StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Suricata GEOIP rules failing #296

Closed ManuelFFF closed 3 years ago

ManuelFFF commented 3 years ago

Hi,

I am trying to use the GEOIP feature to block traffic per location, but the rules defined so far are not being accepted by Scirius, not even the examples copied and pasted from the official documentation. I am sure that I am missing a very small detail, but I can't find what it could be.

alert ip any any -> any any (msg:"TEST Bad GeoIP"; geoip:any,RU,CN,KR,KP,UA; sid:11; rev:1;)

Please help! Thank you

pevma commented 3 years ago

There are no err msgs in suricata.log, everything looks good there?

ManuelFFF commented 3 years ago

This is from Scirius. I can't even test the rule. I don't see anything wrong with this rule.

geoip error

pevma commented 3 years ago

I think the problem is that it can not find a geoip database (you need to get one, as it is not easily distributed)

Unable to locate a GeoIP2database filename in YAML conf.  GeoIP rule matching is disabled.

ManuelFFF commented 3 years ago

I have included the following in Suricata config file, with permissions 644 (everybody can read the file):

geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
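
The error quoted above is Suricata's own warning for a configuration that has no usable geoip-database key, so the two things worth checking are the config key and the rule syntax. The checker below is an added example, not SELKS, Scirius or Suricata code; it implements the documented geoip syntax (a direction keyword followed by ISO 3166-1 alpha-2 codes) and a top-level key scan of suricata.yaml, and the `readable` hook is an assumption made so it can run without the real .mmdb file.

```python
import os
import re
from typing import Callable, List, Optional, Tuple

# Suricata's documented geoip keyword: geoip:<direction>,<cc>[,<cc>...]
GEOIP_DIRECTIONS = {"src", "dst", "both", "any"}
CC_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2 country code
# The key Suricata reads from suricata.yaml: it must be top level (unindented)
# and not commented out, otherwise Suricata disables GeoIP matching.
KEY_RE = re.compile(r"^geoip-database:\s*(.+?)\s*$")
OPTION_RE = re.compile(r"geoip:\s*([^;]+);")


def find_geoip_database(yaml_text: str) -> Optional[str]:
    """Return the geoip-database path from suricata.yaml text, or None.

    An indented copy of the key lives under some other section and is not
    the setting Suricata looks up, so it deliberately does not count.
    """
    for line in yaml_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            # Drop a trailing YAML comment and surrounding quotes.
            return m.group(1).split(" #")[0].strip().strip("'\"")
    return None


def parse_geoip_option(rule: str) -> Tuple[str, List[str]]:
    """Extract (direction, [country codes]) from a rule's geoip option.

    Raises ValueError when the option is absent or malformed. This is the
    documented form; Suricata's parser may be more lenient in edge cases.
    """
    m = OPTION_RE.search(rule)
    if not m:
        raise ValueError("rule has no geoip option")
    tokens = [t.strip() for t in m.group(1).split(",")]
    direction, codes = tokens[0], tokens[1:]
    if direction not in GEOIP_DIRECTIONS:
        raise ValueError(f"unknown geoip direction {direction!r}")
    if not codes:
        raise ValueError("geoip option lists no country codes")
    bad = [c for c in codes if not CC_RE.match(c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    return direction, codes


def check_geoip_setup(yaml_text: str, rule: str,
                      readable: Callable[[str], bool] =
                      lambda p: os.access(p, os.R_OK)) -> List[str]:
    """Return a list of findings; an empty list means nothing looks wrong.

    `readable` is injectable (hypothetical hook) so the check can run
    against constructed paths without touching the real filesystem.
    """
    findings: List[str] = []
    try:
        parse_geoip_option(rule)
    except ValueError as e:
        findings.append(f"rule: {e}")
    path = find_geoip_database(yaml_text)
    if path is None:
        findings.append("config: no top-level geoip-database key; "
                        "Suricata will disable GeoIP rule matching")
    elif not readable(path):
        findings.append(f"config: geoip-database {path} is not readable "
                        "by the user Suricata runs as")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the rule as posted and the
    # config line the reporter added to suricata.yaml.
    RULE = ('alert ip any any -> any any (msg:"TEST Bad GeoIP"; '
            'geoip:any,RU,CN,KR,KP,UA; sid:11; rev:1;)')
    CONF = "geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb\n"
    for finding in check_geoip_setup(CONF, RULE) or ["no problems found"]:
        print(finding)
```

Suricata's own end-to-end check is `suricata -T -c <suricata.yaml> -S <rules file>`, which also fails if the binary was built without GeoIP (libmaxminddb) support.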

pevma commented 3 years ago

Is there an error in /var/log/suricata/suricata.log?

ManuelFFF commented 3 years ago

Not that I can see. The above error comes from Scirius while attempting to upload new rules. It never gets to the point where it pushes new rules to Suricata and reloads it, so I think Suricata is not aware of the error. I believe it's just Scirius, because I am not doing it right.

Am I missing a specific format?

I am using the same file where I have the rules for IPREP. Can't different types of rules be mixed within the same signatures file?

pevma commented 3 years ago

Can you upload the suricata.log if ok?

ManuelFFF commented 3 years ago

I have been busy with other stuff, but soon I will send the log you requested. I apologize for the delay.

ManuelFFF commented 3 years ago

Every time that I attempt to upload the GeoIP rules via Scirius and it fails with the known error, I cancel the action and Suricata never gets the new settings, so I don't see the log changing while monitoring it in real time. That being said, I will share the Suricata logs after just restarting the service. If you need me to perform any other action expected to be reflected in the logs, please let me know. Note: I changed the log to be very verbose.

[3182] 24/2/2021 -- 15:35:02 - (suricata.c:2620) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[3227] 24/2/2021 -- 15:35:02 - (flow-manager.c:1032) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[3182] 24/2/2021 -- 15:35:02 - (suricata.c:1077) <Info> (SCPrintElapsedTime) -- time elapsed 48837.234s
[3228] 24/2/2021 -- 15:35:02 - (flow-manager.c:1239) <Perf> (FlowRecycler) -- 45137 flows processed
[3225] 24/2/2021 -- 15:35:02 - (source-af-packet.c:2822) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-enxa..2d70) Kernel: Packets 44995, dropped 0
[3226] 24/2/2021 -- 15:35:02 - (source-af-packet.c:2822) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-enxa..2e2e) Kernel: Packets 2431060, dropped 0
[3182] 24/2/2021 -- 15:35:02 - (counters.c:854) <Info> (StatsLogSummary) -- Alerts: 59
[3182] 24/2/2021 -- 15:35:02 - (ippair.c:294) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
[3182] 24/2/2021 -- 15:35:02 - (host.c:299) <Perf> (HostPrintStats) -- host memory usage: 9496272 bytes, maximum: 33554432
[24836] 24/2/2021 -- 15:35:06 - (suricata.c:1058) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (00d7c9034 2021-01-22) running in SYSTEM mode
[24836] 24/2/2021 -- 15:35:06 - (util-cpu.c:178) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 4
[24836] 24/2/2021 -- 15:35:06 - (util-device.c:328) <Config> (LiveBuildDeviceListCustom) -- Adding interface enxa0cec8d92d70 from config file
[24836] 24/2/2021 -- 15:35:06 - (util-device.c:328) <Config> (LiveBuildDeviceListCustom) -- Adding interface enxa0cec8d92e2e from config file
[24836] 24/2/2021 -- 15:35:06 - (util-luajit.c:98) <Config> (LuajitSetupStatesPool) -- luajit states preallocated: 128
[24836] 24/2/2021 -- 15:35:06 - (app-layer-htp.c:2448) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 34332 and 'request-body-inspect-window' set to 4034 after randomization.
[24836] 24/2/2021 -- 15:35:06 - (app-layer-htp.c:2466) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 39060 and 'response-body-inspect-window' set to 16867 after randomization.
[24836] 24/2/2021 -- 15:35:06 - (app-layer-smb.c:315) <Config> (RegisterSMBParsers) -- SMB stream depth: 0
[24836] 24/2/2021 -- 15:35:06 - (app-layer-modbus.c:1494) <Config> (RegisterModbusParsers) -- Modbus request flood protection level: 500
[24836] 24/2/2021 -- 15:35:06 - (app-layer-modbus.c:1505) <Config> (RegisterModbusParsers) -- Modbus stream depth: 0
[24836] 24/2/2021 -- 15:35:06 - (app-layer-dnp3.c:1615) <Config> (RegisterDNP3Parsers) -- Registering DNP3/tcp parsers.
[24836] 24/2/2021 -- 15:35:06 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92d70'
[24836] 24/2/2021 -- 15:35:06 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92d70'
[24836] 24/2/2021 -- 15:35:06 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92e2e'
[24836] 24/2/2021 -- 15:35:06 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92e2e'
[24837] 24/2/2021 -- 15:35:06 - (host.c:259) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[24837] 24/2/2021 -- 15:35:06 - (host.c:282) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[24837] 24/2/2021 -- 15:35:06 - (host.c:284) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[24837] 24/2/2021 -- 15:35:06 - (util-coredump-config.c:149) <Config> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[24837] 24/2/2021 -- 15:35:06 - (util-device.c:263) <Info> (LiveSafeDeviceName) -- Shortening device name to: enxa..2d70
[24837] 24/2/2021 -- 15:35:06 - (util-device.c:263) <Info> (LiveSafeDeviceName) -- Shortening device name to: enxa..2e2e
[24837] 24/2/2021 -- 15:35:06 - (suricata.c:2360) <Info> (PostDeviceFinalizedSetup) -- AF_PACKET: Setting IPS mode
[24837] 24/2/2021 -- 15:35:06 - (defrag-hash.c:254) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[24837] 24/2/2021 -- 15:35:06 - (defrag-hash.c:279) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 160
[24837] 24/2/2021 -- 15:35:06 - (defrag-hash.c:286) <Config> (DefragInitConfig) -- defrag memory usage: 14155616 bytes, maximum: 33554432
[24837] 24/2/2021 -- 15:35:06 - (flow.c:638) <Config> (FlowInitConfig) -- flow size 320, memcap allows for 419430 flows. Per hash row in perfect conditions 6
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:399) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:418) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:424) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:430) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:447) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:475) <Config> (StreamTcpInitConfig) -- stream."inline": enabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:488) <Config> (StreamTcpInitConfig) -- stream "bypass": disabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:510) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:532) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:550) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:625) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2517
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:627) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2435
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp.c:639) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[24837] 24/2/2021 -- 15:35:06 - (stream-tcp-reassemble.c:377) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[24837] 24/2/2021 -- 15:35:06 - (util-privs.c:92) <Info> (SCDropMainThreadCaps) -- dropped the caps for main thread
[24837] 24/2/2021 -- 15:35:06 - (util-logopenfile.c:597) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[24837] 24/2/2021 -- 15:35:06 - (output-json.c:1231) <Config> (OutputJsonInitCtx) -- Enabling eve community_id logging.
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'anomaly'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'http'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tls'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'files'
[24837] 24/2/2021 -- 15:35:06 - (output-json-file.c:327) <Config> (OutputFileLogInitSub) -- forcing magic lookup for logged files
[24837] 24/2/2021 -- 15:35:06 - (util-file.c:207) <Config> (FileForceHashParseCfg) -- forcing md5 calculation for logged or stored files
[24837] 24/2/2021 -- 15:35:06 - (util-file.c:217) <Config> (FileForceHashParseCfg) -- forcing sha1 calculation for logged or stored files
[24837] 24/2/2021 -- 15:35:06 - (util-file.c:227) <Config> (FileForceHashParseCfg) -- forcing sha256 calculation for logged or stored files
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'drop'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smtp'
[24837] 24/2/2021 -- 15:35:06 - (output-json-email-common.c:427) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[24837] 24/2/2021 -- 15:35:06 - (output-json-email-common.c:431) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dnp3'
[24837] 24/2/2021 -- 15:35:06 - (output-json-dnp3.c:299) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[24837] 24/2/2021 -- 15:35:06 - (output-json-dnp3.c:299) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ftp'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'rdp'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'nfs'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smb'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tftp'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ikev2'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'krb5'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'snmp'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'rfb'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'sip'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ssh'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dhcp'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'stats'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:641) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'metadata'
[24837] 24/2/2021 -- 15:35:06 - (log-pcap.c:1307) <Info> (PcapLogInitCtx) -- Using log dir /data/nsm/
[24837] 24/2/2021 -- 15:35:06 - (log-pcap.c:1418) <Info> (PcapLogInitCtx) -- Selected pcap-log compression method: none
[24837] 24/2/2021 -- 15:35:06 - (log-pcap.c:1422) <Info> (PcapLogInitCtx) -- using multi logging
[24837] 24/2/2021 -- 15:35:06 - (util-logopenfile.c:597) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[24837] 24/2/2021 -- 15:35:06 - (runmodes.c:851) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named drop
[24837] 24/2/2021 -- 15:35:06 - (suricata.c:2182) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[24837] 24/2/2021 -- 15:35:06 - (util-conf.c:161) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[24837] 24/2/2021 -- 15:35:06 - (detect-engine.c:1929) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: hs, SPM: hs
[24837] 24/2/2021 -- 15:35:06 - (detect-engine.c:2333) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[24837] 24/2/2021 -- 15:35:06 - (detect-engine.c:2357) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist 53, 135, 5060
[24837] 24/2/2021 -- 15:35:06 - (detect-engine.c:2391) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM and keywords
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.string
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server.string
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for rfb.name
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.clientid
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.username
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.password
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willtopic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willmessage
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.topic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.message
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.subscribe.topic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.unsubscribe.topic
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv4.hdr
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv6.hdr
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[24837] 24/2/2021 -- 15:35:06 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/scirius-iprep.list
[24837] 24/2/2021 -- 15:35:06 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv4.list
[24837] 24/2/2021 -- 15:35:06 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv6.list
[24837] 24/2/2021 -- 15:35:06 - (host.c:299) <Perf> (HostPrintStats) -- host memory usage: 9496136 bytes, maximum: 33554432
[24837] 24/2/2021 -- 15:35:06 - (detect-engine-loader.c:251) <Config> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/scirius.rules
[24837] 24/2/2021 -- 15:35:13 - (detect-classtype.c:150) <Warning> (DetectClasstypeSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/suricata/rules/scirius.rules:23945 uses unknown classtype: "bad-ip", using default priority 3. This message won't be shown again for this classtype
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-loader.c:355) <Info> (SigLoadSignatures) -- 1 rule files processed. 23958 rules successfully loaded, 0 rules failed
[24837] 24/2/2021 -- 15:35:13 - (util-threshold-config.c:1091) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405000: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405001: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405002: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405003: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405004: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405005: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405006: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405007: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405008: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405009: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405010: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405011: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405012: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405013: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405014: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405015: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405016: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2405017: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2014385: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2008542: prefilter is on "dsize"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2013506: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001219: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002910: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002911: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2003068: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2010935: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2010936: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2010937: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2010938: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2010939: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001569: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001579: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001580: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001581: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001582: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001583: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2001972: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002992: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002993: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002994: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2002995: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1397) <Config> (SigAddressPrepareStage1) -- sid 2013479: prefilter is on "tcp.flags"
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1420) <Info> (SigAddressPrepareStage1) -- 23961 signatures processed. 24 are IP-only rules, 4032 are inspecting packet payload, 19849 inspect application layer, 0 are decoder event only
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1423) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[24837] 24/2/2021 -- 15:35:13 - (detect-flowbits.c:590) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Hancitor' is checked but not set. Checked in 2024605 and 0 other sigs
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- TCP toserver: 76 port groups, 59 unique SGH's, 17 copies
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- TCP toclient: 76 port groups, 45 unique SGH's, 31 copies
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- UDP toserver: 76 port groups, 49 unique SGH's, 27 copies
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- UDP toclient: 49 port groups, 27 unique SGH's, 22 copies
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1009) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-build.c:1046) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-build.c:1790) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 183
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 34
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 30
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 31
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 36
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 49
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 26
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri (http)": 13
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body (http)": 5
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header (http)": 6
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header (http)": 6
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names (http)": 3
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header_names (http)": 3
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept_enc (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_connection (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_len (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http.server (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http.location (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_protocol (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_protocol (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start (http)": 4
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_start (http)": 4
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent (http)": 6
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code (http)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 4
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 3
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_issuer (tls)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_subject (tls)": 2
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_serial (tls)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ja3.hash (tls)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient ja3s.hash (tls)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh.proto (ssh)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient ssh.proto (ssh)": 1
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smtp)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smb)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (smb)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (http2)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http2)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (ftp-data)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (ftp-data)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (ftp)": 7
[24837] 24/2/2021 -- 15:35:32 - (detect-engine-mpm.c:1161) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (ftp)": 7
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:278) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enxa0cec8d92d70->enxa0cec8d92e2e
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:321) <Config> (ParseAFPConfig) -- Using flow cluster mode for AF_PACKET (iface enxa0cec8d92d70)
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:325) <Config> (ParseAFPConfig) -- Using defrag kernel functionality for AF_PACKET (iface enxa0cec8d92d70)
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:379) <Config> (ParseAFPConfig) -- Going to use bpf filter not host 192.168.1.150
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:708) <Config> (ParseAFPConfig) -- enxa0cec8d92d70: enabling zero copy mode by using data release call
[24837] 24/2/2021 -- 15:35:41 - (util-runmodes.c:264) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[24880] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2772) <Warning> (ReceiveAFPThreadInit) -- [ERRCODE: SC_WARN_UNCOMMON(230)] - Enabling a BPF filter in IPS mode result in dropping all non matching packets.
[24880] 24/2/2021 -- 15:35:41 - (log-pcap.c:761) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[24880] 24/2/2021 -- 15:35:41 - (log-pcap.c:902) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files.
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:278) <Info> (ParseAFPConfig) -- AF_PACKET IPS mode activated enxa0cec8d92e2e->enxa0cec8d92d70
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:321) <Config> (ParseAFPConfig) -- Using flow cluster mode for AF_PACKET (iface enxa0cec8d92e2e)
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:325) <Config> (ParseAFPConfig) -- Using defrag kernel functionality for AF_PACKET (iface enxa0cec8d92e2e)
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:379) <Config> (ParseAFPConfig) -- Going to use bpf filter not host 192.168.1.150
[24837] 24/2/2021 -- 15:35:41 - (runmode-af-packet.c:708) <Config> (ParseAFPConfig) -- enxa0cec8d92e2e: enabling zero copy mode by using data release call
[24837] 24/2/2021 -- 15:35:41 - (util-runmodes.c:264) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2772) <Warning> (ReceiveAFPThreadInit) -- [ERRCODE: SC_WARN_UNCOMMON(230)] - Enabling a BPF filter in IPS mode result in dropping all non matching packets.
[24881] 24/2/2021 -- 15:35:41 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92e2e'
[24881] 24/2/2021 -- 15:35:41 - (util-ioctl.c:112) <Info> (GetIfaceMTU) -- Found an MTU of 1500 for 'enxa0cec8d92d70'
[24881] 24/2/2021 -- 15:35:41 - (log-pcap.c:761) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
[24881] 24/2/2021 -- 15:35:41 - (log-pcap.c:902) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files.
[24837] 24/2/2021 -- 15:35:41 - (flow-manager.c:1065) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
[24837] 24/2/2021 -- 15:35:41 - (flow-manager.c:1268) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
[24837] 24/2/2021 -- 15:35:41 - (util-conf.c:161) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[24837] 24/2/2021 -- 15:35:41 - (unix-manager.c:132) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[24837] 24/2/2021 -- 15:35:41 - (tm-threads.c:2004) <Notice> (TmThreadWaitOnThreadInit) -- Threads created -> W: 2 FM: 1 FR: 1   Engine started.
[24880] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2124) <Perf> (AFPCreateSocket) -- Setting AF_PACKET socket buffer to 64535
[24880] 24/2/2021 -- 15:35:41 - (source-af-packet.c:1744) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060
[24880] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2243) <Info> (AFPSetBPFFilter) -- Using BPF 'not host 192.168.1.150' on iface 'enxa0cec8d92d70'
[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2124) <Perf> (AFPCreateSocket) -- Setting AF_PACKET socket buffer to 64535
[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:1744) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060
[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2243) <Info> (AFPSetBPFFilter) -- Using BPF 'not host 192.168.1.150' on iface 'enxa0cec8d92e2e'
[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:507) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
ManuelFFF commented 3 years ago

Have you found anything wrong so far?

pevma commented 3 years ago

These two seem to jump out of the log output to me -

[24837] 24/2/2021 -- 15:35:13 - (detect-classtype.c:150) <Warning> (DetectClasstypeSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/suricata/rules/scirius.rules:23945 uses unknown classtype: "bad-ip", using default priority 3. This message won't be shown again for this classtype

and

[24881] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2772) <Warning> (ReceiveAFPThreadInit) -- [ERRCODE: SC_WARN_UNCOMMON(230)] - Enabling a BPF filter in IPS mode result in dropping all non matching packets.
ManuelFFF commented 3 years ago

Both are warnings. For the first one, I was trying to define new classifications to put my rules in, but as soon as Scirius restarted it was deleted and I forgot to update my custom rules to not include the class anymore. Fixed.

As for the second, another warning regarding the use of a BPF filter. Well, I just use the filter to exclude the host IP where Suricata is running from detections of any kind. With that filter I am just telling Suricata not to log any traffic/detection related to its own host. Do you think it could be related to the GeoIP engine failure? In my opinion there's no relation, as all the other engines seem to be working fine, and IPS mode does not seem to be affected. I am stopping traffic (drop) with my IPREP rules.

ManuelFFF commented 3 years ago

If there is anything else you would like me to try on this, please let me know

pevma commented 3 years ago

The first one means it would not load any rules with that class - which is a lot, I think. So you need to update the classification file. The second warning might yield unexpected results - aka you would expect a rule to fire but it will not, for example - with respect to that BPF filter.

ManuelFFF commented 3 years ago

I already removed my custom classification and updated all my custom rules. That warning is not showing anymore

As for the second warning, if you know another way to exclude Suricata host from all suricata detections, please show me the way.

pevma commented 3 years ago

You can use a BPF filter or a pass rule - https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html

ManuelFFF commented 3 years ago

I'll take a look. Thanks

ManuelFFF commented 3 years ago

You can use a BPF filter or a pass rule - https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html

That's the documentation that I used to set the BPF filter some time ago, excluding Suricata host from detections.

Anything about the GeoIP rules?

pevma commented 3 years ago

The only other thing I see there is

Can you please try the following test:


suricata -T -S test.rule -vv

where test rule only contains the geoip rule - and please share the output.

ManuelFFF commented 3 years ago

Currently Suricata does not have any GeoIP rules, as they always fail when I attempt to add them via Scirius. Or how should I run this test?

Should I stop Suricata, then execute the above command in CLI declaring a GeoIP rule inline?

pevma commented 3 years ago

No, just execute the command above, supplying the file that has the test rules. It should say verbosely on the command line what the problem is.
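As an added example (not code from SELKS, Scirius or this thread): a small Python helper that builds a geoip test rule, runs the `suricata -T -S <file> -vv` check described above, and filters the verbose output down to the Warning/Error lines, which is the same triage done by hand earlier in the thread when two warnings were picked out of the full suricata.log. The `suricata` binary on PATH and the `/etc/suricata/suricata.yaml` config path are assumptions; the sample log lines embedded below are copied from the log pasted earlier in this thread, and the geoip keyword syntax (`src|dst|both|any`, optionally negated with `!`, followed by ISO 3166-1 alpha-2 country codes) is the one from the Suricata rule documentation.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# suricata.log line format as seen in the output pasted in this thread:
#   [pid] d/m/Y -- H:M:S - (file.c:line) <Level> (Function) -- message
LOG_LINE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>\d+/\d+/\d+ -- \d+:\d+:\d+) - "
    r"\((?P<src>[^)]+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$"
)
# Optional "[ERRCODE: NAME(num)] - " prefix that Warning/Error lines carry.
ERRCODE = re.compile(r"^\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - ")

# Sample input, copied from the suricata.log posted earlier in this thread.
SAMPLE_LOG = """\
[24837] 24/2/2021 -- 15:35:06 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/scirius-iprep.list
[24837] 24/2/2021 -- 15:35:13 - (detect-classtype.c:150) <Warning> (DetectClasstypeSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/suricata/rules/scirius.rules:23945 uses unknown classtype: "bad-ip", using default priority 3. This message won't be shown again for this classtype
[24837] 24/2/2021 -- 15:35:13 - (detect-engine-loader.c:355) <Info> (SigLoadSignatures) -- 1 rule files processed. 23958 rules successfully loaded, 0 rules failed
[24880] 24/2/2021 -- 15:35:41 - (source-af-packet.c:2772) <Warning> (ReceiveAFPThreadInit) -- [ERRCODE: SC_WARN_UNCOMMON(230)] - Enabling a BPF filter in IPS mode result in dropping all non matching packets.
"""


def parse_log_line(line):
    """Parse one suricata.log line into a dict, or None if it is not one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    e = ERRCODE.match(rec["msg"])
    rec["errcode"] = e.group("name") if e else None
    if e:
        rec["msg"] = rec["msg"][e.end():]
    return rec


def triage(log_text, levels=("Warning", "Error")):
    """Return the parsed records at the given levels, in file order."""
    found = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["level"] in levels:
            found.append(rec)
    return found


DIRECTIONS = ("src", "dst", "both", "any")


def geoip_rule(sid, countries, direction="any", negate=False,
               action="alert", msg="TEST GeoIP"):
    """Build a geoip rule line; countries are ISO 3166-1 alpha-2 codes."""
    codes = [c.strip().upper() for c in countries]
    bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    where = ("!" if negate else "") + direction
    return (f'{action} ip any any -> any any (msg:"{msg}"; '
            f'geoip:{where},{",".join(codes)}; sid:{sid}; rev:1;)')


def run_rule_test(rules, config=None, binary="suricata", timeout=600):
    """Write the rules to a temp file and run `suricata -T -S <file> -vv`.

    -T loads config and rules without starting capture; -S makes the given
    file the only rule file, so nothing else in the ruleset masks the result.
    Returns (exit_code, triage(output)), or None when the binary is absent.
    Run it with the same privileges the Scirius push uses, so permission
    problems on e.g. the GeoIP .mmdb surface as well.
    """
    exe = shutil.which(binary)
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "test.rules"
        path.write_text("\n".join(rules) + "\n")
        cmd = [exe, "-T", "-S", str(path), "-vv"]
        if config:
            cmd += ["-c", config]  # assumption: default SELKS config path
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, triage(proc.stdout + proc.stderr)


if __name__ == "__main__":
    rule = geoip_rule(11, ["RU", "CN", "KR", "KP", "UA"])
    result = run_rule_test([rule], config="/etc/suricata/suricata.yaml")
    findings = triage(SAMPLE_LOG) if result is None else result[1]
    if result is None:
        print("suricata not on PATH; showing triage of the sample log instead")
    else:
        print(f"suricata -T exit code: {result[0]}")
    for rec in findings:
        print(f"{rec['level']:8} {rec['errcode'] or '-':24} {rec['msg']}")
```

If `-T` reports `0 rules failed` for the geoip rule but the warning about the GeoIP database still appears in the output, the rule syntax is fine and the problem is the database configuration or its permissions under the account Suricata runs as; if the rule fails to load, the parser error printed just before the failure count names the offending keyword.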

ManuelFFF commented 3 years ago

OK. Testing now

ManuelFFF commented 3 years ago
user1@server1:~$ sudo suricata -T -S /home/user1/Downloads/geoipTR.rules -vv
[25781] 10/3/2021 -- 09:56:56 - (suricata.c:1058) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (00d7c9034 2021-01-22) running in SYSTEM mode
[25781] 10/3/2021 -- 09:56:56 - (util-cpu.c:178) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 4
[25781] 10/3/2021 -- 09:56:56 - (util-logopenfile.c:597) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[25781] 10/3/2021 -- 09:56:56 - (output-json-email-common.c:427) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[25781] 10/3/2021 -- 09:56:56 - (output-json-email-common.c:431) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[25781] 10/3/2021 -- 09:56:56 - (output-json-dnp3.c:299) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[25781] 10/3/2021 -- 09:56:56 - (output-json-dnp3.c:299) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[25781] 10/3/2021 -- 09:56:56 - (log-pcap.c:1307) <Info> (PcapLogInitCtx) -- Using log dir /data/nsm/
[25781] 10/3/2021 -- 09:56:56 - (log-pcap.c:1418) <Info> (PcapLogInitCtx) -- Selected pcap-log compression method: none
[25781] 10/3/2021 -- 09:56:56 - (log-pcap.c:1422) <Info> (PcapLogInitCtx) -- using multi logging
[25781] 10/3/2021 -- 09:56:56 - (util-logopenfile.c:597) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.string
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server.string
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for rfb.name
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.clientid
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.username
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.password
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willtopic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willmessage
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.topic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.message
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.subscribe.topic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:247) <Perf> (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.unsubscribe.topic
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv4.hdr
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv6.hdr
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:414) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[25781] 10/3/2021 -- 09:56:56 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/scirius-iprep.list
[25781] 10/3/2021 -- 09:56:56 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv4.list
[25781] 10/3/2021 -- 09:56:56 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv6.list
[25781] 10/3/2021 -- 09:56:56 - (host.c:299) <Perf> (HostPrintStats) -- host memory usage: 8373728 bytes, maximum: 33554432
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-loader.c:355) <Info> (SigLoadSignatures) -- 1 rule files processed. 2 rules successfully loaded, 0 rules failed
[25781] 10/3/2021 -- 09:56:56 - (util-threshold-config.c:1091) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:471) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1420) <Info> (SigAddressPrepareStage1) -- 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- TCP toclient: 1 port groups, 1 unique SGH's, 0 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- UDP toserver: 1 port groups, 1 unique SGH's, 0 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1263) <Perf> (RulesGroupByPorts) -- UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1009) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 1 unique SGH's, 253 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1046) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1790) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 5
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 0
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-mpm.c:1153) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 0
[25781] 10/3/2021 -- 09:56:56 - (suricata.c:2776) <Notice> (SuricataMain) -- Configuration provided was successfully loaded. Exiting.
[25781] 10/3/2021 -- 09:56:56 - (host.c:299) <Perf> (HostPrintStats) -- host memory usage: 8373728 bytes, maximum: 33554432
[25781] 10/3/2021 -- 09:56:56 - (detect-engine-build.c:1722) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[25781] 10/3/2021 -- 09:56:56 - (util-mpm-hs.c:1078) <Perf> (MpmHSGlobalCleanup) -- Cleaning up Hyperscan global scratch
[25781] 10/3/2021 -- 09:56:56 - (util-mpm-hs.c:1086) <Perf> (MpmHSGlobalCleanup) -- Clearing Hyperscan database cache
ManuelFFF commented 3 years ago

Apparently there is nothing wrong with the rules file. It looks like Scirius just does not like it :P

ManuelFFF commented 3 years ago

This is the content of the geoip rules file:

alert ip any any -> any any (msg:"TEST Bad GeoIP"; geoip:any,RU; sid:20; rev:1;)

alert ip any any -> any any (msg:"GeoIP from JP,Japan"; geoip:JP; sid:21; rev:1;)
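
The two rules above, and the one in the first comment, are what Scirius rejected. As an added example (not Scirius's own check, which per the maintainer is the same `suricata -T` test), here is a small linter that validates what a rule manager can check offline: the rule header, the `geoip` keyword (an optional direction `src`/`dst`/`both`/`any` followed by ISO 3166 alpha-2 codes; negated values are not modelled, and upper-case codes are an assumption) and the presence of `sid`/`rev`. It cannot tell whether Suricata will find the GeoIP2 database, which is a runtime question only `suricata -T` answers. The third rule in the usage block is constructed to show a failure.

```python
"""Lint Suricata geoip rules before handing them to a rule manager.

Added example; not code from Scirius or Suricata. It checks only the rule
shape: header, geoip keyword syntax and sid/rev. Whether Suricata can open
the GeoIP2 database is not something a text check can answer.
"""
from __future__ import annotations

import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
GEOIP_DIRECTIONS = {"src", "dst", "both", "any"}
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # assumption: upper-case alpha-2 codes only


def split_options(opts: str) -> list[tuple[str, str | None]]:
    """Split 'msg:"a; b"; sid:1;' into (keyword, value) pairs, honouring quotes."""
    pairs: list[tuple[str, str | None]] = []
    buf, in_quote, prev = "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = buf.strip()
            buf = ""
            if item:
                kw, sep, val = item.partition(":")
                pairs.append((kw.strip(), val.strip() if sep else None))
        else:
            buf += ch
        prev = ch
    if buf.strip():  # trailing option without ';' (reported by the validator)
        kw, sep, val = buf.strip().partition(":")
        pairs.append((kw.strip(), val.strip() if sep else None))
    return pairs


def check_geoip_value(value: str | None) -> list[str]:
    """Validate '[direction,]CC[,CC...]'; direction defaults to 'any' in Suricata."""
    if value is None or not value.strip():
        return ["geoip: keyword needs a value"]
    parts = [p.strip() for p in value.split(",")]
    if parts[0] in GEOIP_DIRECTIONS:
        parts = parts[1:]
    if not parts or parts == [""]:
        return ["geoip: no country codes given"]
    return [f"geoip: {p!r} is not an ISO 3166 alpha-2 code" for p in parts if not COUNTRY_RE.match(p)]


def validate_geoip_rule(rule: str) -> list[str]:
    """Return a list of problems; an empty list means the rule looks sound."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["rule header does not parse (action proto src sport -> dst dport (...))"]
    errors: list[str] = []
    opts = m.group("opts")
    if not opts.rstrip().endswith(";"):
        errors.append("every option, including the last, must end with ';'")
    pairs = split_options(opts)
    keywords = [k for k, _ in pairs]
    geoip_values = [v for k, v in pairs if k == "geoip"]
    if not geoip_values:
        errors.append("no geoip keyword in rule")
    for v in geoip_values:
        errors.extend(check_geoip_value(v))
    for required in ("sid", "rev"):
        if required not in keywords:
            errors.append(f"missing {required}")
    return errors


if __name__ == "__main__":
    for r in [
        'alert ip any any -> any any (msg:"TEST Bad GeoIP"; geoip:any,RU; sid:20; rev:1;)',
        'alert ip any any -> any any (msg:"GeoIP from JP,Japan"; geoip:JP; sid:21; rev:1;)',
        'alert ip any any -> any any (msg:"bad"; geoip:up,RUS; sid:22; rev:1;)',  # constructed bad rule
    ]:
        print(validate_geoip_rule(r) or "OK", "<-", r)
```

Both rules from the comment pass the linter, which matches what Suricata itself reported (`0 rules failed`); the constructed third rule fails on an unknown direction and a three-letter code.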
ManuelFFF commented 3 years ago

I am ready to keep trying and troubleshooting. Thanks

pevma commented 3 years ago

On the original screenshot provided the sid version is 11, here they are all 20 and 21. And that is the exact same file you try to load in Scirius? Scirius basically executes the same test command.

ManuelFFF commented 3 years ago

By that time it was the 11th rule. Now I have more rules and I have reorganized the order a bit.

ManuelFFF commented 3 years ago

Do you think there may be a bug in Scirius that prevents it from properly processing GeoIP rules, or am I missing or doing something wrong?

pevma commented 3 years ago

hm, should not be, as it basically does the check against the same suricata. Is this a SELKS install or stand alone Scirius?

ManuelFFF commented 3 years ago

SELKS 6 Desktop.

I'm just saying, but testing the geoip rules with Suricata was successful. It's only failing when attempting to add those via Scirius. Geoip rules do not require a categories file to be uploaded in a .tar.gz file structure like IPREP rules do, so I'm just uploading a rule file with a couple of Geoip rules. I don't see where the issue may be, but I'm not an expert :P

What should be my next step?

pevma commented 3 years ago

Can you please try to click on ignore and continue - and check if it ends up in the scirius.rules file and if it behaves as expected?

ManuelFFF commented 3 years ago

I tried what you recommended and here are the results:

Got known error from Scirius, but skipped as requested

suricata logs

[23458] 17/3/2021 -- 14:32:53 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/scirius-iprep.list
[23458] 17/3/2021 -- 14:32:53 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv4.list
[23458] 17/3/2021 -- 14:32:53 - (reputation.c:635) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/iprep/test-iprepv6.list
[23458] 17/3/2021 -- 14:32:53 - (host.c:299) <Perf> (HostPrintStats) -- host memory usage: 8373728 bytes, maximum: 33554432
[23458] 17/3/2021 -- 14:32:53 - (detect-engine-loader.c:251) <Config> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/scirius.rules
[23458] 17/3/2021 -- 14:32:53 - (datasets.c:298) <Config> (DatasetLoadString) -- dataset: test-datasetDNS64v2 loading from '/etc/suricata/rules/dataset/test-datasetDNS64v2.lst'
[23458] 17/3/2021 -- 14:32:53 - (datasets.c:365) <Config> (DatasetLoadString) -- dataset: test-datasetDNS64v2 loaded 4 records
[23458] 17/3/2021 -- 14:32:53 - (detect-engine-loader.c:355) <Info> (SigLoadSignatures) -- 1 rule files processed. 3 rules successfully loaded, 0 rules failed

It looks like all rules were accepted by Suricata. Currently I have only 3 rules enabled for testing: 2 GeoIP rules and 1 dataset rule.

Rules were successfully added to the scirius rules file

# Rules file for Default SELKS ruleset generated by Scirius at 2021-03-17 18:32:48.708319+00:00
drop dns any any -> any any (msg:"TEST Known Bad Domain"; dns.query; dataset:isset, test-datasetDNS64v2, type string, load /etc/suricata/rules/dataset/test-datasetDNS64v2.lst; sid:17; rev:1;)
drop ip any any -> any any (msg:"TEST Bad GeoIP"; geoip:any,RU; sid:20; rev:1;)
drop ip any any -> any any (msg:"GeoIP from JP,Japan"; geoip:JP; sid:21; rev:1;)

When testing with some traffic:

geoip rules

So it's like working half way?

ManuelFFF commented 3 years ago

Update

In fact I am seeing the drop in logs. I was wrong, I never saw it in action, but in event_type. Still, traffic is not being blocked.

{"timestamp":"2021-03-17T15:05:34.847431-0400","flow_id":439112405825749,"in_iface":"enxa0cec8d92d70","event_type":"drop","src_ip":"192.168.1.170","src_port":60930,"dest_ip":"210.227.117.59","dest_port":80,"proto":"TCP","community_id":"1:n+51ec1wbA3riBWvGfrA/pD/C6E=","drop":{"len":60,"tos":0,"ttl":64,"ipid":22539,"tcpseq":3901647760,"tcpack":0,"tcpwin":64240,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan","category":"","severity":3}}

ManuelFFF commented 3 years ago

Update

Just confirmed sites triggering alerts are also being blocked:
210.227.117.59 - http://travel-japan.jp/eng/
202.214.194.147 - https://www.japan.go.jp/japan/visit/

Sites not triggering alerts are not being blocked:
23.42.214.18 - https://www.mofa.go.jp/
23.42.213.169 - https://www.jnto.go.jp/

All four previous IPs show that they are geolocated in Japan, but just half are being blocked. I think this is because Suricata is failing to associate some of the IPs with Japan?

We got better results, but yet the rule is working at 50%.

pevma commented 3 years ago

This could be due to an incomplete geoip db, I think.

ManuelFFF commented 3 years ago

I am using the same MaxMind geoip db that is shipped with ELK in SELKS.

ManuelFFF commented 3 years ago

https://www.japantimes.co.jp/news/2021/02/04/national/japan-travel-restrictions/

The above site is triggering event_type: "alert" showing it's because of the Japan geoip rule, and yet the traffic is allowed. It is detecting that traffic is from/to Japan, so the geoip db seems to work.

Well, to be precise it seems to be blocking some traffic related to the site (maybe add-ons, or advertisement, or external components), as I can see a lot of logs including event_type: "alert" followed by another log with event_type: "drop", but at the end the site is loaded.

I feel we are getting closer. What would you recommend next?

ManuelFFF commented 3 years ago

Testing site https://www.japantimes.co.jp will not trigger any alert, but just event_type: dns, tls and flow

If I ping one of the site IPs (52.198.31.81) I got alerts and packets dropped

{"timestamp":"2021-03-17T17:12:42.491549-0400","flow_id":2239816596437165,"in_iface":"enxa0cec8d92d70","event_type":"alert","src_ip":"192.168.1.170","src_port":0,"dest_ip":"52.198.31.81","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"community_id":"1:W53jBDmAskO8hhM3Rex2VPrb7Sc=","alert":{"action":"blocked","gid":1,"signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan","category":"","severity":3},"flow":{"pkts_toserver":51,"pkts_toclient":0,"bytes_toserver":4998,"bytes_toclient":0,"start":"2021-03-17T17:11:51.374957-0400"},"payload":"ynBSYAAAAADpdwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","payload_printable":".pR`.....w...................... !\"#$%&'()*+,-./01234567","stream":0,"packet":"cEylRs1hZABqItQVCABFAABUBIpAAEABH7bAqAGqNMYfUQgAxd1l0wAzynBSYAAAAADpdwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=","packet_info":{"linktype":1}}
{"timestamp":"2021-03-17T17:12:42.491549-0400","flow_id":2239816596437165,"in_iface":"enxa0cec8d92d70","event_type":"drop","src_ip":"192.168.1.170","src_port":0,"dest_ip":"52.198.31.81","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"community_id":"1:W53jBDmAskO8hhM3Rex2VPrb7Sc=","drop":{"len":84,"tos":0,"ttl":64,"ipid":1162,"icmp_id":54117,"icmp_seq":13056},"alert":{"action":"blocked","gid":1,"signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan","category":"","severity":3}}

If I ping the second IP (35.73.33.237) all packets are lost, but not a single log entry in eve.json

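The confusion two comments up (the drop being visible only as an `event_type`, and some destinations alerting while others load normally) is easiest to settle by reading eve.json per flow rather than per line. Below is an added example, not code from the thread, SELKS or Suricata: it groups `alert` and `drop` events by `flow_id` and reports, per `signature_id`, which destinations were actually dropped and which only matched. The first three sample lines are shortened from the events posted above; the fourth is constructed (dest_ip 198.51.100.7, a documentation address) with `"action":"allowed"` to show what an IDS-only match looks like.

```python
"""Summarise eve.json alert/drop events per signature to see whether an IPS
rule is really enforcing.

Added example; not code from the thread, SELKS or Suricata. SAMPLE_EVE is
constructed: three lines shortened from the events in this issue, one made
up 'allowed' match.
"""
from __future__ import annotations

import json
from collections import defaultdict

SAMPLE_EVE = r'''
{"timestamp":"2021-03-17T15:05:34.847431-0400","flow_id":439112405825749,"event_type":"drop","src_ip":"192.168.1.170","dest_ip":"210.227.117.59","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan"}}
{"timestamp":"2021-03-17T17:12:42.491549-0400","flow_id":2239816596437165,"event_type":"alert","src_ip":"192.168.1.170","dest_ip":"52.198.31.81","proto":"ICMP","alert":{"action":"blocked","signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan"}}
{"timestamp":"2021-03-17T17:12:42.491549-0400","flow_id":2239816596437165,"event_type":"drop","src_ip":"192.168.1.170","dest_ip":"52.198.31.81","proto":"ICMP","alert":{"action":"blocked","signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan"}}
{"timestamp":"2021-03-17T17:20:00.000000-0400","flow_id":1111,"event_type":"alert","src_ip":"192.168.1.170","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":21,"rev":1,"signature":"GeoIP from JP,Japan"}}
'''


def group_by_flow(lines):
    """Collect alert/drop events per flow_id; other event types (dns, tls, flow) are ignored."""
    flows = defaultdict(lambda: {"alert": 0, "drop": 0, "actions": set(), "dest_ip": None, "sid": None})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json can end in a half-written line
        if ev.get("event_type") not in ("alert", "drop"):
            continue
        alert = ev.get("alert", {})
        f = flows[ev["flow_id"]]
        f[ev["event_type"]] += 1
        f["actions"].add(alert.get("action"))
        f["dest_ip"] = ev.get("dest_ip")
        f["sid"] = alert.get("signature_id")
    return flows


def per_signature(lines):
    """Per signature_id: event counts, destinations that got a drop event and
    destinations where the rule matched but nothing was dropped."""
    summary = defaultdict(lambda: {"alerts": 0, "drops": 0, "dropped_ips": set(), "unenforced_ips": set()})
    for f in group_by_flow(lines).values():
        s = summary[f["sid"]]
        s["alerts"] += f["alert"]
        s["drops"] += f["drop"]
        (s["dropped_ips"] if f["drop"] else s["unenforced_ips"]).add(f["dest_ip"])
    return summary


if __name__ == "__main__":
    # On a sensor: per_signature(open("/var/log/suricata/eve.json"))
    for sid, s in sorted(per_signature(SAMPLE_EVE.splitlines()).items()):
        print(f"sid {sid}: {s['alerts']} alert(s), {s['drops']} drop(s)")
        print("  dropped:   ", sorted(s["dropped_ips"]))
        print("  unenforced:", sorted(s["unenforced_ips"]))
```

A destination that never appears in the output at all (like the two `23.42.*` hosts earlier in the thread) never matched the rule, which points at the database rather than at enforcement; a destination under "unenforced" matched but was not dropped, which points at the action or at IDS mode.
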
ManuelFFF commented 3 years ago
pevma commented 3 years ago

I think the public geoip DB is not full/complete.

ManuelFFF commented 3 years ago

Following your advice I downloaded a recent version of the MaxMind GeoLite2-Country.mmdb. After restarting Suricata and testing the same sites, all of them were successfully blocked this time.

We still have Scirius showing errors for geoip rules that we know are fine, accepted and working in Suricata. How can we remove these errors, so we can upload and update geoip rules without issues?

scirius-geoip-error

pevma commented 3 years ago

Let me check a couple of things and I will get back to you.

ManuelFFF commented 3 years ago

Hi. Were you able to find anything? Thanks

pevma commented 3 years ago

I can't find out why exactly, but I can reproduce it now. I think for the time being you can just ignore the error during the initial setup.

ManuelFFF commented 3 years ago

Ok. Then for now I will just ignore the Scirius errors and will run it the way it is. Can I trust that there will be a fix in future releases/updates?

Thanks

pevma commented 3 years ago

Yep, the next release will address that if it is entirely Scirius (or in any way).

ManuelFFF commented 3 years ago

Thank you for your time and help.