[Oisf-users] Problem when testing Suricata on an ARMv7 based board

Mahdi Aichouch foxmehdi at gmail.com
Wed Nov 25 13:48:50 UTC 2015


Hello,

Thank you Peter for your answer.

>judging by the output above - for 19 min you have seen 0 packets on
>that sniffing interface - is that really the case?

That's it, this is what I get after running Suricata in my first test.

However, knowing that there are no HTTP packets sent to or received
from the embedded Linux running on the board, I added the rule below to the
/etc/suricata/rules/http.log rules file to catch simple packets sent to
the board using a ping:

alert icmp any any -> 10.8.33.200 any (msg:"ICMP packet detected";
sid:2250010; rev:1;)

After that, I executed a ping command from my host.

$> ping -c3 10.8.33.200
PING 10.8.33.200 (10.8.33.200) 56(84) bytes of data.
64 bytes from 10.8.33.200: icmp_req=1 ttl=64 time=0.233 ms
64 bytes from 10.8.33.200: icmp_req=2 ttl=64 time=0.262 ms
64 bytes from 10.8.33.200: icmp_req=3 ttl=64 time=0.225 ms

--- 10.8.33.200 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.225/0.240/0.262/0.015 ms

Then I checked /tmp/suricata/fast.log and got the following results:

/ # tail /tmp/suricata/fast.log

01/01/1970-00:09:06.832000  [**] [1:2250010:1] ICMP packet detected [**]
[Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:09:11.619000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
[**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
01/01/1970-00:09:11.619000  [**] [1:2200094:1] SURICATA zero length padN
option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
01/01/1970-00:09:11.619000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
[**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
01/01/1970-00:09:11.619000  [**] [1:2200094:1] SURICATA zero length padN
option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
01/01/1970-00:09:11.620000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
[**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
01/01/1970-00:09:11.620000  [**] [1:2200094:1] SURICATA zero length padN
option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
01/01/1970-00:10:39.811000  [**] [1:2250010:1] ICMP packet detected [**]
[Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:10:40.811000  [**] [1:2250010:1] ICMP packet detected [**]
[Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:10:41.811000  [**] [1:2250010:1] ICMP packet detected [**]
[Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0

As we can see, there are three packets detected by Suricata.

Then, after looking at the stats, I get these results:

/ # tail /tmp/suricata/stats.log

/ # tail -n 50 /tmp/suricata/stats.log
decoder.icmpv4            | Total                     | 27
decoder.icmpv6            | Total                     | 440
decoder.ppp               | Total                     | 0
decoder.pppoe             | Total                     | 0
decoder.gre               | Total                     | 0
decoder.vlan              | Total                     | 0
decoder.vlan_qinq         | Total                     | 0
decoder.teredo            | Total                     | 0
decoder.ipv4_in_ipv6      | Total                     | 0
decoder.ipv6_in_ipv6      | Total                     | 0
decoder.mpls              | Total                     | 0
decoder.avg_pkt_size      | Total                     | 142
decoder.max_pkt_size      | Total                     | 1506
decoder.erspan            | Total                     | 0
flow.memcap               | Total                     | 0
defrag.ipv4.fragments     | Total                     | 0
defrag.ipv4.reassembled   | Total                     | 0
defrag.ipv4.timeouts      | Total                     | 0
defrag.ipv6.fragments     | Total                     | 0
defrag.ipv6.reassembled   | Total                     | 0
defrag.ipv6.timeouts      | Total                     | 0
defrag.max_frag_hits      | Total                     | 0
tcp.sessions              | Total                     | 0
tcp.ssn_memcap_drop       | Total                     | 0
tcp.pseudo                | Total                     | 0
tcp.pseudo_failed         | Total                     | 0
tcp.invalid_checksum      | Total                     | 0
tcp.no_flow               | Total                     | 0
tcp.syn                   | Total                     | 0
tcp.synack                | Total                     | 0
tcp.rst                   | Total                     | 1
tcp.segment_memcap_drop   | Total                     | 0
tcp.stream_depth_reached  | Total                     | 0
tcp.reassembly_gap        | Total                     | 0
detect.alert              | Total                     | 109
flow_mgr.closed_pruned    | Total                     | 0
flow_mgr.new_pruned       | Total                     | 2682
flow_mgr.est_pruned       | Total                     | 0
flow.spare                | Total                     | 10000
flow.emerg_mode_entered   | Total                     | 0
flow.emerg_mode_over      | Total                     | 0
flow.tcp_reuse            | Total                     | 0
tcp.memuse                | Total                     | 286720
tcp.reassembly_memuse     | Total                     | 12244864
dns.memuse                | Total                     | 0
dns.memcap_state          | Total                     | 0
dns.memcap_global         | Total                     | 0
http.memuse               | Total                     | 0
http.memcap               | Total                     | 0
flow.memuse               | Total                     | 6416964


Could you please tell me if everything is correct in my test case?

Thank you very much in advance.

Best regards,
Mahdi
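A small parser for the fast.log records shown above, added here as an example (it is not code from this thread or from Suricata). It tallies alerts per sid and checks that the custom rule 2250010 fired exactly once per echo request of the `ping -c3`, which is the check the test case calls for. The sample lines are constructed from the alerts in the message, re-joined onto single lines; the cut-off IPv6 destination is completed to ff02::16 (an assumption: the MLDv2 report group that ICMPv6 type 143 is sent to), and the function names are mine.

```python
"""Parse Suricata fast.log records and verify the ICMP ping test above."""
import re
from collections import Counter
from datetime import datetime

TS_FORMAT = "%m/%d/%Y-%H:%M:%S.%f"

# One fast.log record: timestamp, [gid:sid:rev], msg, classification,
# priority, {proto}, src:sport -> dst:dport. For ICMP Suricata prints the
# ICMP type and code in the port positions, so "10.8.33.17:8 -> 10.8.33.200:0"
# is an echo request (type 8, code 0) from the host to the board.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample: the alerts quoted in the message, re-joined onto single
# lines (the mail client wrapped them). The truncated IPv6 destination is
# completed to ff02::16 (assumed). The last line is deliberately malformed
# so the error path is exercised.
SAMPLE_FAST_LOG = """\
01/01/1970-00:09:06.832000  [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:09:11.619000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
01/01/1970-00:09:11.619000  [**] [1:2200094:1] SURICATA zero length padN option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
01/01/1970-00:10:39.811000  [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:10:40.811000  [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
01/01/1970-00:10:41.811000  [**] [1:2250010:1] ICMP packet detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
this line is not a fast.log record and must be reported, not silently dropped
"""


def parse_fast_log(text):
    """Return (alerts, rejected): parsed records and the lines that did not match."""
    alerts, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
        alerts.append(rec)
    return alerts, rejected


def count_by_sid(alerts):
    """How often each signature fired; the first thing to eyeball in a test."""
    return Counter(a["sid"] for a in alerts)


def check_ping_test(alerts, sid, src, dst, sent, after_ts=None):
    """Verify that `sid` alerted once per echo request sent from src to dst.

    after_ts (fast.log timestamp string) restricts the check to alerts raised
    after the ping was started, so alerts from earlier pings are not counted.
    Only echo requests (type 8, code 0) count: the rule in the message is
    written "any -> 10.8.33.200", so the board's echo replies never alert.
    """
    start = datetime.strptime(after_ts, TS_FORMAT) if after_ts else None
    hits = [
        a for a in alerts
        if a["sid"] == sid and a["proto"] == "ICMP"
        and a["src"] == src and a["dst"] == dst
        and a["sport"] == 8 and a["dport"] == 0
        and (start is None or a["time"] >= start)
    ]
    return {"expected": sent, "observed": len(hits), "ok": len(hits) == sent}


if __name__ == "__main__":
    parsed, bad = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, n in sorted(count_by_sid(parsed).items()):
        print(f"sid {sid}: {n} alert(s)")
    print("unparsed lines:", len(bad))
    print(check_ping_test(parsed, 2250010, "10.8.33.17", "10.8.33.200", 3,
                          after_ts="01/01/1970-00:10:00.000000"))
```

Without the time window the same check reports four alerts for sid 2250010, because the 00:09:06 entry comes from an earlier ping; comparing the count against what was actually sent in the window is what tells you the sensor saw every request.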


On Tue, Nov 17, 2015 at 11:35 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Nov 10, 2015 at 2:34 PM, Mahdi Aichouch <foxmehdi at gmail.com>
> wrote:
> > Hello,
> >
> > First of all, thank you very much for all your answers!
> >
> > It is difficult in my case to compile Suricata directly on the board,
> > because I don't have a full fledged Linux distribution such as Debian or
> > Ubuntu... installed on my board.
> > Instead, I am running a para-virtualized L4Linux kernel with a minimal
> root
> > file system (RAMdisk) built using Buildroot.
> >
> > So, I don't have access to a package manager to download and install all
> > libraries that Suricata depends on.
> > When I cross-compiled, I manually downloaded and compiled all the
> binaries
> > of the required libraries before building Suricata.
> >
> > After activating the verbose option I was able to see that there was a
> > missing file.
> > Such as the /usr/share/file/magic.mgc, needed by functions in
> > util-magic.c.
> >
> > Then, after adding all missing configuration files, I was able to
> > successfully run Suricata on an ARMv7 board.
> >
> > $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -s
> > signatures -v &
> >
> > / # [44] 1/1/1970 -- 00:02:32 - (suricata.c:1073) <Notice>
> (SCPrintVersion)
> > -- This is Suricata version 2.1dev (rev 86711a1)
> > [44] 1/1/1970 -- 00:02:32 - (util-cpu.c:170) <Info>
> (UtilCpuPrintSummary) --
> > CPUs/cores online: 1
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2255) <Info>
> > (HTPConfigSetDefaultsPhase2) -- 'default' server has
> > 'request-body-minimal-inspect-size' set to 33882 and
> > 'request-body-inspect-window' set to 4053.
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2270) <Info>
> > (HTPConfigSetDefaultsPhase2) -- 'default' server has
> > 'response-body-minimal-inspect-size' set to 33695 and
> > 'response-body-inspect-window' set to 42.
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:337) <Info>
> > (DNSUDPConfigure) -- DNS request flood protection level: 500
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:349) <Info>
> > (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:361) <Info>
> > (DNSUDPConfigure) -- DNS global memcap: 16777216
> > [44] 1/1/1970 -- 00:02:32 - (app-layer-modbus.c:1457) <Info>
> > (RegisterModbusParsers) -- Modbus request flood protection level: 500
> > [44] 1/1/1970 -- 00:02:32 - (util-ioctl.c:100) <Info> (GetIfaceMTU) --
> Found
> > an MTU of 1500 for 'eth0'
> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:209) <Info>
> (DefragInitConfig) --
> > allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of
> > size 32
> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:234) <Info>
> (DefragInitConfig) --
> > preallocated 65535 defrag trackers of size 120
> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:241) <Info>
> (DefragInitConfig) --
> > defrag memory usage: 9961352 bytes, maximum: 33554432
> > [44] 1/1/1970 -- 00:02:32 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) --
> > AutoFP mode using default "Active Packets" flow load balancer
> > [44] 1/1/1970 -- 00:02:32 - (host.c:215) <Info> (HostInitConfig) --
> > allocated 262144 bytes of memory for the host hash... 4096 buckets of
> size
> > 64
> > [44] 1/1/1970 -- 00:02:32 - (host.c:238) <Info> (HostInitConfig) --
> > preallocated 1000 hosts of size 88
> > [44] 1/1/1970 -- 00:02:32 - (host.c:240) <Info> (HostInitConfig) -- host
> > memory usage: 350144 bytes, maximum: 16777216
> > [44] 1/1/1970 -- 00:02:32 - (flow.c:441) <Info> (FlowInitConfig) --
> > allocated 4194304 bytes of memory for the flow hash... 65536 buckets of
> size
> > 64
> > [44] 1/1/1970 -- 00:02:32 - (flow.c:465) <Info> (FlowInitConfig) --
> > preallocated 10000 flows of size 220
> > [44] 1/1/1970 -- 00:02:32 - (flow.c:467) <Info> (FlowInitConfig) -- flow
> > memory usage: 6394304 bytes, maximum: 67108864
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:377) <Info>
> (StreamTcpInitConfig)
> > -- stream "prealloc-sessions": 2048 (per thread)
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:393) <Info>
> (StreamTcpInitConfig)
> > -- stream "memcap": 33554432
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:399) <Info>
> (StreamTcpInitConfig)
> > -- stream "midstream" session pickups: disabled
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:405) <Info>
> (StreamTcpInitConfig)
> > -- stream "async-oneside": disabled
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:422) <Info>
> (StreamTcpInitConfig)
> > -- stream "checksum-validation": enabled
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:444) <Info>
> (StreamTcpInitConfig)
> > -- stream."inline": disabled
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:457) <Info>
> (StreamTcpInitConfig)
> > -- stream "max-synack-queued": 5
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:475) <Info>
> (StreamTcpInitConfig)
> > -- stream.reassembly "memcap": 134217728
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:493) <Info>
> (StreamTcpInitConfig)
> > -- stream.reassembly "depth": 1048576
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:576) <Info>
> (StreamTcpInitConfig)
> > -- stream.reassembly "toserver-chunk-size": 2549
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:578) <Info>
> (StreamTcpInitConfig)
> > -- stream.reassembly "toclient-chunk-size": 2501
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:591) <Info>
> (StreamTcpInitConfig)
> > -- stream.reassembly.raw: enabled
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:487) <Info>
> > (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:500) <Info>
> > (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128
> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:211) <Info> (IPPairInitConfig) --
> > allocated 262144 bytes of memory for the ippair hash... 4096 buckets of
> size
> > 64
> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:234) <Info> (IPPairInitConfig) --
> > preallocated 1000 ippairs of size 96
> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:236) <Info> (IPPairInitConfig) --
> > ippair memory usage: 358144 bytes, maximum: 16777216
> > [44] 1/1/1970 -- 00:02:32 - (util-magic.c:62) <Info> (MagicInit) -- using
> > magic-file /usr/share/file/magic
> > [44] 1/1/1970 -- 00:02:32 - (suricata.c:1942) <Info>
> (SetupDelayedDetect) --
> > Delayed detect disabled
> > [44] 1/1/1970 -- 00:02:32 - (reputation.c:620) <Info> (SRepInit) -- IP
> > reputation disabled
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/botcc.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/ciarmy.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/compromised.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/drop.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/dshield.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-activex.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-attack_response.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-chat.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-current_events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-dns.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-dos.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-exploit.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-ftp.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-games.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-icmp_info.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-imap.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-inappropriate.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-malware.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-misc.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-mobile_malware.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-netbios.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-p2p.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-policy.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-pop3.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-rpc.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-scada.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-scan.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-shellcode.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-smtp.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-snmp.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-sql.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-telnet.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-tftp.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-trojan.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-user_agents.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-voip.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-web_client.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-web_server.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-web_specific_apps.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/emerging-worm.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> > /etc/suricata/rules/tor.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/decoder-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/stream-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/http-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/smtp-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/dns-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/tls-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/modbus-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
> > Loading rule file: /etc/suricata/rules/app-layer-events.rules
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles) --
> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
> signatures
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:523) <Info> (SigLoadSignatures) --
> 50
> > rule files processed. 236 rules successfully loaded, 0 rules failed
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:2987) <Info>
> (SigAddressPrepareStage1)
> > -- 236 signatures processed. 0 are IP-only rules, 0 are inspecting packet
> > payload, 74 inspect application layer, 99 are decoder y
> > [44] 1/1/1970 -- 00:02:32 - (detect.c:2990) <Info>
> (SigAddressPrepareStage1)
> > -- building signature grouping structure, stage 1: preprocessing rules...
> > complete
> > [44] 1/1/1970 -- 00:02:33 - (detect.c:3623) <Info>
> (SigAddressPrepareStage2)
> > -- building signature grouping structure, stage 2: building source
> address
> > list... complete
> > [44] 1/1/1970 -- 00:02:33 - (detect.c:4148) <Info>
> (SigAddressPrepareStage3)
> > -- building signature grouping structure, stage 3: building destination
> > address lists... complete
> > [44] 1/1/1970 -- 00:02:33 - (util-threshold-config.c:1188) <Info>
> > (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
> > [44] 1/1/1970 -- 00:02:33 - (util-coredump-config.c:122) <Info>
> > (CoredumpLoadConfig) -- Core dump size set to unlimited.
> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> > (SCConfLogOpenGeneric) -- fast output device (regular) initialized:
> fast.log
> > [44] 1/1/1970 -- 00:02:33 - (runmodes.c:739) <Warning>
> > (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
> Eve-log
> > support not compiled in. Reconfigure/recompile with libjansson and its
> de.
> > [44] 1/1/1970 -- 00:02:33 - (alert-unified2-alert.c:1353) <Info>
> > (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
> > unified2.alert, limit 32 MB
> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> > (SCConfLogOpenGeneric) -- http-log output device (regular) initialized:
> > http.log
> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
> > (SCConfLogOpenGeneric) -- stats output device (regular) initialized:
> > stats.log
> > [44] 1/1/1970 -- 00:02:33 - (util-runmodes.c:189) <Info>
> > (RunModeSetLiveCaptureAutoFp) -- Using 1 live device(s).
> > [45] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info>
> (PacketPoolInit)
> > -- preallocated 1024 packets. Total memory 2887680
> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:393) <Info>
> > (ReceivePcapThreadInit) -- using interface eth0
> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:398) <Info>
> > (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of
> > interface state will require 1000 packets.
> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:100) <Info> (GetIfaceMTU) --
> Found
> > an MTU of 1500 for 'eth0'
> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:433) <Info>
> > (ReceivePcapThreadInit) -- Set snaplen to 1516 for 'eth0'
> > device eth0 entered promiscuous mode
> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:178) <Info>
> (GetIfaceOffloading)
> > -- Generic Receive Offload is set on eth0
> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:200) <Info>
> (GetIfaceOffloading)
> > -- Large Receive Offload is unset on eth0
> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:516) <Warning>
> > (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap
> > capture with GRO or LRO activated can lead to capture problems.
> > [44] 1/1/1970 -- 00:02:33 - (runmode-pcap.c:293) <Info>
> > (RunModeIdsPcapAutoFp) -- RunModeIdsPcapAutoFp initialised
> > [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:721) <Info>
> > (FlowManagerThreadSpawn) -- using 1 flow manager threads
> > [47] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info>
> (PacketPoolInit)
> > -- preallocated 1024 packets. Total memory 2887680
> > [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:881) <Info>
> > (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
> > [44] 1/1/1970 -- 00:02:33 - (tm-threads.c:2001) <Notice>
> > (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4
> management
> > threads initialized, engine started.
> >
> > As we can see from the debug messages, there is still one Warning
> message.
> >
> > Running this command: "/ # tail  /var/log/suricata/http.log" gives
> nothing!
> >
> > Running this command: "/ # tail -n 50 /var/log/suricata/stats.log" gives
> the
> > following logs:
> >
> > defrag.ipv6.fragments        | Total                     | 0
> > defrag.ipv6.reassembled   | Total                     | 0
> > defrag.ipv6.timeouts          | Total                     | 0
> > defrag.max_frag_hits      | Total                     | 0
> > tcp.sessions              | Total                     | 0
> > tcp.ssn_memcap_drop       | Total                     | 0
> > tcp.pseudo                | Total                     | 0
> > tcp.pseudo_failed         | Total                     | 0
> > tcp.invalid_checksum      | Total                     | 0
> > tcp.no_flow               | Total                     | 0
> > tcp.syn                   | Total                     | 0
> > tcp.synack                | Total                     | 0
> > tcp.rst                   | Total                     | 0
> > tcp.segment_memcap_drop   | Total                     | 0
> > tcp.stream_depth_reached  | Total                     | 0
> > tcp.reassembly_gap        | Total                     | 0
> > detect.alert              | Total                     | 0
> > flow_mgr.closed_pruned    | Total                     | 0
> > flow_mgr.new_pruned       | Total                     | 0
> > flow_mgr.est_pruned       | Total                     | 0
> > flow.spare                | Total                     | 10000
> > flow.emerg_mode_entered   | Total                     | 0
> > flow.emerg_mode_over      | Total                     | 0
> > flow.tcp_reuse            | Total                     | 0
> > tcp.memuse                | Total                     | 286720
> > tcp.reassembly_memuse     | Total                     | 12244864
> > dns.memuse                | Total                     | 0
> > dns.memcap_state          | Total                     | 0
> > dns.memcap_global         | Total                     | 0
> > http.memuse               | Total                     | 0
> > http.memcap               | Total                     | 0
> > flow.memuse               | Total                     | 6394304
> > -------------------------------------------------------------------
> > Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)
> > -------------------------------------------------------------------
> > Counter                   | TM Name                   | Value
> > -------------------------------------------------------------------
> > capture.kernel_packets    | Total                     | 0
> > capture.kernel_drops      | Total                     | 0
>
> judging by the output above - for 19 min you have seen 0 packets on
> that sniffing interface - is that really the case?
>
> > capture.kernel_ifdrops    | Total                     | 0
> > decoder.pkts              | Total                     | 0
> > decoder.bytes             | Total                     | 0
> > decoder.invalid           | Total                     | 0
> > decoder.ipv4              | Total                     | 0
> > decoder.ipv6              | Total                     | 0
> > decoder.ethernet          | Total                     | 0
> > decoder.raw               | Total                     | 0
> > decoder.null              | Total                     | 0
> > decoder.sll               | Total                     | 0
> >
> >
> > Is it possible to tell me if everything is correct?
> >
> > Is there any test case that gives more explicit results?
> >
> > Thank you very much in advance.
> >
> > Best regards,
> > Mahdi
> >
> >
> > On Tue, Nov 10, 2015 at 8:55 AM, Scott Prader <rigrunn at gmail.com> wrote:
> >>
> >> I have compiled suricata on an armv6h, but did not cross-compile it.  I
> >> compiled it natively and it worked fine.  It took some time, so I found
> >> something else to do while it compiled.
> >>
> >> On Nov 10, 2015 1:47 AM, "Victor Julien" <lists at inliniac.net> wrote:
> >>>
> >>> On 10-11-15 08:46, Anoop Saldanha wrote:
> >>>>
> >>>> On Tue, Nov 10, 2015 at 12:59 PM, Anoop Saldanha
> >>>> <anoopsaldanha at gmail.com> wrote:
> >>>>>
> >>>>> On Mon, Nov 9, 2015 at 11:06 PM, Peter Manev <petermanev at gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> On Mon, Nov 9, 2015 at 3:00 PM, Mahdi Aichouch <foxmehdi at gmail.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I am trying to run Suricata on an ARMv7 architecture based board.
> >>>>>>>
> >>>>>>> After I had successfully cross-compiled Suricata for my target, I
> >>>>>>> tried to
> >>>>>>> run Suricata on the board but I got an Aborted fault.
> >>>>>>>
> >>>>>>> Below is the command that I used in my test:
> >>>>>>>
> >>>>>>> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i
> >>>>>>> eth0
> >>>>>>> --init-errors-fatal
> >>>>>>
> >>>>>>
> >>>>>> Can you try adding the "-v" switch for more verbose output -
> >>>>>> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
> >>>>>> --init-errors-fatal -v
> >>>>>>
> >>>>>>>
> >>>>>>> [35] 1/1/1970 -- 00:02:03 - (suricata.c:1073) <Notice>
> >>>>>>> (SCPrintVersion) --
> >>>>>>> This is Suricata version 2.1dev (rev 86711a1)
> >>>>>>> Aborted.
> >>>>>>>
> >>>>>>> No further messages are printed on the terminal.
> >>>>>>>
> >>>>>>> Could someone help me in figuring out what causes this issue?
> >>>>>
> >>>>>
> >>>>> Trouble with some instructions generated for your architecture most
> >>>>> likely.  I would first try and make sure that I have cross compiled
> >>>>> directly, and then zero in on the instructions generated by the
> >>>>> compiler and make sure it is present in ARMv7's ISA.
> >>>>>
> >>>>
> >>>> My previous reply - s/cross compiled directly/cross compiled
> correctly/g
> >>>>
> >>>> As a later step on figuring out the instructions, you can look at the
> >>>> kernel/system logs to figure out the instructions that caused the
> >>>> error.
> >>>>
> >>>
> >>> Don't forget passing --disable-gccmarch-native to configure before
> >>> compiling.
> >>>
> >>> --
> >>> ---------------------------------------------
> >>> Victor Julien
> >>> http://www.inliniac.net/
> >>> PGP: http://www.inliniac.net/victorjulien.asc
> >>> ---------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >>> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> Suricata User Conference November 4 & 5 in Barcelona:
> >>> http://oisfevents.net
> >>
> >>
> >
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>