[Oisf-users] filestore version 2
Carl Rotenan
carlrotenan at gmail.com
Thu Aug 16 17:10:50 UTC 2018
It appears that if the HTTP info (URI, HOST, REFERER, USER AGENT) aren't
known the file gets stored.
The info below comes from the file meta data files that are created for
each capture.
foo.cap
magic: HTML document, UTF-8 Unicode text, with very long lines,
with CRLF, LF line terminators
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PDF document, version 1.4
app proto: http
http uri: /files/documents/2018/03/12/dor-2017-inc-sch-hc.pdf
http host: www.mass.gov
http referer:
https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions
http user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like
Gecko
magic: HTML document, ASCII text, with very long lines, with
CRLF, LF line terminators
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: JPEG image data, JFIF standard 1.01
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PDF document, version 1.6
app proto: http
http uri: /files/documents/2018/02/07/dor-2017-inc-sch-xy.pdf
http host: www.mass.gov
http referer:
https://www.mass.gov/lists/2017-massachusetts-personal-income-tax-forms-and-instructions
http user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like
Gecko
magic: HTML document, ASCII text, with very long lines, with
CRLF, LF line terminators
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: JPEG image data, JFIF standard 1.01
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: HTML document, ASCII text, with very long lines
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: HTML document, ASCII text, with very long lines
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: UTF-8 Unicode text, with very long lines
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
boo.cap
magic: PNG image data, 3996 x 80, 8-bit colormap, non-interlaced
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PNG image data, 492 x 400, 8-bit/color RGB, non-interlaced
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: HTML document, UTF-8 Unicode text, with very long lines,
with no line terminators
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: data
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PNG image data, 310 x 440, 8-bit colormap, non-interlaced
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: ASCII text, with very long lines
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: ASCII text, with very long lines
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PNG image data, 320 x 198, 8-bit colormap, non-interlaced
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PDF document, version 1.4
app proto: http
http uri:
/archive3/GflUt00Q30KF03YzCLl43rm2po76/D3400UM_SG(En)02.pdf
http host: download.nikonimglib.com
http referer:
http://downloadcenter.nikonimglib.com/en/products/330/D3400.html
http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/66.0.3359.181 Safari/537.36
magic: PDF document, version 1.3
app proto: http
http uri: /biassets/bi/4128311.pdf
http host: www.lego.com
http referer: <unknown>
http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/66.0.3359.181 Safari/537.36
magic: PDF document, version 1.3
app proto: http
http uri: /biassets/bi/4128312.pdf
http host: www.lego.com
http referer: <unknown>
http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/66.0.3359.181 Safari/537.36
magic: JPEG image data, EXIF standard
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
magic: PDF document, version 1.3
app proto: http
http uri: /biassets/bi/4132659.pdf
http host: www.lego.com
http referer: <unknown>
http user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/66.0.3359.181 Safari/537.36
magic: UTF-8 Unicode text, with very long lines, with no line
terminators
app proto: http
http uri: <unknown>
http host: <unknown>
http referer: <unknown>
http user agent: <unknown>
On Thu, Aug 16, 2018 at 8:26 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:
> Yes, the same issue with just filestore.
>
> I'm also getting the same behavior with 4.0.5.
>
> I'm looking to just extract files (PDF, archives, docs, etc) from HTTP and
> SMTP and have them shipped off for further processing.
>
> The capture file can be found here:
>
> https://www.dropbox.com/s/kq8jl67km90qnef/foo.cap?dl=0
>
>
>
> On Thu, Aug 16, 2018 at 8:21 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>>
>>
>> On 15 Aug 2018, at 18:16, Carl Rotenan <carlrotenan at gmail.com> wrote:
>>
>> I'm having trouble with file store version 2 on 4.1.0-rc1.
>>
>> I have one rule that specifies to store PDF file based on a filemagic
>> match of "PDF", see below.
>>
>> [root at localhost filestore]# cat /etc/suricata/rules/carl.rules
>> alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF";
>> filestore:both,file; sid:1; rev:1;)
>>
>>
>> If you just try “filestore” would you have the same issue?
>>
>>
>> The problem is that 10 files are being stored, 2 PDF files and 8 HTML
>> files.
>>
>> [root at localhost filestore]# ls -laR | grep "\-rw\-r\-\-r\-\-"
>> -rw-r--r--. 1 root root 104914 Aug 15 19:58
>> 0a976d52cc0246accef29bd1dd55ef1fc752fca2e0bae248ab8e1edff34332ac
>> -rw-r--r--. 1 root root 5452 Aug 15 19:58 318a0285c3cfa27290787f568ae155
>> a87d203dbfcacfac2b617a0f3f4cb0de46
>> -rw-r--r--. 1 root root 106496 Aug 15 19:58
>> 3abe6a42b9f6ab1db57dc4bbc0a7aa145a13ca1f8832c4e85b50ecab1ef719b2
>> -rw-r--r--. 1 root root 66177 Aug 15 19:58
>> 7db3196532bfcac614288aedd903ba900734ddd05b27e1b9d15a06ded88b5b18
>> -rw-r--r--. 1 root root 50884 Aug 15 19:58
>> 8929bc1979b7379062a105a54e53767c94901d7ae8846e84b0558efdd4a4fe22
>> -rw-r--r--. 1 root root 106496 Aug 15 19:58
>> 8994585a6830a2ba2b151c69f064433cfd6a34f3a771e759d42506375cff2d4d
>> -rw-r--r--. 1 root root 34570 Aug 15 19:58
>> 949e5724ca9cd642fb48e915148d9277f0974b0f85668ca2262d070e3ed93757
>> -rw-r--r--. 1 root root 96014 Aug 15 19:58
>> c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
>> -rw-r--r--. 1 root root 77393 Aug 15 19:58
>> d83b46b8d0c391019f8857d0b7c73f65c7a4cd534bdb60c4026048c645f8482c
>> -rw-r--r--. 1 root root 85157 Aug 15 19:58
>> f120af96856274bc67184f5d88d93a8c593fa841a858fc36bb9ed1e13774e43f
>> [root at localhost filestore]# ls -laR | grep "\-rw\-r\-\-r\-\-" | wc -l
>> 10
>> [root at localhost filestore]#
>>
>> Any thoughts?
>>
>> Thanks in advance.
>>
>>
>> Debug info:
>>
>> [root at localhost filestore]# suricata -V
>> This is Suricata version 4.1.0-rc1 RELEASE
>>
>> [root at localhost filestore]# suricata -r /root/foo.cap
>> -vvvvvvvvvvvvvvvvvv -c /etc/suricata/suricata.yaml --dump-config
>> pcap-file = (null)
>> pcap-file.file = /root/foo.cap
>> pcap-file.checksum-checks = auto
>> vars = (null)
>> vars.address-groups = (null)
>> vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
>> vars.address-groups.EXTERNAL_NET = !$HOME_NET
>> vars.address-groups.HTTP_SERVERS = $HOME_NET
>> vars.address-groups.SMTP_SERVERS = $HOME_NET
>> vars.address-groups.SQL_SERVERS = $HOME_NET
>> vars.address-groups.DNS_SERVERS = $HOME_NET
>> vars.address-groups.TELNET_SERVERS = $HOME_NET
>> vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
>> vars.address-groups.DNP3_SERVER = $HOME_NET
>> vars.address-groups.DNP3_CLIENT = $HOME_NET
>> vars.address-groups.MODBUS_CLIENT = $HOME_NET
>> vars.address-groups.MODBUS_SERVER = $HOME_NET
>> vars.address-groups.ENIP_CLIENT = $HOME_NET
>> vars.address-groups.ENIP_SERVER = $HOME_NET
>> vars.port-groups = (null)
>> vars.port-groups.HTTP_PORTS = 80
>> vars.port-groups.SHELLCODE_PORTS = !80
>> vars.port-groups.ORACLE_PORTS = 1521
>> vars.port-groups.SSH_PORTS = 22
>> vars.port-groups.DNP3_PORTS = 20000
>> vars.port-groups.MODBUS_PORTS = 502
>> vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
>> vars.port-groups.FTP_PORTS = 21
>> default-log-dir = /var/log/suricata/
>> stats = (null)
>> stats.enabled = yes
>> stats.interval = 8
>> outputs = (null)
>> outputs.0 = fast
>> outputs.0.fast = (null)
>> outputs.0.fast.enabled = yes
>> outputs.0.fast.filename = fast.log
>> outputs.0.fast.append = yes
>> outputs.1 = eve-log
>> outputs.1.eve-log = (null)
>> outputs.1.eve-log.enabled = yes
>> outputs.1.eve-log.filetype = regular
>> outputs.1.eve-log.filename = eve.json
>> outputs.1.eve-log.pcap-file = false
>> outputs.1.eve-log.xff = (null)
>> outputs.1.eve-log.xff.enabled = no
>> outputs.1.eve-log.xff.mode = extra-data
>> outputs.1.eve-log.xff.deployment = reverse
>> outputs.1.eve-log.xff.header = X-Forwarded-For
>> outputs.1.eve-log.types = (null)
>> outputs.1.eve-log.types.0 = alert
>> outputs.1.eve-log.types.0.alert = (null)
>> outputs.1.eve-log.types.0.alert.tagged-packets = yes
>> outputs.1.eve-log.types.1 = http
>> outputs.1.eve-log.types.1.http = (null)
>> outputs.1.eve-log.types.1.http.extended = yes
>> outputs.1.eve-log.types.2 = dns
>> outputs.1.eve-log.types.2.dns = (null)
>> outputs.1.eve-log.types.2.dns.version = 2
>> outputs.1.eve-log.types.3 = tls
>> outputs.1.eve-log.types.3.tls = (null)
>> outputs.1.eve-log.types.3.tls.extended = yes
>> outputs.1.eve-log.types.4 = smtp
>> outputs.1.eve-log.types.4.smtp =
>> outputs.1.eve-log.types.5 = dhcp
>> outputs.1.eve-log.types.5.dhcp = (null)
>> outputs.1.eve-log.types.5.dhcp.enabled = no
>> outputs.1.eve-log.types.5.dhcp.extended = no
>> outputs.1.eve-log.types.6 = ssh
>> outputs.1.eve-log.types.7 = stats
>> outputs.1.eve-log.types.7.stats = (null)
>> outputs.1.eve-log.types.7.stats.totals = yes
>> outputs.1.eve-log.types.7.stats.threads = no
>> outputs.1.eve-log.types.7.stats.deltas = no
>> outputs.1.eve-log.types.8 = flow
>> outputs.2 = unified2-alert
>> outputs.2.unified2-alert = (null)
>> outputs.2.unified2-alert.enabled = no
>> outputs.2.unified2-alert.filename = unified2.alert
>> outputs.2.unified2-alert.xff = (null)
>> outputs.2.unified2-alert.xff.enabled = no
>> outputs.2.unified2-alert.xff.mode = extra-data
>> outputs.2.unified2-alert.xff.deployment = reverse
>> outputs.2.unified2-alert.xff.header = X-Forwarded-For
>> outputs.3 = http-log
>> outputs.3.http-log = (null)
>> outputs.3.http-log.enabled = no
>> outputs.3.http-log.filename = http.log
>> outputs.3.http-log.append = yes
>> outputs.4 = tls-log
>> outputs.4.tls-log = (null)
>> outputs.4.tls-log.enabled = no
>> outputs.4.tls-log.filename = tls.log
>> outputs.4.tls-log.append = yes
>> outputs.5 = tls-store
>> outputs.5.tls-store = (null)
>> outputs.5.tls-store.enabled = no
>> outputs.6 = dns-log
>> outputs.6.dns-log = (null)
>> outputs.6.dns-log.enabled = no
>> outputs.6.dns-log.filename = dns.log
>> outputs.6.dns-log.append = yes
>> outputs.7 = pcap-log
>> outputs.7.pcap-log = (null)
>> outputs.7.pcap-log.enabled = no
>> outputs.7.pcap-log.filename = log.pcap
>> outputs.7.pcap-log.limit = 1000mb
>> outputs.7.pcap-log.max-files = 2000
>> outputs.7.pcap-log.compression = none
>> outputs.7.pcap-log.mode = normal
>> outputs.7.pcap-log.use-stream-depth = no
>> outputs.7.pcap-log.honor-pass-rules = no
>> outputs.8 = alert-debug
>> outputs.8.alert-debug = (null)
>> outputs.8.alert-debug.enabled = no
>> outputs.8.alert-debug.filename = alert-debug.log
>> outputs.8.alert-debug.append = yes
>> outputs.9 = alert-prelude
>> outputs.9.alert-prelude = (null)
>> outputs.9.alert-prelude.enabled = no
>> outputs.9.alert-prelude.profile = suricata
>> outputs.9.alert-prelude.log-packet-content = no
>> outputs.9.alert-prelude.log-packet-header = yes
>> outputs.10 = stats
>> outputs.10.stats = (null)
>> outputs.10.stats.enabled = yes
>> outputs.10.stats.filename = stats.log
>> outputs.10.stats.append = yes
>> outputs.10.stats.totals = yes
>> outputs.10.stats.threads = no
>> outputs.11 = syslog
>> outputs.11.syslog = (null)
>> outputs.11.syslog.enabled = no
>> outputs.11.syslog.facility = local5
>> outputs.12 = drop
>> outputs.12.drop = (null)
>> outputs.12.drop.enabled = no
>> outputs.12.drop.filename = drop.log
>> outputs.12.drop.append = yes
>> outputs.13 = file-store
>> outputs.13.file-store = (null)
>> outputs.13.file-store.version = 2
>> outputs.13.file-store.enabled = yes
>> outputs.13.file-store.write-fileinfo = no
>> outputs.13.file-store.force-filestore = no
>> outputs.13.file-store.xff = (null)
>> outputs.13.file-store.xff.enabled = no
>> outputs.13.file-store.xff.mode = extra-data
>> outputs.13.file-store.xff.deployment = reverse
>> outputs.13.file-store.xff.header = X-Forwarded-For
>> outputs.14 = file-log
>> outputs.14.file-log = (null)
>> outputs.14.file-log.enabled = yes
>> outputs.14.file-log.filename = files-json.log
>> outputs.14.file-log.append = yes
>> outputs.14.file-log.force-magic = no
>> outputs.15 = tcp-data
>> outputs.15.tcp-data = (null)
>> outputs.15.tcp-data.enabled = no
>> outputs.15.tcp-data.type = file
>> outputs.15.tcp-data.filename = tcp-data.log
>> outputs.16 = http-body-data
>> outputs.16.http-body-data = (null)
>> outputs.16.http-body-data.enabled = no
>> outputs.16.http-body-data.type = file
>> outputs.16.http-body-data.filename = http-data.log
>> outputs.17 = lua
>> outputs.17.lua = (null)
>> outputs.17.lua.enabled = no
>> outputs.17.lua.scripts =
>> logging = (null)
>> logging.default-log-level = notice
>> logging.default-output-filter =
>> logging.outputs = (null)
>> logging.outputs.0 = console
>> logging.outputs.0.console = (null)
>> logging.outputs.0.console.enabled = yes
>> logging.outputs.1 = file
>> logging.outputs.1.file = (null)
>> logging.outputs.1.file.enabled = yes
>> logging.outputs.1.file.level = info
>> logging.outputs.1.file.filename = /var/log/suricata/suricata.log
>> logging.outputs.2 = syslog
>> logging.outputs.2.syslog = (null)
>> logging.outputs.2.syslog.enabled = no
>> logging.outputs.2.syslog.facility = local5
>> logging.outputs.2.syslog.format = [%i] <%d> --
>> af-packet = (null)
>> af-packet.0 = interface
>> af-packet.0.interface = eth0
>> af-packet.0.cluster-id = 99
>> af-packet.0.cluster-type = cluster_flow
>> af-packet.0.defrag = yes
>> af-packet.1 = interface
>> af-packet.1.interface = default
>> pcap = (null)
>> pcap.0 = interface
>> pcap.0.interface = eth0
>> pcap.1 = interface
>> pcap.1.interface = default
>> app-layer = (null)
>> app-layer.protocols = (null)
>> app-layer.protocols.krb5 = (null)
>> app-layer.protocols.krb5.enabled = no
>> app-layer.protocols.ikev2 = (null)
>> app-layer.protocols.ikev2.enabled = yes
>> app-layer.protocols.tls = (null)
>> app-layer.protocols.tls.enabled = yes
>> app-layer.protocols.tls.detection-ports = (null)
>> app-layer.protocols.tls.detection-ports.dp = 443
>> app-layer.protocols.tls.ja3-fingerprints = no
>> app-layer.protocols.dcerpc = (null)
>> app-layer.protocols.dcerpc.enabled = yes
>> app-layer.protocols.ftp = (null)
>> app-layer.protocols.ftp.enabled = yes
>> app-layer.protocols.ssh = (null)
>> app-layer.protocols.ssh.enabled = yes
>> app-layer.protocols.smtp = (null)
>> app-layer.protocols.smtp.enabled = yes
>> app-layer.protocols.smtp.mime = (null)
>> app-layer.protocols.smtp.mime.decode-mime = yes
>> app-layer.protocols.smtp.mime.decode-base64 = yes
>> app-layer.protocols.smtp.mime.decode-quoted-printable = yes
>> app-layer.protocols.smtp.mime.header-value-depth = 2000
>> app-layer.protocols.smtp.mime.extract-urls = yes
>> app-layer.protocols.smtp.mime.body-md5 = no
>> app-layer.protocols.smtp.inspected-tracker = (null)
>> app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
>> app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size =
>> 32768
>> app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
>> app-layer.protocols.imap = (null)
>> app-layer.protocols.imap.enabled = detection-only
>> app-layer.protocols.msn = (null)
>> app-layer.protocols.msn.enabled = detection-only
>> app-layer.protocols.smb = (null)
>> app-layer.protocols.smb.enabled = yes
>> app-layer.protocols.smb.detection-ports = (null)
>> app-layer.protocols.smb.detection-ports.dp = 139, 445
>> app-layer.protocols.nfs = (null)
>> app-layer.protocols.nfs.enabled = no
>> app-layer.protocols.tftp = (null)
>> app-layer.protocols.tftp.enabled = no
>> app-layer.protocols.dns = (null)
>> app-layer.protocols.dns.tcp = (null)
>> app-layer.protocols.dns.tcp.enabled = yes
>> app-layer.protocols.dns.tcp.detection-ports = (null)
>> app-layer.protocols.dns.tcp.detection-ports.dp = 53
>> app-layer.protocols.dns.udp = (null)
>> app-layer.protocols.dns.udp.enabled = yes
>> app-layer.protocols.dns.udp.detection-ports = (null)
>> app-layer.protocols.dns.udp.detection-ports.dp = 53
>> app-layer.protocols.http = (null)
>> app-layer.protocols.http.enabled = yes
>> app-layer.protocols.http.libhtp = (null)
>> app-layer.protocols.http.libhtp.default-config = (null)
>> app-layer.protocols.http.libhtp.default-config.personality = IDS
>> app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
>> app-layer.protocols.http.libhtp.default-config.response-body-limit =
>> 100kb
>> app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size
>> = 32kb
>> app-layer.protocols.http.libhtp.default-config.request-body-inspect-window
>> = 4kb
>> app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size
>> = 40kb
>> app-layer.protocols.http.libhtp.default-config.response-body-inspect-window
>> = 16kb
>> app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit
>> = 2
>> app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
>> app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)
>> app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled
>> = yes
>> app-layer.protocols.http.libhtp.default-config.swf-decompression.type =
>> both
>> app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth
>> = 0
>> app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth
>> = 0
>> app-layer.protocols.http.libhtp.default-config.double-decode-path = no
>> app-layer.protocols.http.libhtp.default-config.double-decode-query = no
>> app-layer.protocols.http.libhtp.server-config =
>> app-layer.protocols.modbus = (null)
>> app-layer.protocols.modbus.enabled = no
>> app-layer.protocols.modbus.detection-ports = (null)
>> app-layer.protocols.modbus.detection-ports.dp = 502
>> app-layer.protocols.modbus.stream-depth = 0
>> app-layer.protocols.dnp3 = (null)
>> app-layer.protocols.dnp3.enabled = no
>> app-layer.protocols.dnp3.detection-ports = (null)
>> app-layer.protocols.dnp3.detection-ports.dp = 20000
>> app-layer.protocols.enip = (null)
>> app-layer.protocols.enip.enabled = no
>> app-layer.protocols.enip.detection-ports = (null)
>> app-layer.protocols.enip.detection-ports.dp = 44818
>> app-layer.protocols.enip.detection-ports.sp = 44818
>> app-layer.protocols.ntp = (null)
>> app-layer.protocols.ntp.enabled = no
>> app-layer.protocols.dhcp = (null)
>> app-layer.protocols.dhcp.enabled = no
>> asn1-max-frames = 256
>> coredump = (null)
>> coredump.max-dump = unlimited
>> host-mode = auto
>> unix-command = (null)
>> unix-command.enabled = auto
>> legacy = (null)
>> legacy.uricontent = enabled
>> engine-analysis = (null)
>> engine-analysis.rules-fast-pattern = yes
>> engine-analysis.rules = yes
>> pcre = (null)
>> pcre.match-limit = 3500
>> pcre.match-limit-recursion = 1500
>> host-os-policy = (null)
>> host-os-policy.windows = (null)
>> host-os-policy.windows.0 = 0.0.0.0/0
>> host-os-policy.bsd = (null)
>> host-os-policy.bsd-right = (null)
>> host-os-policy.old-linux = (null)
>> host-os-policy.linux = (null)
>> host-os-policy.old-solaris = (null)
>> host-os-policy.solaris = (null)
>> host-os-policy.hpux10 = (null)
>> host-os-policy.hpux11 = (null)
>> host-os-policy.irix = (null)
>> host-os-policy.macos = (null)
>> host-os-policy.vista = (null)
>> host-os-policy.windows2k3 = (null)
>> defrag = (null)
>> defrag.memcap = 32mb
>> defrag.hash-size = 65536
>> defrag.trackers = 65535
>> defrag.max-frags = 65535
>> defrag.prealloc = yes
>> defrag.timeout = 60
>> flow = (null)
>> flow.memcap = 128mb
>> flow.hash-size = 65536
>> flow.prealloc = 10000
>> flow.emergency-recovery = 30
>> vlan = (null)
>> vlan.use-for-tracking = true
>> flow-timeouts = (null)
>> flow-timeouts.default = (null)
>> flow-timeouts.default.new = 30
>> flow-timeouts.default.established = 300
>> flow-timeouts.default.closed = 0
>> flow-timeouts.default.bypassed = 100
>> flow-timeouts.default.emergency-new = 10
>> flow-timeouts.default.emergency-established = 100
>> flow-timeouts.default.emergency-closed = 0
>> flow-timeouts.default.emergency-bypassed = 50
>> flow-timeouts.tcp = (null)
>> flow-timeouts.tcp.new = 60
>> flow-timeouts.tcp.established = 600
>> flow-timeouts.tcp.closed = 60
>> flow-timeouts.tcp.bypassed = 100
>> flow-timeouts.tcp.emergency-new = 5
>> flow-timeouts.tcp.emergency-established = 100
>> flow-timeouts.tcp.emergency-closed = 10
>> flow-timeouts.tcp.emergency-bypassed = 50
>> flow-timeouts.udp = (null)
>> flow-timeouts.udp.new = 30
>> flow-timeouts.udp.established = 300
>> flow-timeouts.udp.bypassed = 100
>> flow-timeouts.udp.emergency-new = 10
>> flow-timeouts.udp.emergency-established = 100
>> flow-timeouts.udp.emergency-bypassed = 50
>> flow-timeouts.icmp = (null)
>> flow-timeouts.icmp.new = 30
>> flow-timeouts.icmp.established = 300
>> flow-timeouts.icmp.bypassed = 100
>> flow-timeouts.icmp.emergency-new = 10
>> flow-timeouts.icmp.emergency-established = 100
>> flow-timeouts.icmp.emergency-bypassed = 50
>> stream = (null)
>> stream.memcap = 64mb
>> stream.checksum-validation = yes
>> stream.inline = auto
>> stream.reassembly = (null)
>> stream.reassembly.memcap = 256mb
>> stream.reassembly.depth = 1mb
>> stream.reassembly.toserver-chunk-size = 2560
>> stream.reassembly.toclient-chunk-size = 2560
>> stream.reassembly.randomize-chunk-size = yes
>> host = (null)
>> host.hash-size = 4096
>> host.prealloc = 1000
>> host.memcap = 32mb
>> decoder = (null)
>> decoder.teredo = (null)
>> decoder.teredo.enabled = true
>> detect = (null)
>> detect.profile = medium
>> detect.custom-values = (null)
>> detect.custom-values.toclient-groups = 3
>> detect.custom-values.toserver-groups = 25
>> detect.sgh-mpm-context = auto
>> detect.inspection-recursion-limit = 3000
>> detect.prefilter = (null)
>> detect.prefilter.default = mpm
>> detect.grouping =
>> detect.profiling = (null)
>> detect.profiling.grouping = (null)
>> detect.profiling.grouping.dump-to-disk = false
>> detect.profiling.grouping.include-rules = false
>> detect.profiling.grouping.include-mpm-stats = false
>> mpm-algo = auto
>> spm-algo = auto
>> threading = (null)
>> threading.set-cpu-affinity = no
>> threading.cpu-affinity = (null)
>> threading.cpu-affinity.0 = management-cpu-set
>> threading.cpu-affinity.0.management-cpu-set = (null)
>> threading.cpu-affinity.0.management-cpu-set.cpu = (null)
>> threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
>> threading.cpu-affinity.1 = receive-cpu-set
>> threading.cpu-affinity.1.receive-cpu-set = (null)
>> threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
>> threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
>> threading.cpu-affinity.2 = worker-cpu-set
>> threading.cpu-affinity.2.worker-cpu-set = (null)
>> threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
>> threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
>> threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
>> threading.cpu-affinity.2.worker-cpu-set.prio = (null)
>> threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
>> threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
>> threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
>> threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
>> threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
>> threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
>> threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
>> threading.detect-thread-ratio = 1.0
>> luajit = (null)
>> luajit.states = 128
>> profiling = (null)
>> profiling.rules = (null)
>> profiling.rules.enabled = yes
>> profiling.rules.filename = rule_perf.log
>> profiling.rules.append = yes
>> profiling.rules.limit = 10
>> profiling.rules.json = yes
>> profiling.keywords = (null)
>> profiling.keywords.enabled = yes
>> profiling.keywords.filename = keyword_perf.log
>> profiling.keywords.append = yes
>> profiling.prefilter = (null)
>> profiling.prefilter.enabled = yes
>> profiling.prefilter.filename = prefilter_perf.log
>> profiling.prefilter.append = yes
>> profiling.rulegroups = (null)
>> profiling.rulegroups.enabled = yes
>> profiling.rulegroups.filename = rule_group_perf.log
>> profiling.rulegroups.append = yes
>> profiling.packets = (null)
>> profiling.packets.enabled = yes
>> profiling.packets.filename = packet_stats.log
>> profiling.packets.append = yes
>> profiling.packets.csv = (null)
>> profiling.packets.csv.enabled = no
>> profiling.packets.csv.filename = packet_stats.csv
>> profiling.locks = (null)
>> profiling.locks.enabled = no
>> profiling.locks.filename = lock_stats.log
>> profiling.locks.append = yes
>> profiling.pcap-log = (null)
>> profiling.pcap-log.enabled = no
>> profiling.pcap-log.filename = pcaplog_stats.log
>> profiling.pcap-log.append = yes
>> nfq =
>> nflog = (null)
>> nflog.0 = group
>> nflog.0.group = 2
>> nflog.0.buffer-size = 18432
>> nflog.1 = group
>> nflog.1.group = default
>> nflog.1.qthreshold = 1
>> nflog.1.qtimeout = 100
>> nflog.1.max-size = 20000
>> capture =
>> netmap = (null)
>> netmap.0 = interface
>> netmap.0.interface = eth2
>> netmap.1 = interface
>> netmap.1.interface = default
>> pfring = (null)
>> pfring.0 = interface
>> pfring.0.interface = eth0
>> pfring.0.threads = 1
>> pfring.0.cluster-id = 99
>> pfring.0.cluster-type = cluster_flow
>> pfring.1 = interface
>> pfring.1.interface = default
>> ipfw =
>> napatech = (null)
>> napatech.hba = -1
>> napatech.use-all-streams = yes
>> napatech.streams = (null)
>> napatech.streams.0 = 0-3
>> mpipe = (null)
>> mpipe.load-balance = dynamic
>> mpipe.iqueue-packets = 2048
>> mpipe.inputs = (null)
>> mpipe.inputs.0 = interface
>> mpipe.inputs.0.interface = xgbe2
>> mpipe.inputs.1 = interface
>> mpipe.inputs.1.interface = xgbe3
>> mpipe.inputs.2 = interface
>> mpipe.inputs.2.interface = xgbe4
>> mpipe.stack = (null)
>> mpipe.stack.size128 = 0
>> mpipe.stack.size256 = 9
>> mpipe.stack.size512 = 0
>> mpipe.stack.size1024 = 0
>> mpipe.stack.size1664 = 7
>> mpipe.stack.size4096 = 0
>> mpipe.stack.size10386 = 0
>> mpipe.stack.size16384 = 0
>> default-rule-path = /etc/suricata/rules
>> rule-files = (null)
>> rule-files.0 = carl.rules
>>
>>
>> [root at localhost filestore]# suricata -r /root/foo.cap -v -c
>> /etc/suricata/suricata.yaml
>> 15/8/2018 -- 20:02:01 - <Notice> - This is Suricata version 4.1.0-rc1
>> RELEASE
>> 15/8/2018 -- 20:02:01 - <Info> - CPUs/cores online: 1
>> 15/8/2018 -- 20:02:01 - <Info> - fast output device (regular)
>> initialized: fast.log
>> 15/8/2018 -- 20:02:01 - <Info> - eve-log output device (regular)
>> initialized: eve.json
>> 15/8/2018 -- 20:02:01 - <Info> - stats output device (regular)
>> initialized: stats.log
>> 15/8/2018 -- 20:02:01 - <Info> - file-log output device (regular)
>> initialized: files-json.log
>> 15/8/2018 -- 20:02:01 - <Info> - 1 rule files processed. 1 rules
>> successfully loaded, 0 rules failed
>> 15/8/2018 -- 20:02:01 - <Info> - Threshold config parsed: 0 rule(s) found
>> 15/8/2018 -- 20:02:01 - <Info> - 1 signatures processed. 0 are IP-only
>> rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are
>> decoder event only
>> 15/8/2018 -- 20:02:01 - <Info> - Checking file or directory /root/foo.cap
>> 15/8/2018 -- 20:02:01 - <Info> - /root/foo.cap: Plain file, not a
>> directory
>> 15/8/2018 -- 20:02:01 - <Info> - Argument /root/foo.cap was a file
>> 15/8/2018 -- 20:02:01 - <Notice> - all 2 packet processing threads, 4
>> management threads initialized, engine started.
>> 15/8/2018 -- 20:02:01 - <Info> - Starting file run for /root/foo.cap
>> 15/8/2018 -- 20:02:01 - <Info> - No packets with invalid checksum,
>> assuming checksum offloading is NOT used
>> 15/8/2018 -- 20:02:01 - <Info> - pcap file /root/foo.cap end of file
>> reached (pcap err code 0)
>> 15/8/2018 -- 20:02:01 - <Notice> - Signal Received. Stopping engine.
>> 15/8/2018 -- 20:02:01 - <Info> - time elapsed 0.256s
>> 15/8/2018 -- 20:02:01 - <Notice> - Pcap-file module read 1 files, 6660
>> packets, 2777051 bytes
>> 15/8/2018 -- 20:02:01 - <Info> - (W#01) Files logged: 159
>> 15/8/2018 -- 20:02:01 - <Info> - Alerts: 2
>> 15/8/2018 -- 20:02:01 - <Info> - cleaning up signature grouping
>> structure... complete
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180816/aa7783ca/attachment-0001.html>
More information about the Oisf-users
mailing list