Wednesday, April 06, 2022

Re: path error in suricata package

-----Original Message-----
From: Stuart Henderson <stu@spacehopper.org>
Sent: Wednesday, April 6, 2022 3:07 AM
To: George Pontis <gpontis@z9.com>
Cc: bugs@openbsd.org; ports@openbsd.org
Subject: Re: path error in suricata package

Moving to ports@openbsd.org, please reply there

On 2022/04/05 10:31, George Pontis wrote:
>> OpenBSD 7.0 release for amd64
>>
>> After installing the suricata 6.0.2 package, the readme provides
>> guidance for using suricata-update as follows:
>>
>> *****
>>
>> suricata-update
>> ---------------
>> suricata-update is the recommended way to install and update rules.
>> By default it will download the new rules into /var/suricata/rules
>>
>> Edit /etc/suricata/suricata.yaml and replace the existing
>> default-rule-path and rule-files sections with this:
>>
>> default-rule-path: /var/suricata/rules/
>> rule-files:
>> - suricata.rules
>>
>> *****
>>
>> However, suricata-update is actually coded to put the rules under
>> /var/lib/suricata/rules, so the running instance does not see the
>> rules and bombs out in a flood of errors
>>
>
> Can you show some more information and the actual error messages?
> As far as I can see suricata-update is patched in the port to use the
> location directly under /var (VARBASE).
>
> https://github.com/openbsd/ports/blob/master/security/suricata/patches/patch-suricata-update_suricata_update_config_py
>
> https://github.com/openbsd/ports/blob/master/security/suricata/patches/patch-suricata-update_suricata_update_parsers_py

Is it possible that this patch is more recent than the 6.0.2p0 version
included in the OpenBSD 7.0 amd64 packages? I gave up and uninstalled
the package, but from the remaining logs in /var/log/messages, I can report
the following.

Here's what was logged to /var/log/messages with the data directory set for
/var/suricata/... and after running suricata-update.
I might add that as soon as suricata-update starts, one of the first few
lines of output show that it is using data directory /var/lib/suricata and
not /var/suricata.

Apr 5 09:45:08 Lucky69 suricata: [5625] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 5 09:45:08 Lucky69 suricata: [92381] <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/suricata/rules/suricata.rules
Apr 5 09:45:08 Lucky69 suricata: [92381] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!

After changing to "default-rule-path: /var/lib/suricata/rules/", it starts
up normally:

Apr 5 16:56:54 Lucky69 suricata: [9231] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr 5 16:57:49 Lucky69 suricata: [9231] <Notice> -- all 5 packet processing threads, 4 management threads initialized, engine started.

It would have been an easy workaround to just let it use rules under
/var/lib/suricata, but the program always quits later with "Abort trap". I
ran it from the command line and logged this output:

/var/log/suricata >> suricata -vvv -c /etc/suricata/suricata.yaml -i vlan13
5/4/2022 -- 17:15:20 - <Notice> - This is Suricata version 6.0.2 RELEASE
running in SYSTEM mode
5/4/2022 -- 17:15:20 - <Info> - CPUs/cores online: 4
5/4/2022 -- 17:15:20 - <Config> - 'default' server has
'request-body-minimal-inspect-size' set to 34109 and
'request-body-inspect-window' set to 4140 after randomization.
5/4/2022 -- 17:15:20 - <Config> - 'default' server has
'response-body-minimal-inspect-size' set to 41863 and
'response-body-inspect-window' set to 16189 after randomization.
5/4/2022 -- 17:15:20 - <Config> - SMB stream depth: 0
5/4/2022 -- 17:15:20 - <Config> - Protocol detection and parser disabled for
modbus protocol.
5/4/2022 -- 17:15:20 - <Config> - Protocol detection and parser disabled for
enip protocol.
5/4/2022 -- 17:15:20 - <Config> - Protocol detection and parser disabled for
DNP3.
5/4/2022 -- 17:15:20 - <Info> - Found an MTU of 1500 for 'vlan13'
5/4/2022 -- 17:15:20 - <Info> - Found an MTU of 1500 for 'vlan13'
5/4/2022 -- 17:15:20 - <Config> - PCRE won't use JIT as OS doesn't allow RWX
pages
5/4/2022 -- 17:15:20 - <Config> - allocated 262144 bytes of memory for the
host hash... 4096 buckets of size 64
5/4/2022 -- 17:15:20 - <Config> - preallocated 1000 hosts of size 104
5/4/2022 -- 17:15:20 - <Config> - host memory usage: 366144 bytes, maximum:
33554432
5/4/2022 -- 17:15:20 - <Config> - Core dump size is unlimited.
5/4/2022 -- 17:15:20 - <Config> - allocated 1572864 bytes of memory for the
defrag hash... 65536 buckets of size 24
5/4/2022 -- 17:15:20 - <Config> - preallocated 65535 defrag trackers of size
128
5/4/2022 -- 17:15:20 - <Config> - defrag memory usage: 9961344 bytes,
maximum: 33554432
5/4/2022 -- 17:15:20 - <Config> - flow size 288, memcap allows for 466033
flows. Per hash row in perfect conditions 7
5/4/2022 -- 17:15:20 - <Config> - stream "prealloc-sessions": 2048 (per
thread)
5/4/2022 -- 17:15:20 - <Config> - stream "memcap": 67108864
5/4/2022 -- 17:15:20 - <Config> - stream "midstream" session pickups:
disabled
5/4/2022 -- 17:15:20 - <Config> - stream "async-oneside": disabled
5/4/2022 -- 17:15:20 - <Config> - stream "checksum-validation": enabled
5/4/2022 -- 17:15:20 - <Config> - stream."inline": disabled
5/4/2022 -- 17:15:20 - <Config> - stream "bypass": disabled
5/4/2022 -- 17:15:20 - <Config> - stream "max-synack-queued": 5
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly "memcap": 268435456
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly "depth": 1048576
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly "toserver-chunk-size":
2472
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly "toclient-chunk-size":
2554
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly.raw: enabled
5/4/2022 -- 17:15:20 - <Config> - stream.reassembly "segment-prealloc": 2048
5/4/2022 -- 17:15:20 - <Info> - fast output device (regular) initialized:
fast.log
5/4/2022 -- 17:15:20 - <Info> - eve-log output device (regular) initialized:
eve.json
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'alert'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'anomaly'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'http'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'dns'
5/4/2022 -- 17:15:20 - <Config> - eve-log dns version not set, defaulting to
version 2
5/4/2022 -- 17:15:20 - <Config> - eve-log dns version not set, defaulting to
version 2
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'tls'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'files'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'smtp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'ftp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'rdp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'nfs'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'smb'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'tftp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'ikev2'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'dcerpc'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'krb5'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'snmp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'rfb'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'sip'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'dhcp'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'ssh'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'mqtt'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'stats'
5/4/2022 -- 17:15:20 - <Config> - enabling 'eve-log' module 'flow'
5/4/2022 -- 17:15:20 - <Info> - stats output device (regular) initialized:
stats.log
5/4/2022 -- 17:15:20 - <Config> - Delayed detect disabled
5/4/2022 -- 17:15:20 - <Info> - Running in live mode, activating unix socket
5/4/2022 -- 17:15:20 - <Config> - pattern matchers: MPM: ac, SPM: bm
5/4/2022 -- 17:15:20 - <Config> - grouping: tcp-whitelist (default) 53, 80,
139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
5/4/2022 -- 17:15:20 - <Config> - grouping: udp-whitelist (default) 53, 135,
5060
5/4/2022 -- 17:15:20 - <Config> - prefilter engines: MPM
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_uri
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_raw_uri
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_request_line
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_client_body
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_response_line
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_header_names
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_header_names
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_accept
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_accept_enc
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_accept_lang
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_referer
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_connection
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_content_len
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_content_len
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_content_type
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_content_type
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http.server
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http.location
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_protocol
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_protocol
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_start
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_start
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_raw_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_raw_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_method
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_cookie
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_cookie
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file.magic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_user_agent
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_host
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_raw_host
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_stat_msg
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http_stat_code
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http2_header_name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http2_header_name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http2_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for http2_header
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dns_query
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dnp3_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dnp3_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tls.sni
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tls.cert_issuer
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tls.cert_subject
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tls.cert_serial
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
tls.cert_fingerprint
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tls.certs
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ja3.hash
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ja3.string
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ja3s.hash
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ja3s.string
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dce_stub_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dce_stub_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dce_stub_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for dce_stub_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for smb_named_pipe
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for smb_share
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh.proto
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh.proto
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh_software
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh_software
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh.hassh
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh.hassh.server
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ssh.hassh.string
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
ssh.hassh.server.string
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for file_data
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for krb5_cname
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for krb5_sname
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.method
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.uri
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.protocol
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.protocol
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.method
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.stat_msg
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.request_line
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for sip.response_line
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for rfb.name
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for snmp.community
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for snmp.community
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.connect.clientid
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.connect.username
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.connect.password
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.connect.willtopic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.connect.willmessage
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for mqtt.publish.topic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.publish.message
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.subscribe.topic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for
mqtt.unsubscribe.topic
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for icmpv4.hdr
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for tcp.hdr
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for udp.hdr
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for icmpv6.hdr
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ipv4.hdr
5/4/2022 -- 17:15:20 - <Perf> - using shared mpm ctx' for ipv6.hdr
5/4/2022 -- 17:15:20 - <Config> - IP reputation disabled
5/4/2022 -- 17:15:20 - <Config> - Loading rule file:
/var/lib/suricata/rules/suricata.rules
5/4/2022 -- 17:15:24 - <Info> - 1 rule files processed. 25186 rules
successfully loaded, 0 rules failed
5/4/2022 -- 17:15:25 - <Info> - Threshold config parsed: 0 rule(s) found
5/4/2022 -- 17:15:26 - <Perf> - using shared mpm ctx' for tcp-packet
5/4/2022 -- 17:15:26 - <Perf> - using shared mpm ctx' for tcp-stream
5/4/2022 -- 17:15:26 - <Perf> - using shared mpm ctx' for udp-packet
5/4/2022 -- 17:15:26 - <Perf> - using shared mpm ctx' for other-ip
5/4/2022 -- 17:15:26 - <Info> - 25189 signatures processed. 1262 are IP-only
rules, 4093 are inspecting packet payload, 19634 inspect application layer,
105 are decoder event only
5/4/2022 -- 17:15:26 - <Config> - building signature grouping structure,
stage 1: preprocessing rules... complete
5/4/2022 -- 17:15:26 - <Perf> - TCP toserver: 41 port groups, 40 unique
SGH's, 1 copies
5/4/2022 -- 17:15:26 - <Perf> - TCP toclient: 21 port groups, 21 unique
SGH's, 0 copies
5/4/2022 -- 17:15:26 - <Perf> - UDP toserver: 41 port groups, 38 unique
SGH's, 3 copies
5/4/2022 -- 17:15:26 - <Perf> - UDP toclient: 21 port groups, 17 unique
SGH's, 4 copies
5/4/2022 -- 17:15:26 - <Perf> - OTHER toserver: 254 proto groups, 3 unique
SGH's, 251 copies
5/4/2022 -- 17:15:26 - <Perf> - OTHER toclient: 254 proto groups, 0 unique
SGH's, 254 copies
5/4/2022 -- 17:16:11 - <Perf> - Unique rule groups: 119
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toserver TCP packet": 28
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toclient TCP packet": 19
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toserver TCP stream": 31
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toclient TCP stream": 19
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toserver UDP packet": 38
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "toclient UDP packet": 16
5/4/2022 -- 17:16:11 - <Perf> - Builtin MPM "other IP packet": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_uri (http)": 8
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_raw_uri (http)":
1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_request_line
(http)": 4
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_client_body
(http)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_response_line
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_header (http)":
7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_header (http)":
7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_header_names
(http)": 5
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_header_names
(http)": 5
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_accept (http)":
3
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_accept_enc
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_accept_lang
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_referer (http)":
1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_connection
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_content_len
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_content_len
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_content_type
(http)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_content_type
(http)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http.server (http)":
2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http.location
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_protocol
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_protocol
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_start (http)": 6
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_start (http)": 6
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_raw_header
(http)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_raw_header
(http)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_method (http)":
2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_cookie (http)":
3
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_cookie (http)":
3
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_user_agent
(http)": 6
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_host (http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_host (http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver http_raw_host
(http)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient http_stat_code
(http)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver dns_query (dns)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver dns_query (dns)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver tls.sni (tls)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver tls.sni (tls)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient tls.cert_issuer
(tls)": 5
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient tls.cert_subject
(tls)": 4
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient tls.cert_serial
(tls)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient tls.cert_fingerprint
(tls)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient tls.certs (tls)": 3
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver ja3.hash (tls)": 2
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient ja3s.hash (tls)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver ssh.proto (ssh)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient ssh.proto (ssh)": 1
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver file_data (smtp)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient file_data (http)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver file_data (smb)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient file_data (smb)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toserver file_data (http2)": 7
5/4/2022 -- 17:16:11 - <Perf> - AppLayer MPM "toclient file_data (http2)": 7
5/4/2022 -- 17:16:15 - <Config> - AutoFP mode using "Hash" flow load
balancer
5/4/2022 -- 17:16:15 - <Info> - Using 1 live device(s).
5/4/2022 -- 17:16:15 - <Info> - using interface vlan13
5/4/2022 -- 17:16:15 - <Info> - running in 'auto' checksum mode. Detection
of interface state will require 1000ULL packets
5/4/2022 -- 17:16:15 - <Info> - Found an MTU of 1500 for 'vlan13'
5/4/2022 -- 17:16:15 - <Info> - Set snaplen to 1524 for 'vlan13'
5/4/2022 -- 17:16:15 - <Info> - RunModeIdsPcapAutoFp initialised
5/4/2022 -- 17:16:15 - <Config> - using 1 flow manager threads
5/4/2022 -- 17:16:15 - <Config> - using 1 flow recycler threads
5/4/2022 -- 17:16:15 - <Info> - Running in live mode, activating unix socket
5/4/2022 -- 17:16:15 - <Info> - Using unix socket file
'/var/run/suricata/suricata-command.socket'
5/4/2022 -- 17:16:15 - <Notice> - all 5 packet processing threads, 4
management threads initialized, engine started.
5/4/2022 -- 17:16:37 - <Info> - No packets with invalid checksum, assuming
checksum offloading is NOT used
Abort trap
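The SC_ERR_NO_RULES(42) warning above is the generic symptom of default-rule-path in suricata.yaml not matching the directory suricata-update writes into (its -D/--data-dir, /var/lib/suricata on the stock Python package, patched to /var/suricata in the OpenBSD port according to the reply). The script below is an added example, not code from the Suricata project or the OpenBSD port: it extracts default-rule-path and rule-files from a suricata.yaml fragment, expands each entry the way Suricata does (absolute paths as-is, relative ones joined to default-rule-path, globs allowed), and reports which patterns match nothing, plus a hint when suricata-update's rules directory differs. The directory layout it builds in a scratch tree and the single rule line are constructed samples reproducing the report; the function and variable names are my own.

```python
"""Pre-flight check: does suricata.yaml point at the rules that
suricata-update actually wrote?  Added example, not part of the
Suricata project or the OpenBSD port."""
import glob
import os
import re
import tempfile


def parse_rule_config(yaml_text):
    """Pull default-rule-path and the rule-files list out of suricata.yaml.

    Deliberately not a full YAML parser: it only understands the two
    top-level keys the package README tells you to edit, so it has no
    dependency on PyYAML and cannot be fooled by the rest of the file."""
    rule_path = None
    rule_files = []
    in_list = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^default-rule-path:\s*(\S+)", line)
        if m:
            rule_path = m.group(1).strip("'\"")
            in_list = False
            continue
        if re.match(r"^rule-files:\s*$", line):
            in_list = True
            continue
        if in_list:
            m = re.match(r"^\s*-\s*(\S+)", line)    # list items may be unindented
            if m:
                rule_files.append(m.group(1).strip("'\""))
                continue
            in_list = False                        # any other key ends the list
    return rule_path, rule_files


def check_rule_files(yaml_text, update_data_dir):
    """Return (missing, hint).

    missing: expanded rule-file patterns that match no file, i.e. exactly
             what Suricata would log as SC_ERR_NO_RULES.
    hint:    suricata-update's rules directory when it differs from
             default-rule-path and something is missing, else None."""
    rule_path, rule_files = parse_rule_config(yaml_text)
    rule_path = rule_path or ""
    missing = []
    for rf in rule_files:
        full = rf if os.path.isabs(rf) else os.path.join(rule_path, rf)
        if not glob.glob(full):
            missing.append(full)
    update_rules_dir = os.path.join(update_data_dir, "rules")
    hint = None
    if missing and os.path.normpath(rule_path) != os.path.normpath(update_rules_dir):
        hint = update_rules_dir
    return missing, hint


def run_demo():
    """Rebuild the report's situation in a scratch tree (constructed sample):
    suricata-update wrote to <root>/var/lib/suricata/rules while the README
    config points Suricata at <root>/var/suricata/rules."""
    root = tempfile.mkdtemp(prefix="suricata-check-")
    update_data_dir = os.path.join(root, "var", "lib", "suricata")
    os.makedirs(os.path.join(update_data_dir, "rules"))
    with open(os.path.join(update_data_dir, "rules", "suricata.rules"), "w") as f:
        # one constructed rule so the file is non-empty
        f.write('alert tcp any any -> any any (msg:"constructed test rule"; sid:1; rev:1;)\n')

    # the README's suggested config, with the path rooted in the scratch tree
    readme_yaml = (
        f"default-rule-path: {root}/var/suricata/rules/\n"
        "rule-files:\n"
        "- suricata.rules\n"
    )
    # the config the reporter ended up using
    fixed_yaml = (
        f"default-rule-path: {update_data_dir}/rules/\n"
        "rule-files:\n"
        "- suricata.rules\n"
    )
    before_missing, before_hint = check_rule_files(readme_yaml, update_data_dir)
    after_missing, after_hint = check_rule_files(fixed_yaml, update_data_dir)
    return {
        "before_missing": before_missing, "before_hint": before_hint,
        "after_missing": after_missing, "after_hint": after_hint,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

To use it against a real box, read /etc/suricata/suricata.yaml into check_rule_files and pass the data directory suricata-update prints in its first lines of output (the reporter saw /var/lib/suricata there); a non-empty missing list before starting the daemon is the same condition that otherwise surfaces only as the SC_ERR_NO_RULES warning in /var/log/messages.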
