[Oisf-users] Trouble with suricata
Victor Julien
lists at inliniac.net
Thu Jun 2 08:22:36 UTC 2016
On 02-06-16 08:26, Sergey Malinkin wrote:
> Hello, I have a problem.
> We cloned a VM with Suricata 3, but Suricata did not catch anything: empty
> fast.log and ssh.json. In the original place (from which the VM was
> copied) Suricata works fine.
> If I run tcpdump I can see the mirrored traffic. For example, I test with the
> following rule:
>
> alert tcp $HOME_NET any -> $HOME_NET any (msg:"SSH in internal net";
> flow:established, to_server; content: "SSH-"; sid:100999; rev:1;)
>
> I connect to the VM and another Unix PC, and nothing appears in fast.log or ssh.json.
>
> From suricata.yaml:
>
>   - fast:
>       enabled: yes
>       filename: fast.log
>       append: yes
>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>
>   - eve-log:
>       enabled: yes
>       type: file
>       filename: ssh.json
>       types:
>         - ssh
>
> Maybe you know what to do?
>
We solved this on IRC. NIC offloading was enabled and vlan tracking had
to be disabled.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
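As an added example (not from the thread, and not Suricata's or OISF's own tooling), a small POSIX sh checker for the first half of the fix above: it parses `ethtool -k` output to show which NIC offload features are still on for a capture interface, and builds the `ethtool -K` command that turns them off. The interface name eth0 and the sample ethtool listing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the NIC offload features that are
# still enabled on a capture interface. GRO/LRO/TSO/GSO and VLAN offload hand
# Suricata reassembled or VLAN-stripped frames while tcpdump still looks fine.
# SAMPLE_ETHTOOL_K is a constructed stand-in for `ethtool -k eth0` output.

SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# Features worth turning off on a sniffing interface (ethtool -k long names).
OFFLOAD_FEATURES='tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload'

# enabled_offloads: read `ethtool -k` output on stdin and print, one per line,
# the watched features whose value is "on" (a "[fixed]" suffix is ignored).
enabled_offloads() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        value=${value%% *}
        case " $OFFLOAD_FEATURES " in
            *" $name "*) [ "$value" = "on" ] && printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# disable_offloads_cmd: build the ethtool -K command that turns those features
# off for interface $1 (short feature names, as ethtool -K expects them).
disable_offloads_cmd() {
    printf 'ethtool -K %s gro off lro off tso off gso off rxvlan off txvlan off' "$1"
}

# check_interface: report enabled offloads on a real interface (needs ethtool).
check_interface() {
    ethtool -k "$1" | enabled_offloads
}
```

The second half of the fix, disabling VLAN tracking, is the `vlan: use-for-tracking` setting in the suricata.yaml shipped with Suricata 3.x; set it to `false` and restart Suricata.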