StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Suricata in red and ElasticSearch orange after setup #90

Open techkid107 opened 7 years ago

techkid107 commented 7 years ago

I just finished setting up SELKS but I am unable to view logs. Suricata on the dashboard appears red as if the service isn't working. I have already set up the IDS interface but I'm stuck.

pevma commented 7 years ago

What's the output of systemctl status suricata? And do you have the interface up?

techkid107 commented 7 years ago

Hi, please see the output below. The interface light is up but I'm not sure if it is actually up.

● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated; vendor preset: enabled)
   Active: active (exited) since Wed 2017-10-25 02:02:37 CDT; 6h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16250 ExecStop=/etc/init.d/suricata stop (code=exited, status=1/FAILURE)
  Process: 16258 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 7372)
   CGroup: /system.slice/suricata.service

Oct 25 02:02:37 SELKS systemd[1]: Starting LSB: Next Generation IDS/IPS...
Oct 25 02:02:37 SELKS suricata[16258]: Starting suricata in IDS (af-packet) mode... done.
Oct 25 02:02:37 SELKS systemd[1]: Started LSB: Next Generation IDS/IPS.
root@SELKS:~#

pevma commented 7 years ago

ok - maybe a quick ifconfig will show you if the interface is up.

Can you please share the output of:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -v --user=logstash

techkid107 commented 7 years ago

ifconfig isn't listing the interface. It might be that it doesn't have an IP address allocated since it's only sniffing.

[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:241) (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'detect' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'stats' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'outputs' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'logging' redefined.
[22602] 25/10/2017 -- 08:57:51 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[22602] 25/10/2017 -- 08:57:51 - (suricata.c:1109) (LogVersion) -- This is Suricata version 4.0.0-dev (rev b8428378)
[22602] 25/10/2017 -- 08:57:51 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs/cores online: 4
[22602] 25/10/2017 -- 08:57:51 - (util-ioctl.c:107) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[22602] 25/10/2017 -- 08:57:51 - (util-ioctl.c:107) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[22602] 25/10/2017 -- 08:57:51 - (util-pidfile.c:129) (SCPidfileTestRunning) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!

pevma commented 7 years ago

ok. Remove the pid and do a service restart:

rm /var/run/suricata.pid
systemctl restart suricata

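The two checks asked for in this thread (is the sniffing interface actually up, and is the pid file stale) as a small POSIX sh pre-flight script. This is an added example, not SELKS's or Suricata's own code: the function names are invented here, it reads the interface flags from the standard Linux sysfs path /sys/class/net/<iface>/flags, and its stale-pid test is its own logic that mirrors what Suricata's SCPidfileTestRunning reports. Unlike a blanket rm, it only deletes the pid file when no process with that pid exists, so it cannot remove the lock from under a healthy instance. Note that "active (exited)" with "Tasks: 0" in the status output above only means the LSB init script returned success; it says nothing about whether the Suricata process is still alive.

```sh
#!/bin/sh
# Added example (not SELKS or Suricata code): pre-flight checks before
# restarting Suricata. Assumes a Linux host with sysfs mounted.

# pidfile_state FILE -> prints one of: missing | invalid | running | stale
pidfile_state() {
    file="$1"
    [ -e "$file" ] || { echo missing; return 0; }
    pid=$(tr -d '[:space:]' < "$file")
    case "$pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;   # not a number: treat as junk
    esac
    # kill -0 sends no signal; it only asks whether the pid exists and is
    # signalable. A pid that exists but belongs to another user fails the
    # kill test, so fall back to /proc to avoid misreporting it as stale.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo running
    else
        echo stale
    fi
}

# clean_stale_pidfile FILE -> removes FILE only when it is stale or invalid.
# Returns 0 if nothing blocks a start afterwards, 1 if a live process holds it.
clean_stale_pidfile() {
    file="$1"
    case "$(pidfile_state "$file")" in
        missing)        return 0 ;;
        stale|invalid)  rm -f "$file"; return 0 ;;
        running)        return 1 ;;
    esac
}

# iface_state NAME -> prints one of: missing | up | down
# Bit 0 of the sysfs flags word is IFF_UP. A sniffing interface with no IP
# address is still "up" here; plain ifconfig (without -a) hides interfaces
# that are down, which is the usual reason one "is not listed".
iface_state() {
    name="$1"
    flagfile="/sys/class/net/$name/flags"
    [ -r "$flagfile" ] || { echo missing; return 0; }
    flags=$(cat "$flagfile")
    if [ $(( $flags & 1 )) -eq 1 ]; then echo up; else echo down; fi
}

# suricata_preflight IFACE PIDFILE -> 0 when it is safe to (re)start, 1 otherwise
suricata_preflight() {
    iface="$1"; pidfile="$2"
    case "$(iface_state "$iface")" in
        up)      ;;
        down)    echo "interface $iface is down; bring it up first (ip link set $iface up)" >&2; return 1 ;;
        missing) echo "interface $iface does not exist on this host" >&2; return 1 ;;
    esac
    if ! clean_stale_pidfile "$pidfile"; then
        echo "a live process still holds $pidfile; stop it before restarting" >&2
        return 1
    fi
    return 0
}

# Usage on a SELKS box (eno2 is the capture interface from the thread):
#   suricata_preflight eno2 /var/run/suricata.pid && systemctl restart suricata
```

If the pre-flight passes and Suricata still dies a minute later, the pid file is not the cause and the next thing to read is the -vv startup output, as suggested below.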
techkid107 commented 7 years ago

I did that and it came up for about a minute then stopped working again.

pevma commented 7 years ago

ok. Let's try it in a different way:

rm /var/run/suricata.pid 

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet  -vv --user=logstash

What would be the output?

intercake commented 6 years ago

Pevma, your rm pid instructions worked for me. The issue occurred after setting up the NIC offloading, not sure if it was the cause, maybe a coincidence. Thanks for your help.

mritto commented 3 years ago

Hi Pevma,

I was using the new SELKS6 in IDS mode.

After I decided to change to IPS mode (I followed all steps from https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS) I got this same issue (RED Suricata).

Could you please help me?

systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata; generated)
   Active: active (exited) since Thu 2021-03-18 11:27:38 PDT; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2031 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

Mar 18 11:27:38 svips01 systemd[1]: Stopped LSB: Next Generation IDS/IPS.
Mar 18 11:27:38 svips01 systemd[1]: Starting LSB: Next Generation IDS/IPS...
Mar 18 11:27:38 svips01 suricata[2031]: Starting suricata in IDS (af-packet) mode... done.
Mar 18 11:27:38 svips01 systemd[1]: Started LSB: Next Generation IDS/IPS.

About the output of this command:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -v --user=logstash

I got this:

[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Including configuration file /etc/suricata/selks6-addin.yaml.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'detect' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'stats' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'outputs' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'logging' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'app-layer' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'asn1-max-frames' redefined.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Including configuration file /etc/suricata/selks6-interfaces-config.yaml.
[2051] 18/3/2021 -- 11:29:39 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[2051] 18/3/2021 -- 11:29:39 - (suricata.c:1063) (LogVersion) -- This is Suricata version 7.0.0-dev (e96464308 2021-02-28) running in SYSTEM mode
[2051] 18/3/2021 -- 11:29:39 - (util-cpu.c:178) (UtilCpuPrintSummary) -- CPUs/cores online: 16
[2051] 18/3/2021 -- 11:29:39 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno1'
[2051] 18/3/2021 -- 11:29:39 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno1'
[2051] 18/3/2021 -- 11:29:39 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[2051] 18/3/2021 -- 11:29:39 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[2051] 18/3/2021 -- 11:29:39 - (util-pidfile.c:133) (SCPidfileTestRunning) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!

I did these steps:

rm /var/run/suricata.pid
systemctl restart suricata

And it came up for about a minute then stopped working again (RED suricata).

I also tried the last, different way,

and I got this:

[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Including configuration file /etc/suricata/selks6-addin.yaml.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'detect' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'stats' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'outputs' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'logging' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'app-layer' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'asn1-max-frames' redefined.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:265) (ConfYamlParse) -- Including configuration file /etc/suricata/selks6-interfaces-config.yaml.
[2119] 18/3/2021 -- 11:33:32 - (conf-yaml-loader.c:289) (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[2119] 18/3/2021 -- 11:33:32 - (suricata.c:1063) (LogVersion) -- This is Suricata version 7.0.0-dev (e96464308 2021-02-28) running in SYSTEM mode
[2119] 18/3/2021 -- 11:33:32 - (util-cpu.c:178) (UtilCpuPrintSummary) -- CPUs/cores online: 16
[2119] 18/3/2021 -- 11:33:32 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno1'
[2119] 18/3/2021 -- 11:33:32 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno1'
[2119] 18/3/2021 -- 11:33:32 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[2119] 18/3/2021 -- 11:33:32 - (util-ioctl.c:112) (GetIfaceMTU) -- Found an MTU of 1500 for 'eno2'
[2119] 18/3/2021 -- 11:33:32 - (suricata.c:2358) (PostDeviceFinalizedSetup) -- AF_PACKET: Setting IPS mode
[2119] 18/3/2021 -- 11:33:32 - (util-privs.c:92) (SCDropMainThreadCaps) -- dropped the caps for main thread
[2119] 18/3/2021 -- 11:33:32 - (util-logopenfile.c:597) (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[2119] 18/3/2021 -- 11:33:32 - (output-json-email-common.c:427) (OutputEmailInitConf) -- Going to log the md5 sum of email body
[2119] 18/3/2021 -- 11:33:32 - (output-json-email-common.c:431) (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[2119] 18/3/2021 -- 11:33:32 - (output-json-dnp3.c:299) (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2119] 18/3/2021 -- 11:33:32 - (output-json-dnp3.c:299) (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2119] 18/3/2021 -- 11:33:32 - (log-pcap.c:1309) (PcapLogInitCtx) -- Using log dir /data/nsm/
[2119] 18/3/2021 -- 11:33:32 - (log-pcap.c:1420) (PcapLogInitCtx) -- Selected pcap-log compression method: none
[2119] 18/3/2021 -- 11:33:32 - (log-pcap.c:1429) (PcapLogInitCtx) -- using multi logging
[2119] 18/3/2021 -- 11:33:32 - (util-logopenfile.c:597) (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[2119] 18/3/2021 -- 11:33:32 - (util-conf.c:161) (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_uri
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_uri
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_request_line
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_client_body
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_response_line
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_header_names
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_enc
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_accept_lang
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_referer
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_connection
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_len
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_content_type
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.server
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http.location
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_protocol
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_start
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_method
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_cookie
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file.magic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_user_agent
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_host
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_raw_host
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_msg
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http_stat_code
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header_name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for http2_header
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dns_query
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dnp3_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.sni
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_subject
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_serial
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for tls.certs
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.hash
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3.string
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.hash
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ja3s.string
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for dce_stub_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_named_pipe
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for smb_share
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.proto
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh_software
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.string
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for ssh.hassh.server.string
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for file_data
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_cname
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for krb5_sname
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.uri
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.protocol
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.method
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.stat_msg
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.request_line
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for sip.response_line
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for rfb.name
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for snmp.community
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.clientid
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.username
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.password
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willtopic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.connect.willmessage
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.topic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.publish.message
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.subscribe.topic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:249) (DetectMpmInitializeAppMpms) -- using shared mpm ctx' for mqtt.unsubscribe.topic
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv4.hdr
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for tcp.hdr
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for udp.hdr
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for icmpv6.hdr
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[2119] 18/3/2021 -- 11:33:32 - (detect-engine-mpm.c:417) (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[2119] 18/3/2021 -- 11:33:32 - (reputation.c:636) (SRepInit) -- Loading reputation file: /etc/suricata/rules/scirius-iprep.list
[2119] 18/3/2021 -- 11:33:32 - (host.c:299) (HostPrintStats) -- host memory usage: 2623240 bytes, maximum: 33554432
[2119] 18/3/2021 -- 11:33:37 - (detect-engine-loader.c:355) (SigLoadSignatures) -- 1 rule files processed. 24348 rules successfully loaded, 0 rules failed
[2119] 18/3/2021 -- 11:33:37 - (util-threshold-config.c:1091) (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-mpm.c:474) (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-mpm.c:474) (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-mpm.c:474) (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-mpm.c:474) (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1420) (SigAddressPrepareStage1) -- 24351 signatures processed. 9 are IP-only rules, 4023 are inspecting packet payload, 20272 inspect application layer, 0 are decoder event only
[2119] 18/3/2021 -- 11:33:38 - (detect-flowbits.c:590) (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Hancitor' is checked but not set. Checked in 2024605 and 0 other sigs
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1263) (RulesGroupByPorts) -- TCP toserver: 76 port groups, 59 unique SGH's, 17 copies
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1263) (RulesGroupByPorts) -- TCP toclient: 76 port groups, 45 unique SGH's, 31 copies
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1263) (RulesGroupByPorts) -- UDP toserver: 76 port groups, 49 unique SGH's, 27 copies
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1263) (RulesGroupByPorts) -- UDP toclient: 49 port groups, 27 unique SGH's, 22 copies
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1009) (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
[2119] 18/3/2021 -- 11:33:38 - (detect-engine-build.c:1046) (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-build.c:1790) (SigAddressPrepareStage4) -- Unique rule groups: 183
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 34
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 30
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 31
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 36
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 49
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 26
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1156) (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri (http)": 13
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri (http2)": 13
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri (http2)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body (http)": 5
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_header (http)": 6
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_header (http)": 6
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names (http)": 3
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_header_names (http)": 3
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept_enc (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_connection (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_len (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http.server (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http.location (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_protocol (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_protocol (http)": 1
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_start (http)": 4
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_start (http)": 4
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_method (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie (http)": 2
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent (http)": 6
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164)
(MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent (http2)": 6 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 2 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver http_host (http)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code (http)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 4 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query (dns)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 3 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni (tls)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_issuer (tls)": 2 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_subject (tls)": 2 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_serial (tls)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_fingerprint (tls)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver ja3.hash (tls)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient ja3s.hash (tls)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver ssh.proto (ssh)": 1 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient ssh.proto (ssh)": 1 
[2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smtp)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (smb)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (smb)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (http2)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (http2)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (ftp-data)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (ftp-data)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toserver file_data (ftp)": 7 [2119] 18/3/2021 -- 11:33:51 - (detect-engine-mpm.c:1164) (MpmStoreReportStats) -- AppLayer MPM "toclient file_data (ftp)": 7 [2119] 18/3/2021 -- 11:33:59 - (runmode-af-packet.c:278) (ParseAFPConfig) -- AF_PACKET IPS mode activated eno1->eno1. [2119] 18/3/2021 -- 11:33:59 - (runmode-af-packet.c:639) (ParseAFPConfig) -- 16 cores, so using 16 threads [2119] 18/3/2021 -- 11:33:59 - (runmode-af-packet.c:652) (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface eno1 [2119] 18/3/2021 -- 11:33:59 - (util-runmodes.c:264) (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s) [2122] 18/3/2021 -- 11:33:59 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2122] 18/3/2021 -- 11:33:59 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 9 files. 
[2123] 18/3/2021 -- 11:33:59 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2123] 18/3/2021 -- 11:33:59 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2124] 18/3/2021 -- 11:33:59 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2124] 18/3/2021 -- 11:33:59 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2125] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2125] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2126] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2126] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2127] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2127] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2128] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2128] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 4 files. [2129] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2129] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2130] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2130] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 5 files. 
[2131] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2131] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2132] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2132] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2133] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2133] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2134] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2134] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 6 files. [2135] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2135] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2136] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2136] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files. [2137] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2137] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 8 files. [2119] 18/3/2021 -- 11:34:00 - (runmode-af-packet.c:278) (ParseAFPConfig) -- AF_PACKET IPS mode activated eno2->eno2. 
[2119] 18/3/2021 -- 11:34:00 - (runmode-af-packet.c:639) (ParseAFPConfig) -- 16 cores, so using 16 threads [2119] 18/3/2021 -- 11:34:00 - (runmode-af-packet.c:652) (ParseAFPConfig) -- Using 16 AF_PACKET threads for interface eno2 [2119] 18/3/2021 -- 11:34:00 - (util-runmodes.c:264) (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 16 thread(s) [2138] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2138] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2139] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2139] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2140] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2140] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 18 files. [2141] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2141] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2142] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2142] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2143] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2143] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2144] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. 
[2144] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2145] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2145] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2146] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2146] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2147] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2147] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2148] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2148] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2149] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2149] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2150] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2150] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2151] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2151] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2152] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. 
[2152] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2153] 18/3/2021 -- 11:34:00 - (log-pcap.c:761) (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap. [2153] 18/3/2021 -- 11:34:00 - (log-pcap.c:902) (PcapLogInitRingBuffer) -- Ring buffer initialized with 19 files. [2119] 18/3/2021 -- 11:34:00 - (source-af-packet.c:423) (AFPPeersListCheck) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Threads number not equals [2119] 18/3/2021 -- 11:34:00 - (runmode-af-packet.c:914) (RunModeIdsAFPWorkers) -- [ERRCODE: SC_ERR_FATAL(171)] - Some IPS capture threads did not peer.

pevma commented 3 years ago

Only one suricata running?

mritto commented 3 years ago

Sorry Pevma!

My mistake!

My issue was in /etc/suricata/selks6-interfaces-config.yaml.

On eno1 I didn't set the direction to eno2 (copy-iface:eno2).
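The root cause in this thread is a one-sided AF_PACKET IPS pair: an interface with `copy-mode: ips` but no `copy-iface` gets paired with itself (the log shows `AF_PACKET IPS mode activated eno1->eno1`), and when the two sides of a pair disagree Suricata aborts with `Threads number not equals` / `Some IPS capture threads did not peer`. Below is an added example, not SELKS or Suricata code, of a pre-flight check that catches this before the service is restarted. It assumes the `af-packet:` section is written as a plain list of `key: value` mappings (as in the interfaces config named above) and uses a deliberately minimal parser for that subset so it runs without a YAML library; the two embedded configs are constructed for the example, with `eno1`/`eno2` taken from the thread.

```python
"""Pre-flight check for AF_PACKET IPS peering in a Suricata af-packet section.

Added example for this issue; not part of SELKS or Suricata. The parser only
understands the '- key: value' list-of-mappings subset used for af-packet
(assumption), and the configs below are constructed, not taken from a host.
"""
from typing import Dict, List

Entry = Dict[str, str]


def parse_af_packet(text: str) -> List[Entry]:
    """Return the interface mappings under 'af-packet:' (minimal parser)."""
    entries: List[Entry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            # A top-level key either opens the af-packet section or ends it.
            in_section = line.strip() == "af-packet:"
            continue
        if not in_section:
            continue
        item = line.strip()
        if item.startswith("- "):
            entries.append({})                   # a new interface mapping
            item = item[2:].strip()
        if entries and ":" in item:
            key, _, value = item.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def check_ips_peering(entries: List[Entry]) -> List[str]:
    """Return one message per peering problem; an empty list means OK."""
    problems: List[str] = []
    by_name = {e["interface"]: e for e in entries if "interface" in e}
    for name, entry in by_name.items():
        if entry.get("copy-mode") != "ips":
            continue                             # IDS-only interface, no peer needed
        peer_name = entry.get("copy-iface")
        if not peer_name or peer_name == name:
            problems.append(
                f"{name}: copy-mode ips without a copy-iface to another "
                f"interface; Suricata will pair it with itself ({name}->{name})")
            continue
        peer = by_name.get(peer_name)
        if peer is None:
            problems.append(f"{name}: copy-iface {peer_name} is not defined")
            continue
        if peer.get("copy-mode") != "ips" or peer.get("copy-iface") != name:
            problems.append(
                f"{name}->{peer_name}: {peer_name} does not copy back to {name}")
        # Both sides must run the same number of capture threads; report the
        # mismatch once per pair (from the lexically smaller side).
        mine, theirs = entry.get("threads", "auto"), peer.get("threads", "auto")
        if name < peer_name and mine != theirs:
            problems.append(
                f"{name}<->{peer_name}: thread counts differ ({mine} vs {theirs})")
    return problems


# Constructed configs in the shape of /etc/suricata/selks6-interfaces-config.yaml.
# BROKEN_CONFIG reproduces the mistake from the thread: eno1 has no copy-iface.
BROKEN_CONFIG = """\
%YAML 1.1
---
af-packet:
  - interface: eno1
    threads: 16
    cluster-id: 98
    copy-mode: ips
  - interface: eno2
    threads: 16
    cluster-id: 97
    copy-mode: ips
    copy-iface: eno1
"""

FIXED_CONFIG = """\
%YAML 1.1
---
af-packet:
  - interface: eno1
    threads: 16
    cluster-id: 98
    copy-mode: ips
    copy-iface: eno2
  - interface: eno2
    threads: 16
    cluster-id: 97
    copy-mode: ips
    copy-iface: eno1
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check_ips_peering(parse_af_packet(cfg))
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for msg in found:
            print("  " + msg)
```

Run against the real file (`python3 check_peering.py` after pointing it at the config, or by importing `parse_af_packet` and feeding it the file contents) before `systemctl restart suricata`; a non-empty result means Suricata would again log `eno1->eno1` or refuse to peer.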