoder.avg_pkt_size      | RxPFR1                    | 600
decoder.max_pkt_size      | RxPFR1                    | 1514
defrag.ipv4.fragments     | RxPFR1                    | 0
defrag.ipv4.reassembled   | RxPFR1                    | 0
defrag.ipv4.timeouts      | RxPFR1                    | 0
defrag.ipv6.fragments     | RxPFR1                    | 0
defrag.ipv6.reassembled   | RxPFR1                    | 0
defrag.ipv6.timeouts      | RxPFR1                    | 0
defrag.max_frag_hits      | RxPFR1                    | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 7085536
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0


-------------------------------------------------------------------
Date: 7/20/2015 -- 08:40:11 (uptime: 0d, 05h 52m 17s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 734
capture.kernel_drops      | RxPFR1                    | 0
dns.memuse                | RxPFR1                    | 1087
dns.memcap_state          | RxPFR1                    | 0
dns.memcap_global         | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 759
decoder.bytes             | RxPFR1                    | 455498
decoder.invalid           | RxPFR1                    | 0
decoder.ipv4              | RxPFR1                    | 734
decoder.ipv6              | RxPFR1                    | 5
decoder.ethernet          | RxPFR1                    | 759
decoder.raw               | RxPFR1                    | 0
decoder.sll               | RxPFR1                    | 0
decoder.tcp               | RxPFR1                    | 674
decoder.udp               | RxPFR1                    | 33
decoder.sctp              | RxPFR1                    | 0
decoder.icmpv4            | RxPFR1                    | 30
decoder.icmpv6            | RxPFR1                    | 0
decoder.ppp               | RxPFR1                    | 0
decoder.pppoe             | RxPFR1                    | 0
decoder.gre               | RxPFR1                    | 0
decoder.vlan              | RxPFR1                    | 0
decoder.vlan_qinq         | RxPFR1                    | 0
decoder.teredo            | RxPFR1                    | 0
decoder.ipv4_in_ipv6      | RxPFR1                    | 0
decoder.ipv6_in_ipv6      | RxPFR1                    | 0
decoder.avg_pkt_size      | RxPFR1                    | 600
decoder.max_pkt_size      | RxPFR1                    | 1514
defrag.ipv4.fragments     | RxPFR1                    | 0
defrag.ipv4.reassembled   | RxPFR1                    | 0
defrag.ipv4.timeouts      | RxPFR1                    | 0
defrag.ipv6.fragments     | RxPFR1                    | 0
defrag.ipv6.reassembled   | RxPFR1                    | 0
defrag.ipv6.timeouts      | RxPFR1                    | 0
defrag.max_frag_hits      | RxPFR1                    | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 7085536
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0



-------------- next part --------------
root at ronin01:~# /usr/local/bin/suricata  --build-info
This is Suricata version 2.0.8 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.4, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.17, linked against LibHTP v0.5.17
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     yes

Generic build parameters:
  Installation prefix (--prefix):          /usr/local
  Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
  Log directory (--localstatedir) :        /usr/local/var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
root at ronin01:~# /usr/local/bin/suricata  -V
This is Suricata version 2.0.8 RELEASE
root at ronin01:~# /usr/local/bin/suricata  --dump-config
21/7/2015 -- 05:03:57 - <Notice> - This is Suricata version 2.0.8 RELEASE
host-mode = auto
default-log-dir = /usr/local/var/log/suricata/
unix-command = (null)
unix-command.enabled = no
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.type = file
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.1 = http
outputs.1.eve-log.types.1.http = (null)
outputs.1.eve-log.types.1.http.extended = yes
outputs.1.eve-log.types.2 = dns
outputs.1.eve-log.types.3 = tls
outputs.1.eve-log.types.3.tls = (null)
outputs.1.eve-log.types.3.tls.extended = yes
outputs.1.eve-log.types.4 = files
outputs.1.eve-log.types.4.files = (null)
outputs.1.eve-log.types.4.files.force-magic = no
outputs.1.eve-log.types.4.files.force-md5 = no
outputs.1.eve-log.types.5 = ssh
outputs.2 = unified2-alert
outputs.2.unified2-alert = (null)
outputs.2.unified2-alert.enabled = yes
outputs.2.unified2-alert.filename = unified2.alert
outputs.2.unified2-alert.xff = (null)
outputs.2.unified2-alert.xff.enabled = no
outputs.2.unified2-alert.xff.mode = extra-data
outputs.2.unified2-alert.xff.header = X-Forwarded-For
outputs.3 = http-log
outputs.3.http-log = (null)
outputs.3.http-log.enabled = yes
outputs.3.http-log.filename = http.log
outputs.3.http-log.append = yes
outputs.4 = tls-log
outputs.4.tls-log = (null)
outputs.4.tls-log.enabled = no
outputs.4.tls-log.filename = tls.log
outputs.4.tls-log.append = yes
outputs.4.tls-log.certs-log-dir = certs
outputs.5 = dns-log
outputs.5.dns-log = (null)
outputs.5.dns-log.enabled = no
outputs.5.dns-log.filename = dns.log
outputs.5.dns-log.append = yes
outputs.6 = pcap-info
outputs.6.pcap-info = (null)
outputs.6.pcap-info.enabled = no
outputs.7 = pcap-log
outputs.7.pcap-log = (null)
outputs.7.pcap-log.enabled = no
outputs.7.pcap-log.filename = log.pcap
outputs.7.pcap-log.limit = 1000mb
outputs.7.pcap-log.max-files = 2000
outputs.7.pcap-log.mode = normal
outputs.7.pcap-log.use-stream-depth = no
outputs.8 = alert-debug
outputs.8.alert-debug = (null)
outputs.8.alert-debug.enabled = no
outputs.8.alert-debug.filename = alert-debug.log
outputs.8.alert-debug.append = yes
outputs.9 = alert-prelude
outputs.9.alert-prelude = (null)
outputs.9.alert-prelude.enabled = no
outputs.9.alert-prelude.profile = suricata
outputs.9.alert-prelude.log-packet-content = no
outputs.9.alert-prelude.log-packet-header = yes
outputs.10 = stats
outputs.10.stats = (null)
outputs.10.stats.enabled = yes
outputs.10.stats.filename = stats.log
outputs.10.stats.interval = 8
outputs.11 = syslog
outputs.11.syslog = (null)
outputs.11.syslog.enabled = no
outputs.11.syslog.facility = local5
outputs.12 = drop
outputs.12.drop = (null)
outputs.12.drop.enabled = no
outputs.12.drop.filename = drop.log
outputs.12.drop.append = yes
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
outputs.13.file-store.log-dir = files
outputs.13.file-store.force-magic = no
outputs.13.file-store.force-md5 = no
outputs.14 = file-log
outputs.14.file-log = (null)
outputs.14.file-log.enabled = no
outputs.14.file-log.filename = files-json.log
outputs.14.file-log.append = yes
outputs.14.file-log.force-magic = no
outputs.14.file-log.force-md5 = no
magic-file = /usr/share/file/magic
nfq =
nflog = (null)
nflog.0 = group
nflog.0.group = 2
nflog.0.buffer-size = 18432
nflog.1 = group
nflog.1.group = default
nflog.1.qthreshold = 1
nflog.1.qtimeout = 100
nflog.1.max-size = 20000
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.threads = 1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.0.use-mmap = yes
af-packet.1 = interface
af-packet.1.interface = eth1
af-packet.1.threads = 1
af-packet.1.cluster-id = 98
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.2 = interface
af-packet.2.interface = default
legacy = (null)
legacy.uricontent = enabled
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = medium
detect-engine.1 = custom-values
detect-engine.1.custom-values = (null)
detect-engine.1.custom-values.toclient-src-groups = 2
detect-engine.1.custom-values.toclient-dst-groups = 2
detect-engine.1.custom-values.toclient-sp-groups = 2
detect-engine.1.custom-values.toclient-dp-groups = 3
detect-engine.1.custom-values.toserver-src-groups = 2
detect-engine.1.custom-values.toserver-dst-groups = 4
detect-engine.1.custom-values.toserver-sp-groups = 2
detect-engine.1.custom-values.toserver-dp-groups = 25
detect-engine.2 = sgh-mpm-context
detect-engine.2.sgh-mpm-context = auto
detect-engine.3 = inspection-recursion-limit
detect-engine.3.inspection-recursion-limit = 3000
detect-engine.4 = rule-reload
detect-engine.4.rule-reload = true
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = decode-cpu-set
threading.cpu-affinity.2.decode-cpu-set = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 0
threading.cpu-affinity.2.decode-cpu-set.cpu.1 = 1
threading.cpu-affinity.2.decode-cpu-set.mode = balanced
threading.cpu-affinity.3 = stream-cpu-set
threading.cpu-affinity.3.stream-cpu-set = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-1
threading.cpu-affinity.4 = detect-cpu-set
threading.cpu-affinity.4.detect-cpu-set = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu.0 = all
threading.cpu-affinity.4.detect-cpu-set.mode = exclusive
threading.cpu-affinity.4.detect-cpu-set.prio = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0
threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.4.detect-cpu-set.prio.high = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.high.0 = 3
threading.cpu-affinity.4.detect-cpu-set.prio.default = medium
threading.cpu-affinity.5 = verdict-cpu-set
threading.cpu-affinity.5.verdict-cpu-set = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0
threading.cpu-affinity.5.verdict-cpu-set.prio = (null)
threading.cpu-affinity.5.verdict-cpu-set.prio.default = high
threading.cpu-affinity.6 = reject-cpu-set
threading.cpu-affinity.6.reject-cpu-set = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0
threading.cpu-affinity.6.reject-cpu-set.prio = (null)
threading.cpu-affinity.6.reject-cpu-set.prio.default = low
threading.cpu-affinity.7 = output-cpu-set
threading.cpu-affinity.7.output-cpu-set = (null)
threading.cpu-affinity.7.output-cpu-set.cpu = (null)
threading.cpu-affinity.7.output-cpu-set.cpu.0 = all
threading.cpu-affinity.7.output-cpu-set.prio = (null)
threading.cpu-affinity.7.output-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.5
cuda = (null)
cuda.mpm = (null)
cuda.mpm.data-buffer-size-min-limit = 0
cuda.mpm.data-buffer-size-max-limit = 1500
cuda.mpm.cudabuffer-buffer-size = 500mb
cuda.mpm.gpu-transfer-size = 50mb
cuda.mpm.batching-timeout = 2000
cuda.mpm.device-id = 0
cuda.mpm.cuda-streams = 2
mpm-algo = ac
pattern-matcher = (null)
pattern-matcher.0 = b2gc
pattern-matcher.0.b2gc = (null)
pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq
pattern-matcher.0.b2gc.hash-size = low
pattern-matcher.0.b2gc.bf-size = medium
pattern-matcher.1 = b2gm
pattern-matcher.1.b2gm = (null)
pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq
pattern-matcher.1.b2gm.hash-size = low
pattern-matcher.1.b2gm.bf-size = medium
pattern-matcher.2 = b2g
pattern-matcher.2.b2g = (null)
pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq
pattern-matcher.2.b2g.hash-size = low
pattern-matcher.2.b2g.bf-size = medium
pattern-matcher.3 = b3g
pattern-matcher.3.b3g = (null)
pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq
pattern-matcher.3.b3g.hash-size = low
pattern-matcher.3.b3g.bf-size = medium
pattern-matcher.4 = wumanber
pattern-matcher.4.wumanber = (null)
pattern-matcher.4.wumanber.hash-size = low
pattern-matcher.4.wumanber.bf-size = medium
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 64mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 3600
flow-timeouts.tcp.closed = 120
flow-timeouts.tcp.emergency-new = 10
flow-timeouts.tcp.emergency-established = 300
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
stream = (null)
stream.memcap = 32mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 128mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 16777216
logging = (null)
logging.default-log-level = notice
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = no
logging.outputs.1.file.filename = /var/log/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
mpipe = (null)
mpipe.load-balance = dynamic
mpipe.iqueue-packets = 2048
mpipe.inputs = (null)
mpipe.inputs.0 = interface
mpipe.inputs.0.interface = xgbe2
mpipe.inputs.1 = interface
mpipe.inputs.1.interface = xgbe3
mpipe.inputs.2 = interface
mpipe.inputs.2.interface = xgbe4
mpipe.stack = (null)
mpipe.stack.size128 = 0
mpipe.stack.size256 = 9
mpipe.stack.size512 = 0
mpipe.stack.size1024 = 0
mpipe.stack.size1664 = 7
mpipe.stack.size4096 = 0
mpipe.stack.size10386 = 0
mpipe.stack.size16384 = 0
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 1
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
ipfw =
default-rule-path = /usr/local/etc/suricata/rules
rule-files = (null)
rule-files.0 = botcc.rules
rule-files.1 = ciarmy.rules
rule-files.2 = compromised.rules
rule-files.3 = drop.rules
rule-files.4 = dshield.rules
rule-files.5 = emerging-activex.rules
rule-files.6 = emerging-attack_response.rules
rule-files.7 = emerging-chat.rules
rule-files.8 = emerging-current_events.rules
rule-files.9 = emerging-dns.rules
rule-files.10 = emerging-dos.rules
rule-files.11 = emerging-exploit.rules
rule-files.12 = emerging-ftp.rules
rule-files.13 = emerging-games.rules
rule-files.14 = emerging-icmp_info.rules
rule-files.15 = emerging-imap.rules
rule-files.16 = emerging-inappropriate.rules
rule-files.17 = emerging-malware.rules
rule-files.18 = emerging-misc.rules
rule-files.19 = emerging-mobile_malware.rules
rule-files.20 = emerging-netbios.rules
rule-files.21 = emerging-p2p.rules
rule-files.22 = emerging-policy.rules
rule-files.23 = emerging-pop3.rules
rule-files.24 = emerging-rpc.rules
rule-files.25 = emerging-scada.rules
rule-files.26 = emerging-scan.rules
rule-files.27 = emerging-shellcode.rules
rule-files.28 = emerging-smtp.rules
rule-files.29 = emerging-snmp.rules
rule-files.30 = emerging-sql.rules
rule-files.31 = emerging-telnet.rules
rule-files.32 = emerging-tftp.rules
rule-files.33 = emerging-trojan.rules
rule-files.34 = emerging-user_agents.rules
rule-files.35 = emerging-voip.rules
rule-files.36 = emerging-web_client.rules
rule-files.37 = emerging-web_server.rules
rule-files.38 = emerging-web_specific_apps.rules
rule-files.39 = emerging-worm.rules
rule-files.40 = files.rules
rule-files.41 = icmp.rules
rule-files.42 = tor.rules
rule-files.43 = decoder-events.rules
rule-files.44 = stream-events.rules
rule-files.45 = http-events.rules
rule-files.46 = smtp-events.rules
rule-files.47 = dns-events.rules
rule-files.48 = tls-events.rules
classification-file = /usr/local/etc/suricata/classification.config
reference-config-file = /usr/local/etc/suricata/reference.config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
action-order = (null)
action-order.0 = pass
action-order.1 = drop
action-order.2 = reject
action-order.3 = alert
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.linux.0 = 10.0.0.0/8
host-os-policy.linux.1 = 192.168.1.100
host-os-policy.linux.2 = 8762:2352:6241:7245:E000:0000:0000:0000
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.solaris.0 = ::1
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
asn1-max-frames = 256
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.msn = (null)
app-layer.protocols.msn.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 1mb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 1mb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config =
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = keyword_perf.log
profiling.keywords.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
coredump = (null)
coredump.max-dump = unlimited
napatech = (null)
napatech.hba = -1
napatech.use-all-streams = yes
napatech.streams = (null)
napatech.streams.0 = 1
napatech.streams.1 = 2
napatech.streams.2 = 3
root at ronin01:~#
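An added example, not code from the post or from the Suricata project: it parses stats.log intervals in the layout attached above and flags a receive thread whose capture.kernel_packets and decoder.pkts counters stop advancing between intervals, which is the symptom described in the post. The embedded log is constructed to mirror the shape of the attached dumps; the choice of liveness counters and the min_gap_seconds threshold are my assumptions.

```python
"""Detect a stalled Suricata capture thread from stats.log intervals."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the stats.log layout of Suricata 2.0.x: counters
# advance between the first two intervals, then freeze (as in the post).
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/20/2015 -- 02:48:18 (uptime: 0d, 00h 00m 24s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 665
capture.kernel_drops      | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 665
decoder.bytes             | RxPFR1                    | 383253
flow.memuse               | FlowManagerThread         | 7083232
-------------------------------------------------------------------
Date: 7/20/2015 -- 06:07:27 (uptime: 0d, 03h 19m 33s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 734
capture.kernel_drops      | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 759
decoder.bytes             | RxPFR1                    | 455498
flow.memuse               | FlowManagerThread         | 7085536
-------------------------------------------------------------------
Date: 7/20/2015 -- 08:40:11 (uptime: 0d, 05h 52m 17s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPFR1                    | 734
capture.kernel_drops      | RxPFR1                    | 0
decoder.pkts              | RxPFR1                    | 759
decoder.bytes             | RxPFR1                    | 455498
flow.memuse               | FlowManagerThread         | 7085536
"""

# "Date: ... (uptime: 0d, 03h 19m 33s)" header of each interval
HEADER_RE = re.compile(
    r"^Date: (?P<date>.+?) \(uptime: (?P<d>\d+)d, (?P<h>\d+)h (?P<m>\d+)m (?P<s>\d+)s\)$"
)
# "counter | thread name | value" rows; the column-title row does not match
ROW_RE = re.compile(r"^(?P<counter>[\w.]+)\s*\|\s*(?P<tm>\S+)\s*\|\s*(?P<value>\d+)$")

# (uptime in seconds, {(counter, thread): value})
Interval = Tuple[int, Dict[Tuple[str, str], int]]


def parse_stats_log(text: str) -> List[Interval]:
    """Split a stats.log into per-interval snapshots keyed by (counter, thread)."""
    intervals: List[Interval] = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            uptime = (int(m["d"]) * 86400 + int(m["h"]) * 3600
                      + int(m["m"]) * 60 + int(m["s"]))
            current = {}
            intervals.append((uptime, current))
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            current[(m["counter"], m["tm"])] = int(m["value"])
    return intervals


# Assumed liveness counters: these must keep moving while traffic is on the wire.
LIVENESS_COUNTERS = ("capture.kernel_packets", "decoder.pkts")


def find_stalls(intervals: List[Interval], min_gap_seconds: int = 60) -> List[dict]:
    """Report consecutive intervals in which every liveness counter of a
    receive thread is unchanged although more than min_gap_seconds elapsed."""
    stalls = []
    for (t_prev, prev), (t_cur, cur) in zip(intervals, intervals[1:]):
        if t_cur - t_prev < min_gap_seconds:
            continue  # too short a window to call it a stall
        threads = {tm for (name, tm) in cur if name in LIVENESS_COUNTERS}
        for tm in sorted(threads):
            keys = [(name, tm) for name in LIVENESS_COUNTERS if (name, tm) in cur]
            if keys and all(cur[k] == prev.get(k) for k in keys):
                stalls.append({
                    "thread": tm,
                    "from_uptime": t_prev,
                    "to_uptime": t_cur,
                    "frozen": {name: cur[(name, tm)] for name, _ in keys},
                })
    return stalls


if __name__ == "__main__":
    for stall in find_stalls(parse_stats_log(SAMPLE_STATS_LOG)):
        print(f"{stall['thread']}: no new packets between uptime {stall['from_uptime']}s "
              f"and {stall['to_uptime']}s; frozen counters {stall['frozen']}")
```

Pointing parse_stats_log at a real stats.log (with interval = 8 as in the attached config) gives a snapshot every 8 seconds, so a stall shows up within a minute or two of the capture thread hanging.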

