[Oisf-users] Problem when testing Suricata on an ARMv7 based board

Peter Manev petermanev at gmail.com
Sat Nov 28 10:11:53 UTC 2015


On Wed, Nov 25, 2015 at 2:48 PM, Mahdi Aichouch <foxmehdi at gmail.com> wrote:
> Hello,
>
> Thank you Peter for your answer.
>
>>judging by the output above - for 19 min you have seen 0 packets on
>>that sniffing interface - is that really the case?
>
> That's it, this is what I get after running Suricata in my first test.
>
> However, knowing that there are no HTTP packets sent to or received
> from the embedded Linux running on the board, I added the rule below to
> the /etc/suricata/rules/http.log rules file to catch simple packets sent to
> the board using a ping:
>
> alert icmp any any -> 10.8.33.200 any (msg:"ICMP packet detected";
> sid:2250010; rev:1;)
>
> After that, I executed a ping command from my host.
>
> $> ping -c3 10.8.33.200
> PING 10.8.33.200 (10.8.33.200) 56(84) bytes of data.
> 64 bytes from 10.8.33.200: icmp_req=1 ttl=64 time=0.233 ms
> 64 bytes from 10.8.33.200: icmp_req=2 ttl=64 time=0.262 ms
> 64 bytes from 10.8.33.200: icmp_req=3 ttl=64 time=0.225 ms
>
> --- 10.8.33.200 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 1998ms
> rtt min/avg/max/mdev = 0.225/0.240/0.262/0.015 ms
>
> Then I checked /tmp/suricata/fast.log and got the following results:
>
> / # tail /tmp/suricata/fast.log
>
> 01/01/1970-00:09:06.832000  [**] [1:2250010:1] ICMP packet detected [**]
> [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
> 01/01/1970-00:09:11.619000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
> [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
> 01/01/1970-00:09:11.619000  [**] [1:2200094:1] SURICATA zero length padN
> option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
> 01/01/1970-00:09:11.619000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
> [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
> 01/01/1970-00:09:11.619000  [**] [1:2200094:1] SURICATA zero length padN
> option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
> 01/01/1970-00:09:11.620000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type
> [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:0000:00
> 01/01/1970-00:09:11.620000  [**] [1:2200094:1] SURICATA zero length padN
> option [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> fe80:0000:0000:0000:d9c3:b207:4db1:2b2b:143 -> ff02:0000:0000:0000:000
> 01/01/1970-00:10:39.811000  [**] [1:2250010:1] ICMP packet detected [**]
> [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
> 01/01/1970-00:10:40.811000  [**] [1:2250010:1] ICMP packet detected [**]
> [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
> 01/01/1970-00:10:41.811000  [**] [1:2250010:1] ICMP packet detected [**]
> [Classification: (null)] [Priority: 3] {ICMP} 10.8.33.17:8 -> 10.8.33.200:0
>
> As we can see, there are three packets detected by Suricata.
>
> Then, after looking at the stats, I get these results:
>
> / # tail /tmp/suricata/stats.log
>
> / # tail -n 50 /tmp/suricata/stats.log
> decoder.icmpv4            | Total                     | 27
> decoder.icmpv6            | Total                     | 440
> decoder.ppp               | Total                     | 0
> decoder.pppoe             | Total                     | 0
> decoder.gre               | Total                     | 0
> decoder.vlan              | Total                     | 0
> decoder.vlan_qinq         | Total                     | 0
> decoder.teredo            | Total                     | 0
> decoder.ipv4_in_ipv6      | Total                     | 0
> decoder.ipv6_in_ipv6      | Total                     | 0
> decoder.mpls              | Total                     | 0
> decoder.avg_pkt_size      | Total                     | 142
> decoder.max_pkt_size      | Total                     | 1506
> decoder.erspan            | Total                     | 0
> flow.memcap               | Total                     | 0
> defrag.ipv4.fragments     | Total                     | 0
> defrag.ipv4.reassembled   | Total                     | 0
> defrag.ipv4.timeouts      | Total                     | 0
> defrag.ipv6.fragments     | Total                     | 0
> defrag.ipv6.reassembled   | Total                     | 0
> defrag.ipv6.timeouts      | Total                     | 0
> defrag.max_frag_hits      | Total                     | 0
> tcp.sessions              | Total                     | 0
> tcp.ssn_memcap_drop       | Total                     | 0
> tcp.pseudo                | Total                     | 0
> tcp.pseudo_failed         | Total                     | 0
> tcp.invalid_checksum      | Total                     | 0
> tcp.no_flow               | Total                     | 0
> tcp.syn                   | Total                     | 0
> tcp.synack                | Total                     | 0
> tcp.rst                   | Total                     | 1
> tcp.segment_memcap_drop   | Total                     | 0
> tcp.stream_depth_reached  | Total                     | 0
> tcp.reassembly_gap        | Total                     | 0
> detect.alert              | Total                     | 109
> flow_mgr.closed_pruned    | Total                     | 0
> flow_mgr.new_pruned       | Total                     | 2682
> flow_mgr.est_pruned       | Total                     | 0
> flow.spare                | Total                     | 10000
> flow.emerg_mode_entered   | Total                     | 0
> flow.emerg_mode_over      | Total                     | 0
> flow.tcp_reuse            | Total                     | 0
> tcp.memuse                | Total                     | 286720
> tcp.reassembly_memuse     | Total                     | 12244864
> dns.memuse                | Total                     | 0
> dns.memcap_state          | Total                     | 0
> dns.memcap_global         | Total                     | 0
> http.memuse               | Total                     | 0
> http.memcap               | Total                     | 0
> flow.memuse               | Total                     | 6416964
>
>
> Could you please tell me if everything is correct in my test case?


It looks like you have the functionality.

>
> Thank you very much in advance.
>
> Best regards,
> Mahdi
>
>
> On Tue, Nov 17, 2015 at 11:35 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Tue, Nov 10, 2015 at 2:34 PM, Mahdi Aichouch <foxmehdi at gmail.com>
>> wrote:
>> > Hello,
>> >
>> > First of all, thank you very much for all your answers!
>> >
>> > It is difficult in my case to compile Suricata directly on the board,
>> > because I don't have a full-fledged Linux distribution such as Debian or
>> > Ubuntu installed on my board.
>> > Instead, I am running a para-virtualized L4Linux kernel with a minimal
>> > root file system (RAMdisk) built using Buildroot.
>> >
>> > So, I don't have access to a package manager to download and install all
>> > the libraries that Suricata depends on.
>> > When I cross-compiled, I manually downloaded and compiled all the
>> > binaries of the required libraries before building Suricata.
>> >
>> > After activating the verbose option I was able to see that there was a
>> > missing file, such as /usr/share/file/magic.mgc, needed by functions in
>> > util-magic.c.
>> >
>> > Then, after adding all missing configuration files, I was able to
>> > successfully run Suricata on an ARMv7 board.
>> >
>> > $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
>> > -s
>> > signatures -v &
>> >
>> > / # [44] 1/1/1970 -- 00:02:32 - (suricata.c:1073) <Notice>
>> > (SCPrintVersion)
>> > -- This is Suricata version 2.1dev (rev 86711a1)
>> > [44] 1/1/1970 -- 00:02:32 - (util-cpu.c:170) <Info>
>> > (UtilCpuPrintSummary) --
>> > CPUs/cores online: 1
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2255) <Info>
>> > (HTPConfigSetDefaultsPhase2) -- 'default' server has
>> > 'request-body-minimal-inspect-size' set to 33882 and
>> > 'request-body-inspect-window' set to 4053.
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-htp.c:2270) <Info>
>> > (HTPConfigSetDefaultsPhase2) -- 'default' server has
>> > 'response-body-minimal-inspect-size' set to 33695 and
>> > 'response-body-inspect-window' set to 42.
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:337) <Info>
>> > (DNSUDPConfigure) -- DNS request flood protection level: 500
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:349) <Info>
>> > (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-dns-udp.c:361) <Info>
>> > (DNSUDPConfigure) -- DNS global memcap: 16777216
>> > [44] 1/1/1970 -- 00:02:32 - (app-layer-modbus.c:1457) <Info>
>> > (RegisterModbusParsers) -- Modbus request flood protection level: 500
>> > [44] 1/1/1970 -- 00:02:32 - (util-ioctl.c:100) <Info> (GetIfaceMTU) --
>> > Found
>> > an MTU of 1500 for 'eth0'
>> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:209) <Info>
>> > (DefragInitConfig) --
>> > allocated 2097152 bytes of memory for the defrag hash... 65536 buckets
>> > of
>> > size 32
>> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:234) <Info>
>> > (DefragInitConfig) --
>> > preallocated 65535 defrag trackers of size 120
>> > [44] 1/1/1970 -- 00:02:32 - (defrag-hash.c:241) <Info>
>> > (DefragInitConfig) --
>> > defrag memory usage: 9961352 bytes, maximum: 33554432
>> > [44] 1/1/1970 -- 00:02:32 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister)
>> > --
>> > AutoFP mode using default "Active Packets" flow load balancer
>> > [44] 1/1/1970 -- 00:02:32 - (host.c:215) <Info> (HostInitConfig) --
>> > allocated 262144 bytes of memory for the host hash... 4096 buckets of
>> > size
>> > 64
>> > [44] 1/1/1970 -- 00:02:32 - (host.c:238) <Info> (HostInitConfig) --
>> > preallocated 1000 hosts of size 88
>> > [44] 1/1/1970 -- 00:02:32 - (host.c:240) <Info> (HostInitConfig) -- host
>> > memory usage: 350144 bytes, maximum: 16777216
>> > [44] 1/1/1970 -- 00:02:32 - (flow.c:441) <Info> (FlowInitConfig) --
>> > allocated 4194304 bytes of memory for the flow hash... 65536 buckets of
>> > size
>> > 64
>> > [44] 1/1/1970 -- 00:02:32 - (flow.c:465) <Info> (FlowInitConfig) --
>> > preallocated 10000 flows of size 220
>> > [44] 1/1/1970 -- 00:02:32 - (flow.c:467) <Info> (FlowInitConfig) -- flow
>> > memory usage: 6394304 bytes, maximum: 67108864
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:377) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "prealloc-sessions": 2048 (per thread)
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:393) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "memcap": 33554432
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:399) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "midstream" session pickups: disabled
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:405) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "async-oneside": disabled
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:422) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "checksum-validation": enabled
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:444) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream."inline": disabled
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:457) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream "max-synack-queued": 5
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:475) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream.reassembly "memcap": 134217728
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:493) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream.reassembly "depth": 1048576
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:576) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream.reassembly "toserver-chunk-size": 2549
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:578) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream.reassembly "toclient-chunk-size": 2501
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp.c:591) <Info>
>> > (StreamTcpInitConfig)
>> > -- stream.reassembly.raw: enabled
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 4, prealloc 256
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 16, prealloc 512
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 112, prealloc 512
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 248, prealloc 512
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 512, prealloc 512
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 768, prealloc 1024
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 1448, prealloc 1024
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:451) <Info>
>> > (StreamTcpReassemblyConfig) -- segment pool: pktsize 65535, prealloc 128
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:487) <Info>
>> > (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
>> > [44] 1/1/1970 -- 00:02:32 - (stream-tcp-reassemble.c:500) <Info>
>> > (StreamTcpReassemblyConfig) -- stream.reassembly "zero-copy-size": 128
>> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:211) <Info> (IPPairInitConfig) --
>> > allocated 262144 bytes of memory for the ippair hash... 4096 buckets of
>> > size
>> > 64
>> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:234) <Info> (IPPairInitConfig) --
>> > preallocated 1000 ippairs of size 96
>> > [44] 1/1/1970 -- 00:02:32 - (ippair.c:236) <Info> (IPPairInitConfig) --
>> > ippair memory usage: 358144 bytes, maximum: 16777216
>> > [44] 1/1/1970 -- 00:02:32 - (util-magic.c:62) <Info> (MagicInit) --
>> > using
>> > magic-file /usr/share/file/magic
>> > [44] 1/1/1970 -- 00:02:32 - (suricata.c:1942) <Info>
>> > (SetupDelayedDetect) --
>> > Delayed detect disabled
>> > [44] 1/1/1970 -- 00:02:32 - (reputation.c:620) <Info> (SRepInit) -- IP
>> > reputation disabled
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/botcc.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/ciarmy.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/compromised.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/drop.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/dshield.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-activex.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-attack_response.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-chat.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-current_events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-dns.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-dos.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-exploit.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-ftp.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-games.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-icmp_info.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-imap.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-inappropriate.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-malware.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-misc.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-mobile_malware.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-netbios.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-p2p.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-policy.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-pop3.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-rpc.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-scada.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-scan.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-shellcode.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-smtp.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-snmp.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-sql.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-telnet.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-tftp.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-trojan.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-user_agents.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-voip.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-web_client.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-web_server.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-web_specific_apps.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/emerging-worm.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > /etc/suricata/rules/tor.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/decoder-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/stream-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/http-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/smtp-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/dns-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/tls-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/modbus-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:414) <Info> (ProcessSigFiles) --
>> > Loading rule file: /etc/suricata/rules/app-layer-events.rules
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:402) <Warning> (ProcessSigFiles)
>> > --
>> > [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
>> > signatures
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:523) <Info> (SigLoadSignatures) --
>> > 50
>> > rule files processed. 236 rules successfully loaded, 0 rules failed
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:2987) <Info>
>> > (SigAddressPrepareStage1)
>> > -- 236 signatures processed. 0 are IP-only rules, 0 are inspecting
>> > packet
>> > payload, 74 inspect application layer, 99 are decoder y
>> > [44] 1/1/1970 -- 00:02:32 - (detect.c:2990) <Info>
>> > (SigAddressPrepareStage1)
>> > -- building signature grouping structure, stage 1: preprocessing
>> > rules...
>> > complete
>> > [44] 1/1/1970 -- 00:02:33 - (detect.c:3623) <Info>
>> > (SigAddressPrepareStage2)
>> > -- building signature grouping structure, stage 2: building source
>> > address
>> > list... complete
>> > [44] 1/1/1970 -- 00:02:33 - (detect.c:4148) <Info>
>> > (SigAddressPrepareStage3)
>> > -- building signature grouping structure, stage 3: building destination
>> > address lists... complete
>> > [44] 1/1/1970 -- 00:02:33 - (util-threshold-config.c:1188) <Info>
>> > (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
>> > [44] 1/1/1970 -- 00:02:33 - (util-coredump-config.c:122) <Info>
>> > (CoredumpLoadConfig) -- Core dump size set to unlimited.
>> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
>> > (SCConfLogOpenGeneric) -- fast output device (regular) initialized:
>> > fast.log
>> > [44] 1/1/1970 -- 00:02:33 - (runmodes.c:739) <Warning>
>> > (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] -
>> > Eve-log
>> > support not compiled in. Reconfigure/recompile with libjansson and its
>> > de.
>> > [44] 1/1/1970 -- 00:02:33 - (alert-unified2-alert.c:1353) <Info>
>> > (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
>> > unified2.alert, limit 32 MB
>> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
>> > (SCConfLogOpenGeneric) -- http-log output device (regular) initialized:
>> > http.log
>> > [44] 1/1/1970 -- 00:02:33 - (util-logopenfile.c:298) <Info>
>> > (SCConfLogOpenGeneric) -- stats output device (regular) initialized:
>> > stats.log
>> > [44] 1/1/1970 -- 00:02:33 - (util-runmodes.c:189) <Info>
>> > (RunModeSetLiveCaptureAutoFp) -- Using 1 live device(s).
>> > [45] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info>
>> > (PacketPoolInit)
>> > -- preallocated 1024 packets. Total memory 2887680
>> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:393) <Info>
>> > (ReceivePcapThreadInit) -- using interface eth0
>> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:398) <Info>
>> > (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of
>> > interface state will require 1000 packets.
>> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:100) <Info> (GetIfaceMTU) --
>> > Found
>> > an MTU of 1500 for 'eth0'
>> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:433) <Info>
>> > (ReceivePcapThreadInit) -- Set snaplen to 1516 for 'eth0'
>> > device eth0 entered promiscuous mode
>> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:178) <Info>
>> > (GetIfaceOffloading)
>> > -- Generic Receive Offload is set on eth0
>> > [45] 1/1/1970 -- 00:02:33 - (util-ioctl.c:200) <Info>
>> > (GetIfaceOffloading)
>> > -- Large Receive Offload is unset on eth0
>> > [45] 1/1/1970 -- 00:02:33 - (source-pcap.c:516) <Warning>
>> > (ReceivePcapThreadInit) -- [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using
>> > Pcap
>> > capture with GRO or LRO activated can lead to capture problems.
>> > [44] 1/1/1970 -- 00:02:33 - (runmode-pcap.c:293) <Info>
>> > (RunModeIdsPcapAutoFp) -- RunModeIdsPcapAutoFp initialised
>> > [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:721) <Info>
>> > (FlowManagerThreadSpawn) -- using 1 flow manager threads
>> > [47] 1/1/1970 -- 00:02:33 - (tmqh-packetpool.c:394) <Info>
>> > (PacketPoolInit)
>> > -- preallocated 1024 packets. Total memory 2887680
>> > [44] 1/1/1970 -- 00:02:33 - (flow-manager.c:881) <Info>
>> > (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
>> > [44] 1/1/1970 -- 00:02:33 - (tm-threads.c:2001) <Notice>
>> > (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4
>> > management
>> > threads initialized, engine started.
>> >
>> > As we can see from the debug messages, there is still one Warning
>> > message.
>> >
>> > Running this command: "/ # tail  /var/log/suricata/http.log" gives
>> > nothing!
>> >
>> > Running this command: "/ # tail -n 50 /var/log/suricata/stats.log" gives
>> > the following logs:
>> >
>> > defrag.ipv6.fragments        | Total                     | 0
>> > defrag.ipv6.reassembled   | Total                     | 0
>> > defrag.ipv6.timeouts          | Total                     | 0
>> > defrag.max_frag_hits      | Total                     | 0
>> > tcp.sessions              | Total                     | 0
>> > tcp.ssn_memcap_drop       | Total                     | 0
>> > tcp.pseudo                | Total                     | 0
>> > tcp.pseudo_failed         | Total                     | 0
>> > tcp.invalid_checksum      | Total                     | 0
>> > tcp.no_flow               | Total                     | 0
>> > tcp.syn                   | Total                     | 0
>> > tcp.synack                | Total                     | 0
>> > tcp.rst                   | Total                     | 0
>> > tcp.segment_memcap_drop   | Total                     | 0
>> > tcp.stream_depth_reached  | Total                     | 0
>> > tcp.reassembly_gap        | Total                     | 0
>> > detect.alert              | Total                     | 0
>> > flow_mgr.closed_pruned    | Total                     | 0
>> > flow_mgr.new_pruned       | Total                     | 0
>> > flow_mgr.est_pruned       | Total                     | 0
>> > flow.spare                | Total                     | 10000
>> > flow.emerg_mode_entered   | Total                     | 0
>> > flow.emerg_mode_over      | Total                     | 0
>> > flow.tcp_reuse            | Total                     | 0
>> > tcp.memuse                | Total                     | 286720
>> > tcp.reassembly_memuse     | Total                     | 12244864
>> > dns.memuse                | Total                     | 0
>> > dns.memcap_state          | Total                     | 0
>> > dns.memcap_global         | Total                     | 0
>> > http.memuse               | Total                     | 0
>> > http.memcap               | Total                     | 0
>> > flow.memuse               | Total                     | 6394304
>> > -------------------------------------------------------------------
>> > Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)
>> > -------------------------------------------------------------------
>> > Counter                   | TM Name                   | Value
>> > -------------------------------------------------------------------
>> > capture.kernel_packets    | Total                     | 0
>> > capture.kernel_drops      | Total                     | 0
>>
>> judging by the output above - for 19 min you have seen 0 packets on
>> that sniffing interface - is that really the case?
>>
>> > capture.kernel_ifdrops    | Total                     | 0
>> > decoder.pkts              | Total                     | 0
>> > decoder.bytes             | Total                     | 0
>> > decoder.invalid           | Total                     | 0
>> > decoder.ipv4              | Total                     | 0
>> > decoder.ipv6              | Total                     | 0
>> > decoder.ethernet          | Total                     | 0
>> > decoder.raw               | Total                     | 0
>> > decoder.null              | Total                     | 0
>> > decoder.sll               | Total                     | 0
>> >
>> >
>> > Is it possible to tell me if everything is correct?
>> >
>> > Is there any test case that gives more explicit results?
>> >
>> > Thank you very much in advance.
>> >
>> > Best regards,
>> > Mahdi
>> >
>> >
>> > On Tue, Nov 10, 2015 at 8:55 AM, Scott Prader <rigrunn at gmail.com> wrote:
>> >>
>> >> I have compiled suricata on an armv6h, but did not cross-compile it.  I
>> >> compiled it natively and it worked fine.  It took some time, so I found
>> >> something else to do while it compiled.
>> >>
>> >> On Nov 10, 2015 1:47 AM, "Victor Julien" <lists at inliniac.net> wrote:
>> >>>
>> >>> On 10-11-15 08:46, Anoop Saldanha wrote:
>> >>>>
>> >>>> On Tue, Nov 10, 2015 at 12:59 PM, Anoop Saldanha
>> >>>> <anoopsaldanha at gmail.com> wrote:
>> >>>>>
>> >>>>> On Mon, Nov 9, 2015 at 11:06 PM, Peter Manev <petermanev at gmail.com>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> On Mon, Nov 9, 2015 at 3:00 PM, Mahdi Aichouch <foxmehdi at gmail.com>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> Hello,
>> >>>>>>>
>> >>>>>>> I am trying to run Suricata on an ARMv7 architecture based board.
>> >>>>>>>
>> >>>>>>> After I had successfully cross-compiled Suricata for my target, I
>> >>>>>>> tried to run Suricata on the board, but I got an Aborted fault.
>> >>>>>>>
>> >>>>>>> Below is the command that I used in my test:
>> >>>>>>>
>> >>>>>>> $> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
>> >>>>>>
>> >>>>>>
>> >>>>>> Can you try adding the "-v" switch for more verbose output -
>> >>>>>> ./home/suricata/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
>> >>>>>> --init-errors-fatal -v
>> >>>>>>
>> >>>>>>>
>> >>>>>>> [35] 1/1/1970 -- 00:02:03 - (suricata.c:1073) <Notice> (SCPrintVersion) -- This is Suricata version 2.1dev (rev 86711a1)
>> >>>>>>> Aborted.
>> >>>>>>>
>> >>>>>>> No further messages are printed on the terminal.
>> >>>>>>>
>> >>>>>>> Could someone help me in figuring out what causes this issue?
>> >>>>>
>> >>>>>
>> >>>>> Trouble with some instructions generated for your architecture most
>> >>>>> likely.  I would first try and make sure that I have cross compiled
>> >>>>> directly, and then zero in on the instructions generated by the
>> >>>>> compiler and make sure it is present in ARMv7's ISA.
>> >>>>>
>> >>>>
>> >>>> My previous reply - s/cross compiled directly/cross compiled
>> >>>> correctly/g
>> >>>>
>> >>>> As a later step on figuring out the instructions, you can look at the
>> >>>> kernel/system logs to figure out the instructions that caused the
>> >>>> error.
>> >>>>
>> >>>
>> >>> Don't forget passing --disable-gccmarch-native to configure before
>> >>> compiling.
>> >>>
>> >>> --
>> >>> ---------------------------------------------
>> >>> Victor Julien
>> >>> http://www.inliniac.net/
>> >>> PGP: http://www.inliniac.net/victorjulien.asc
>> >>> ---------------------------------------------
>> >>>
>> >>> _______________________________________________
>> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >>> Site: http://suricata-ids.org | Support:
>> >>> http://suricata-ids.org/support/
>> >>> List:
>> >>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>> Suricata User Conference November 4 & 5 in Barcelona:
>> >>> http://oisfevents.net
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
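Peter's point above is that the stats.log block shows capture.kernel_packets at 0 after 19 minutes of uptime, so no rule can fire regardless of how it is written. The script below is an added example, not code from the thread or from the Suricata project: it reads the last stats block from a file in the classic "Counter | TM Name | Value" layout quoted in the thread and reports whether the capture counters moved at all, so a zero-packet sniffing interface is caught before anyone starts debugging rules. The sample stats.log content is constructed to mirror the quoted output; file names and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): sanity-check
# a Suricata stats.log file for the "0 packets captured" condition.
# Assumes the classic stats.log table layout "counter | TM Name | value"
# as quoted in the thread.

# Constructed sample stats.log mimicking the quoted output: two blocks,
# the last of which is the one that matters.
SAMPLE_STATS=$(cat <<'EOF'
-------------------------------------------------------------------
Date: 11/10/2015 -- 11:34:42 (uptime: 0d, 00h 18m 28s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | Total                     | 0
capture.kernel_drops      | Total                     | 0
decoder.pkts              | Total                     | 0
-------------------------------------------------------------------
Date: 11/10/2015 -- 11:35:42 (uptime: 0d, 00h 19m 28s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | Total                     | 0
capture.kernel_drops      | Total                     | 0
capture.kernel_ifdrops    | Total                     | 0
decoder.pkts              | Total                     | 0
decoder.bytes             | Total                     | 0
EOF
)

# last_counter FILE COUNTER
# Prints the value of COUNTER from the last stats block in FILE, or "NA"
# when the counter never appears. Later blocks overwrite earlier ones, so
# the final assignment is the most recent sample.
last_counter() {
    awk -F'|' -v name="$2" '
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == name) { v = $3; gsub(/[ \t]/, "", v) }
        }
        END { print (v == "" ? "NA" : v) }
    ' "$1"
}

# check_capture FILE
# Returns 0 when the last block shows captured packets, 1 when the
# interface saw nothing (the situation in the thread), 2 when the
# counter is missing from the file.
check_capture() {
    pkts=$(last_counter "$1" capture.kernel_packets)
    drops=$(last_counter "$1" capture.kernel_drops)
    case "$pkts" in
        NA)
            echo "capture.kernel_packets not found in $1"
            return 2 ;;
        0)
            echo "capture.kernel_packets=0: the sniffing interface saw no traffic;" \
                 "verify the -i interface, promiscuous mode and that test traffic actually crosses it"
            return 1 ;;
        *)
            echo "capture.kernel_packets=$pkts capture.kernel_drops=$drops"
            return 0 ;;
    esac
}

# Demo run against the constructed sample (replace with /var/log/suricata/stats.log).
STATS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_STATS" > "$STATS_FILE"
check_capture "$STATS_FILE" && rc=0 || rc=$?
echo "check_capture exit status: $rc"
rm -f "$STATS_FILE"
```

Run it against the real stats.log after a few stats intervals have elapsed; an exit status of 1 means the ICMP rule test from the thread cannot succeed until the capture interface itself is fixed, which is a cheaper thing to verify than the rule syntax.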