|
# suricata --pcap=igb0 -vvvv
|
|
1/7/2021 -- 10:34:04 - <Notice> - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
|
|
1/7/2021 -- 10:34:04 - <Info> - CPUs/cores online: 12
|
|
1/7/2021 -- 10:34:04 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33553 and 'request-body-inspect-window' set to 4066 after randomization.
|
|
1/7/2021 -- 10:34:04 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 41964 and 'response-body-inspect-window' set to 16108 after randomization.
|
|
1/7/2021 -- 10:34:04 - <Config> - SMB stream depth: 0
|
|
1/7/2021 -- 10:34:04 - <Config> - Protocol detection and parser disabled for modbus protocol.
|
|
1/7/2021 -- 10:34:04 - <Config> - Protocol detection and parser disabled for enip protocol.
|
|
1/7/2021 -- 10:34:04 - <Config> - Protocol detection and parser disabled for DNP3.
|
|
1/7/2021 -- 10:34:04 - <Info> - Found an MTU of 1500 for 'igb0'
|
|
1/7/2021 -- 10:34:04 - <Info> - Found an MTU of 1500 for 'igb0'
|
|
1/7/2021 -- 10:34:04 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
|
|
1/7/2021 -- 10:34:04 - <Config> - preallocated 1000 hosts of size 104
|
|
1/7/2021 -- 10:34:04 - <Config> - host memory usage: 366144 bytes, maximum: 33554432
|
|
1/7/2021 -- 10:34:04 - <Config> - Core dump size is unlimited.
|
|
1/7/2021 -- 10:34:04 - <Config> - allocated 1572864 bytes of memory for the defrag hash... 65536 buckets of size 24
|
|
1/7/2021 -- 10:34:04 - <Config> - preallocated 65535 defrag trackers of size 128
|
|
1/7/2021 -- 10:34:04 - <Config> - defrag memory usage: 9961344 bytes, maximum: 33554432
|
|
1/7/2021 -- 10:34:04 - <Config> - flow size 288, memcap allows for 466033 flows. Per hash row in perfect conditions 7
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "prealloc-sessions": 2048 (per thread)
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "memcap": 67108864
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "midstream" session pickups: disabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "async-oneside": disabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "checksum-validation": enabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream."inline": disabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "bypass": disabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream "max-synack-queued": 5
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly "memcap": 268435456
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly "depth": 1048576
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly "toserver-chunk-size": 2669
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly "toclient-chunk-size": 2625
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly.raw: enabled
|
|
1/7/2021 -- 10:34:04 - <Config> - stream.reassembly "segment-prealloc": 2048
|
|
1/7/2021 -- 10:34:04 - <Info> - fast output device (regular) initialized: fast.log
|
|
1/7/2021 -- 10:34:04 - <Info> - eve-log output device (regular) initialized: eve.json
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'alert'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'anomaly'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'http'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'dns'
|
|
1/7/2021 -- 10:34:04 - <Config> - eve-log dns version not set, defaulting to version 2
|
|
1/7/2021 -- 10:34:04 - <Config> - eve-log dns version not set, defaulting to version 2
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'tls'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'files'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'smtp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'ftp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'rdp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'nfs'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'smb'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'tftp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'ikev2'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'dcerpc'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'krb5'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'snmp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'rfb'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'sip'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'dhcp'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'ssh'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'mqtt'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'stats'
|
|
1/7/2021 -- 10:34:04 - <Config> - enabling 'eve-log' module 'flow'
|
|
1/7/2021 -- 10:34:04 - <Info> - stats output device (regular) initialized: stats.log
|
|
1/7/2021 -- 10:34:04 - <Config> - Delayed detect disabled
|
|
1/7/2021 -- 10:34:04 - <Info> - Running in live mode, activating unix socket
|
|
1/7/2021 -- 10:34:04 - <Config> - pattern matchers: MPM: ac, SPM: bm
|
|
1/7/2021 -- 10:34:04 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
|
|
1/7/2021 -- 10:34:04 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
|
|
1/7/2021 -- 10:34:04 - <Config> - prefilter engines: MPM
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_uri
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_raw_uri
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_request_line
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_client_body
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_response_line
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_header_names
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_header_names
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_accept
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_accept_enc
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_accept_lang
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_referer
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_connection
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_content_len
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_content_len
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_content_type
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_content_type
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http.server
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http.location
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_protocol
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_protocol
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_start
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_start
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_raw_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_raw_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_method
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_cookie
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_cookie
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file.magic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_user_agent
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_host
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_raw_host
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_stat_msg
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http_stat_code
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http2_header_name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http2_header_name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http2_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for http2_header
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dns_query
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dnp3_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dnp3_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.sni
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.cert_issuer
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.cert_subject
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.cert_serial
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.cert_fingerprint
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tls.certs
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ja3.hash
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ja3.string
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ja3s.hash
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ja3s.string
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dce_stub_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dce_stub_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dce_stub_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for dce_stub_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for smb_named_pipe
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for smb_share
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.proto
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.proto
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh_software
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh_software
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.hassh
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.hassh.server
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.hassh.string
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ssh.hassh.server.string
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for file_data
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for krb5_cname
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for krb5_sname
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.method
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.uri
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.protocol
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.protocol
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.method
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.stat_msg
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.request_line
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for sip.response_line
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for rfb.name
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for snmp.community
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for snmp.community
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.connect.clientid
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.connect.username
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.connect.password
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.connect.willtopic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.connect.willmessage
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.publish.topic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.publish.message
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.subscribe.topic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for mqtt.unsubscribe.topic
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for icmpv4.hdr
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for tcp.hdr
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for udp.hdr
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for icmpv6.hdr
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ipv4.hdr
|
|
1/7/2021 -- 10:34:04 - <Perf> - using shared mpm ctx' for ipv6.hdr
|
|
1/7/2021 -- 10:34:04 - <Config> - IP reputation disabled
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/3coresec.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/botcc.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/ciarmy.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/compromised.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - No rules loaded from compromised.rules.
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/drop.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/dshield.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-attack_response.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-chat.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-current_events.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-dns.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-dos.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-exploit.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-imap.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-malware.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-misc.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-mobile_malware.rules
|
|
1/7/2021 -- 10:34:04 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-netbios.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-policy.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-pop3.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-rpc.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-scan.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-shellcode.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-smtp.rules
|
|
1/7/2021 -- 10:34:05 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-trojan.rules
|
|
1/7/2021 -- 10:34:06 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-user_agents.rules
|
|
1/7/2021 -- 10:34:06 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-voip.rules
|
|
1/7/2021 -- 10:34:06 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-web_client.rules
|
|
1/7/2021 -- 10:34:06 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-web_server.rules
|
|
1/7/2021 -- 10:34:06 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-web_specific_apps.rules
|
|
1/7/2021 -- 10:34:07 - <Config> - Loading rule file: /var/lib/suricata/rules/emerging-worm.rules
|
|
1/7/2021 -- 10:34:07 - <Config> - Loading rule file: /var/lib/suricata/rules/tor.rules
|
|
1/7/2021 -- 10:34:07 - <Config> - Loading rule file: /var/lib/suricata/rules/custom.rules
|
|
1/7/2021 -- 10:34:07 - <Config> - No rules loaded from custom.rules.
|
|
1/7/2021 -- 10:34:07 - <Info> - 32 rule files processed. 20590 rules successfully loaded, 0 rules failed
|
|
1/7/2021 -- 10:34:07 - <Info> - Threshold config parsed: 2 rule(s) found
|
|
1/7/2021 -- 10:34:07 - <Perf> - using shared mpm ctx' for tcp-packet
|
|
1/7/2021 -- 10:34:07 - <Perf> - using shared mpm ctx' for tcp-stream
|
|
1/7/2021 -- 10:34:07 - <Perf> - using shared mpm ctx' for udp-packet
|
|
1/7/2021 -- 10:34:07 - <Perf> - using shared mpm ctx' for other-ip
|
|
1/7/2021 -- 10:34:07 - <Info> - 20593 signatures processed. 1134 are IP-only rules, 3288 are inspecting packet payload, 16147 inspect application layer, 0 are decoder event only
|
|
1/7/2021 -- 10:34:07 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 4 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
|
|
1/7/2021 -- 10:34:07 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017247 and 0 other sigs
|
|
1/7/2021 -- 10:34:07 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
|
|
1/7/2021 -- 10:34:07 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
|
|
1/7/2021 -- 10:34:08 - <Perf> - UDP toserver: 41 port groups, 24 unique SGH's, 17 copies
|
|
1/7/2021 -- 10:34:08 - <Perf> - UDP toclient: 21 port groups, 18 unique SGH's, 3 copies
|
|
1/7/2021 -- 10:34:08 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
|
|
1/7/2021 -- 10:34:08 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
|
|
1/7/2021 -- 10:34:17 - <Perf> - Unique rule groups: 106
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toserver TCP packet": 29
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toclient TCP packet": 20
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toserver TCP stream": 29
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toclient TCP stream": 21
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toserver UDP packet": 24
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "toclient UDP packet": 18
|
|
1/7/2021 -- 10:34:17 - <Perf> - Builtin MPM "other IP packet": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_uri (http)": 9
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_raw_uri (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_request_line (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_client_body (http)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_response_line (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_header (http)": 8
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_header (http)": 8
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_header_names (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_header_names (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_accept (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_accept_enc (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_accept_lang (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_referer (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_content_len (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_content_len (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_content_type (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_content_type (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_protocol (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_protocol (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_start (http)": 4
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_start (http)": 4
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_raw_header (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_raw_header (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_method (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_cookie (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_cookie (http)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_user_agent (http)": 5
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver http_host (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient http_stat_code (http)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver dns_query (dns)": 4
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver tls.sni (tls)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient tls.cert_issuer (tls)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient tls.cert_subject (tls)": 2
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient tls.cert_serial (tls)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver ssh.proto (ssh)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient ssh.proto (ssh)": 1
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver file_data (smtp)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient file_data (http)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver file_data (smb)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient file_data (smb)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toserver file_data (http2)": 6
|
|
1/7/2021 -- 10:34:17 - <Perf> - AppLayer MPM "toclient file_data (http2)": 6
|
|
1/7/2021 -- 10:34:19 - <Config> - AutoFP mode using "Hash" flow load balancer
|
|
1/7/2021 -- 10:34:19 - <Info> - Using 1 live device(s).
|
|
1/7/2021 -- 10:34:19 - <Info> - using interface igb0
|
|
1/7/2021 -- 10:34:19 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
|
|
1/7/2021 -- 10:34:19 - <Info> - Found an MTU of 1500 for 'igb0'
|
|
1/7/2021 -- 10:34:19 - <Info> - Set snaplen to 1524 for 'igb0'
|
|
1/7/2021 -- 10:34:19 - <Info> - RunModeIdsPcapAutoFp initialised
|
|
1/7/2021 -- 10:34:19 - <Config> - using 1 flow manager threads
|
|
1/7/2021 -- 10:34:19 - <Config> - using 1 flow recycler threads
|
|
1/7/2021 -- 10:34:19 - <Info> - Running in live mode, activating unix socket
|
|
1/7/2021 -- 10:34:19 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
|
|
1/7/2021 -- 10:34:19 - <Notice> - all 13 packet processing threads, 4 management threads initialized, engine started.
|
|
1/7/2021 -- 10:34:36 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
|
|
^C1/7/2021 -- 10:50:25 - <Notice> - Signal Received. Stopping engine.
|
|
1/7/2021 -- 10:50:25 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
|
|
1/7/2021 -- 10:51:26 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RX#01-igb0". Killing engine
|
|
#
|