[Oisf-users] suricata IPS and drop.log

Vieri rentorbuy at yahoo.com
Mon Dec 19 09:55:43 UTC 2016



----- Original Message -----
> From: Andreas Herz <andi at geekosphere.org>
>
> Can you reproduce with a .pcap and in --simulate-ips mode?


I'm not sure how to do this.
I tried the following:

# /usr/bin/suricata --pidfile /var/run/suricata/suricata.pid -vvv -i enp0s13 --simulate-ips --pcap=enp0s13 -c /etc/suricata/suricata.yaml


19/12/2016 -- 10:36:24 - <Info> - Setting IPS mode
19/12/2016 -- 10:36:24 - <Error> - [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified


I can't use -q here, of course.

So there must be something else in the yaml config file...

I also suppose that the yaml config option "runmode" has nothing to do with the error shown above (it is left at the default autofp in my case).

I thought that maybe the conflict is with both -i and --pcap. So I ran the same command without -i enp0s13 and the last log lines are shown below:

19/12/2016 -- 10:43:43 - <Info> - fast output device (regular) initialized: fast.log
19/12/2016 -- 10:43:43 - <Info> - eve-log output device (regular) initialized: eve.json
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'alert'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'http'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'dns'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'tls'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'files'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'smtp'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'ssh'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'stats'
19/12/2016 -- 10:43:43 - <Config> - enabling 'eve-log' module 'flow'
19/12/2016 -- 10:43:43 - <Info> - stats output device (regular) initialized: stats.log
19/12/2016 -- 10:43:43 - <Info> - drop output device (regular) initialized: drop.log
19/12/2016 -- 10:43:43 - <Config> - AutoFP mode using "Hash" flow load balancer
19/12/2016 -- 10:43:43 - <Info> - Using 1 live device(s).
19/12/2016 -- 10:43:43 - <Warning> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Name of device should not be null
19/12/2016 -- 10:43:43 - <Info> - using interface enp0s13
19/12/2016 -- 10:43:43 - <Perf> - enp0s13: disabling txcsum offloading
19/12/2016 -- 10:43:43 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for 'enp0s13': Operation not supported (95)
19/12/2016 -- 10:43:43 - <Perf> - enp0s13: disabling gro offloading
19/12/2016 -- 10:43:43 - <Perf> - enp0s13: disabling gso offloading
19/12/2016 -- 10:43:43 - <Perf> - enp0s13: disabling sg offloading
19/12/2016 -- 10:43:43 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for 'enp0s13': Operation not supported (95)
19/12/2016 -- 10:43:43 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
19/12/2016 -- 10:43:43 - <Info> - Found an MTU of 1500 for 'enp0s13'
19/12/2016 -- 10:43:43 - <Info> - Set snaplen to 1524 for 'enp0s13'
19/12/2016 -- 10:43:43 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on enp0s13: RX unset TX SET. Run: ethtool -K enp0s13 rx off tx off
19/12/2016 -- 10:43:43 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on enp0s13: SG: SET,  GRO: unset, LRO: unset, TSO: unset, GSO: unset. Run: ethtool -K enp0s13 sg off gro off lro off tso off gso off
19/12/2016 -- 10:43:43 - <Info> - RunModeIdsPcapAutoFp initialised
19/12/2016 -- 10:43:43 - <Info> - Running in live mode, activating unix socket
19/12/2016 -- 10:43:43 - <Config> - using 1 flow manager threads
19/12/2016 -- 10:43:43 - <Config> - using 1 flow recycler threads
19/12/2016 -- 10:43:43 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
19/12/2016 -- 10:43:44 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used


(note the errors above)

Anyway, I then checked the drop.log and fast.log files.

I got this line in fast.log:

12/19/2016-10:52:28.142597  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:26173 -> 192.168.101.2:22


However, drop.log is completely empty.
I enabled drop.log in the yaml file, of course, as you can see in the log messages above.

Anything else I can try?

Vieri
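As an added example (not code from the original thread or from the Suricata project), here is a small parser for the fast.log line format quoted above. It separates `[Drop]` and `[wDrop]` entries from plain alerts so that what fast.log claims was dropped can be reconciled against drop.log; all sample lines except the one from the post are constructed, with placeholder rule messages and SIDs.

```python
import re
from collections import Counter

# Suricata fast.log line: timestamp, optional [Drop]/[wDrop] tag,
# [gid:sid:rev], message, optional classification, priority, {proto}
# and the endpoints (ports are absent for protocols such as ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample: line 1 is the one quoted in the post, the rest use
# placeholder messages/SIDs. [wDrop] is the would-drop tag Suricata uses
# when a drop is only simulated rather than enforced.
SAMPLE_FAST_LOG = """
12/19/2016-10:52:28.142597  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:26173 -> 192.168.101.2:22
12/19/2016-10:53:01.000001  [**] [1:9000001:1] EXAMPLE alert-only rule (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.101.2:80 -> 192.168.101.50:40512
12/19/2016-10:53:05.000002  [wDrop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.48:26180 -> 192.168.101.2:22
12/19/2016-10:53:09.000003  [**] [1:9000002:1] EXAMPLE icmp rule (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.101.50 -> 192.168.101.2
"""


def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["action"] = ev["action"] or "alert"  # no tag means a plain alert
            events.append(ev)
    return events


def drop_summary(events):
    """Return (count per action, sorted SIDs that were dropped or would-dropped).
    A non-zero drop count alongside an empty drop.log is the mismatch reported above."""
    by_action = Counter(ev["action"] for ev in events)
    dropped = sorted({int(ev["sid"]) for ev in events if ev["action"] in ("Drop", "wDrop")})
    return by_action, dropped


if __name__ == "__main__":
    counts, sids = drop_summary(parse_fast_log(SAMPLE_FAST_LOG.splitlines()))
    print(dict(counts), sids)
```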


