suricata -c /home/sdgdb/etc/suricata.yaml --dump-config 2/4/2015 -- 14:10:21 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - prealloc_sessions is deprecated. Please use prealloc-sessions on line 704. 2/4/2015 -- 14:10:21 - - This is Suricata version 2.0.3 RELEASE 2/4/2015 -- 14:10:21 - - CPUs/cores online: 2 max-pending-packets = 1024 runmode = workers pid-file = /var/run/suricataSDGDB.pid daemon-directory = /home/sdgdb default-packet-size = 1532 default-log-dir = /data/suricata unix-command = (null) unix-command.enabled = no outputs = (null) outputs.0 = fast outputs.0.fast = (null) outputs.0.fast.enabled = no outputs.0.fast.filename = fast.log outputs.0.fast.append = yes outputs.1 = eve-log outputs.1.eve-log = (null) outputs.1.eve-log.enabled = no outputs.1.eve-log.type = file outputs.1.eve-log.filename = eve.json outputs.1.eve-log.types = (null) outputs.1.eve-log.types.0 = alert outputs.1.eve-log.types.1 = http outputs.1.eve-log.types.1.http = (null) outputs.1.eve-log.types.1.http.extended = yes outputs.1.eve-log.types.2 = dns outputs.1.eve-log.types.3 = tls outputs.1.eve-log.types.3.tls = (null) outputs.1.eve-log.types.3.tls.extended = yes outputs.1.eve-log.types.4 = files outputs.1.eve-log.types.4.files = (null) outputs.1.eve-log.types.4.files.force-magic = no outputs.1.eve-log.types.4.files.force-md5 = no outputs.1.eve-log.types.5 = ssh outputs.2 = unified2-alert outputs.2.unified2-alert = (null) outputs.2.unified2-alert.enabled = yes outputs.2.unified2-alert.filename = suricata.u2 outputs.2.unified2-alert.limit = 10mb outputs.2.unified2-alert.xff = (null) outputs.2.unified2-alert.xff.enabled = no outputs.2.unified2-alert.xff.mode = extra-data outputs.2.unified2-alert.xff.header = X-Forwarded-For outputs.3 = http-log outputs.3.http-log = (null) outputs.3.http-log.enabled = no outputs.3.http-log.filename = http.log outputs.3.http-log.append = yes outputs.4 = tls-log outputs.4.tls-log = (null) outputs.4.tls-log.enabled = no outputs.4.tls-log.filename = tls.log outputs.4.tls-log.append = yes outputs.4.tls-log.certs-log-dir = certs outputs.5 = dns-log outputs.5.dns-log = (null) outputs.5.dns-log.enabled = no outputs.5.dns-log.filename = dns.log outputs.5.dns-log.append = yes outputs.6 = pcap-info outputs.6.pcap-info = (null) outputs.6.pcap-info.enabled = no outputs.7 = pcap-log outputs.7.pcap-log = (null) outputs.7.pcap-log.enabled = no outputs.7.pcap-log.filename = log.pcap outputs.7.pcap-log.limit = 100mb outputs.7.pcap-log.max-files = 200 outputs.7.pcap-log.mode = normal outputs.7.pcap-log.use-stream-depth = no outputs.8 = alert-debug outputs.8.alert-debug = (null) outputs.8.alert-debug.enabled = no outputs.8.alert-debug.filename = alert-debug.log outputs.8.alert-debug.append = yes outputs.9 = alert-prelude outputs.9.alert-prelude = (null) outputs.9.alert-prelude.enabled = no outputs.9.alert-prelude.profile = suricata outputs.9.alert-prelude.log-packet-content = no outputs.9.alert-prelude.log-packet-header = yes outputs.10 = stats outputs.10.stats = (null) outputs.10.stats.enabled = yes outputs.10.stats.filename = stats.log outputs.10.stats.interval = 3600 outputs.11 = syslog outputs.11.syslog = (null) outputs.11.syslog.enabled = no outputs.11.syslog.facility = local5 outputs.12 = drop outputs.12.drop = (null) outputs.12.drop.enabled = no outputs.12.drop.filename = drop.log outputs.12.drop.append = yes outputs.13 = file-store outputs.13.file-store = (null) outputs.13.file-store.enabled = no outputs.13.file-store.log-dir = files outputs.13.file-store.force-magic = no outputs.13.file-store.force-md5 = no outputs.14 = file-log outputs.14.file-log = (null) outputs.14.file-log.enabled = no outputs.14.file-log.filename = files-json.log outputs.14.file-log.append = yes outputs.14.file-log.force-magic = no outputs.14.file-log.force-md5 = no magic-file = /usr/share/file/magic nfq = nflog = (null) nflog.0 = group nflog.0.group = 2 nflog.0.buffer-size = 18432 nflog.1 = group nflog.1.group = default nflog.1.qthreshold = 1 nflog.1.qtimeout = 100 nflog.1.max-size = 20000 af-packet = (null) af-packet.0 = af-packet.1 = interface af-packet.1.interface = eth3 af-packet.1.threads = 2 af-packet.1.cluster-id = 98 af-packet.1.defrag = yes af-packet.1.use-mmap = yes af-packet.1.cluster-type = cluster_flow af-packet.2 = interface af-packet.2.interface = eth2 af-packet.2.threads = 2 af-packet.2.cluster-id = 99 af-packet.2.defrag = yes af-packet.2.use-mmap = yes af-packet.2.cluster-type = cluster_flow legacy = (null) legacy.uricontent = disabled threshold-file = /home/sdgdb/etc/threshold.config detect-engine = (null) detect-engine.0 = profile detect-engine.0.profile = low detect-engine.1 = custom-values detect-engine.1.custom-values = (null) detect-engine.1.custom-values.toclient-src-groups = 2 detect-engine.1.custom-values.toclient-dst-groups = 2 detect-engine.1.custom-values.toclient-sp-groups = 2 detect-engine.1.custom-values.toclient-dp-groups = 3 detect-engine.1.custom-values.toserver-src-groups = 2 detect-engine.1.custom-values.toserver-dst-groups = 4 detect-engine.1.custom-values.toserver-sp-groups = 2 detect-engine.1.custom-values.toserver-dp-groups = 25 detect-engine.2 = sgh-mpm-context detect-engine.2.sgh-mpm-context = auto detect-engine.3 = inspection-recursion-limit detect-engine.3.inspection-recursion-limit = 3000 detect-engine.4 = rule-reload detect-engine.4.rule-reload = true threading = (null) threading.set-cpu-affinity = no threading.cpu-affinity = (null) threading.cpu-affinity.0 = management-cpu-set threading.cpu-affinity.0.management-cpu-set = (null) threading.cpu-affinity.0.management-cpu-set.cpu = (null) threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0 threading.cpu-affinity.1 = receive-cpu-set threading.cpu-affinity.1.receive-cpu-set = (null) threading.cpu-affinity.1.receive-cpu-set.cpu = (null) threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0 threading.cpu-affinity.2 = decode-cpu-set threading.cpu-affinity.2.decode-cpu-set = (null) threading.cpu-affinity.2.decode-cpu-set.cpu = (null) threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 0 threading.cpu-affinity.2.decode-cpu-set.cpu.1 = 1 threading.cpu-affinity.2.decode-cpu-set.mode = balanced threading.cpu-affinity.3 = stream-cpu-set threading.cpu-affinity.3.stream-cpu-set = (null) threading.cpu-affinity.3.stream-cpu-set.cpu = (null) threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-1 threading.cpu-affinity.4 = detect-cpu-set threading.cpu-affinity.4.detect-cpu-set = (null) threading.cpu-affinity.4.detect-cpu-set.cpu = (null) threading.cpu-affinity.4.detect-cpu-set.cpu.0 = all threading.cpu-affinity.4.detect-cpu-set.mode = exclusive threading.cpu-affinity.4.detect-cpu-set.prio = (null) threading.cpu-affinity.4.detect-cpu-set.prio.low = (null) threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0 threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null) threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 1-2 threading.cpu-affinity.4.detect-cpu-set.prio.high = (null) threading.cpu-affinity.4.detect-cpu-set.prio.high.0 = 3 threading.cpu-affinity.4.detect-cpu-set.prio.default = medium threading.cpu-affinity.5 = verdict-cpu-set threading.cpu-affinity.5.verdict-cpu-set = (null) threading.cpu-affinity.5.verdict-cpu-set.cpu = (null) threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0 threading.cpu-affinity.5.verdict-cpu-set.prio = (null) threading.cpu-affinity.5.verdict-cpu-set.prio.default = high threading.cpu-affinity.6 = reject-cpu-set threading.cpu-affinity.6.reject-cpu-set = (null) threading.cpu-affinity.6.reject-cpu-set.cpu = (null) threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0 threading.cpu-affinity.6.reject-cpu-set.prio = (null) threading.cpu-affinity.6.reject-cpu-set.prio.default = low threading.cpu-affinity.7 = output-cpu-set threading.cpu-affinity.7.output-cpu-set = (null) threading.cpu-affinity.7.output-cpu-set.cpu = (null) threading.cpu-affinity.7.output-cpu-set.cpu.0 = all threading.cpu-affinity.7.output-cpu-set.prio = (null) threading.cpu-affinity.7.output-cpu-set.prio.default = medium threading.detect-thread-ratio = 1.5 cuda = (null) cuda.mpm = (null) cuda.mpm.data-buffer-size-min-limit = 0 cuda.mpm.data-buffer-size-max-limit = 1500 cuda.mpm.cudabuffer-buffer-size = 500mb cuda.mpm.gpu-transfer-size = 50mb cuda.mpm.batching-timeout = 2000 cuda.mpm.device-id = 0 cuda.mpm.cuda-streams = 2 mpm-algo = ac pattern-matcher = (null) pattern-matcher.0 = b2gc pattern-matcher.0.b2gc = (null) pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq pattern-matcher.0.b2gc.hash-size = low pattern-matcher.0.b2gc.bf-size = medium pattern-matcher.1 = b2gm pattern-matcher.1.b2gm = (null) pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq pattern-matcher.1.b2gm.hash-size = low pattern-matcher.1.b2gm.bf-size = medium pattern-matcher.2 = b2g pattern-matcher.2.b2g = (null) pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq pattern-matcher.2.b2g.hash-size = low pattern-matcher.2.b2g.bf-size = medium pattern-matcher.3 = b3g pattern-matcher.3.b3g = (null) pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq pattern-matcher.3.b3g.hash-size = low pattern-matcher.3.b3g.bf-size = medium pattern-matcher.4 = wumanber pattern-matcher.4.wumanber = (null) pattern-matcher.4.wumanber.hash-size = low pattern-matcher.4.wumanber.bf-size = medium defrag = (null) defrag.memcap = 32mb defrag.hash-size = 65536 defrag.trackers = 65535 defrag.max-frags = 65535 defrag.prealloc = yes defrag.timeout = 30 flow = (null) flow.memcap = 400mb flow.hash-size = 1048576 flow.prealloc = 10000 flow.emergency-recovery = 30 vlan = (null) vlan.use-for-tracking = true flow-timeouts = (null) flow-timeouts.default = (null) flow-timeouts.default.new = 3 flow-timeouts.default.established = 5 flow-timeouts.default.closed = 0 flow-timeouts.default.emergency-new = 3 flow-timeouts.default.emergency-established = 5 flow-timeouts.default.emergency-closed = 0 flow-timeouts.tcp = (null) flow-timeouts.tcp.new = 6 flow-timeouts.tcp.established = 8 flow-timeouts.tcp.closed = 0 flow-timeouts.tcp.emergency-new = 3 flow-timeouts.tcp.emergency-established = 5 flow-timeouts.tcp.emergency-closed = 0 flow-timeouts.udp = (null) flow-timeouts.udp.new = 3 flow-timeouts.udp.established = 8 flow-timeouts.udp.emergency-new = 3 flow-timeouts.udp.emergency-established = 5 flow-timeouts.icmp = (null) flow-timeouts.icmp.new = 3 flow-timeouts.icmp.established = 8 flow-timeouts.icmp.emergency-new = 1 flow-timeouts.icmp.emergency-established = 5 stream = (null) stream.memcap = 300mb stream.checksum-validation = no stream.inline = no stream.midstream = yes stream.async-oneside = true stream.prealloc-sessions = 10000 stream.reassembly = (null) stream.reassembly.memcap = 2300mb stream.reassembly.depth = 1mb stream.reassembly.toserver-chunk-size = 2560 stream.reassembly.toclient-chunk-size = 2560 stream.reassembly.randomize-chunk-size = yes host = (null) host.hash-size = 4096 host.prealloc = 1000 host.memcap = 16777216 logging = (null) logging.default-log-level = info logging.default-output-filter = logging.outputs = (null) logging.outputs.0 = console logging.outputs.0.console = (null) logging.outputs.0.console.enabled = yes logging.outputs.1 = file logging.outputs.1.file = (null) logging.outputs.1.file.enabled = yes logging.outputs.1.file.filename = /data/logs/suricata/suricata.log logging.outputs.2 = syslog logging.outputs.2.syslog = (null) logging.outputs.2.syslog.enabled = no logging.outputs.2.syslog.facility = local5 logging.outputs.2.syslog.format = [%i] <%d> -- mpipe = (null) mpipe.load-balance = dynamic mpipe.iqueue-packets = 512 mpipe.inputs = (null) mpipe.inputs.0 = interface mpipe.inputs.0.interface = xgbe2 mpipe.inputs.1 = interface mpipe.inputs.1.interface = xgbe3 mpipe.inputs.2 = interface mpipe.inputs.2.interface = xgbe4 mpipe.stack = (null) mpipe.stack.size128 = 0 mpipe.stack.size256 = 9 mpipe.stack.size512 = 0 mpipe.stack.size1024 = 0 mpipe.stack.size1664 = 7 mpipe.stack.size4096 = 0 mpipe.stack.size10386 = 0 mpipe.stack.size16384 = 0 mpipe.stack.cluster-type = cluster_flow pfring = (null) pfring.0 = interface pfring.0.interface = eth3 pfring.0.threads = 2 pfring.0.cluster-id = 98 pfring.0.cluster-type = cluster_flow pfring.1 = interface pfring.1.interface = eth2 pfring.1.threads = 2 pfring.1.cluster-id = 99 pfring.1.cluster-type = cluster_flow pcap = (null) pcap.0 = interface pcap.0.interface = eth0 pcap.1 = interface pcap.1.interface = default pcap-file = (null) pcap-file.checksum-checks = auto ipfw = default-rule-path = /home/sdgdb/etc rule-files = (null) rule-files.0 = sdgdb.rules classification-file = /home/sdgdb/etc/classification.config reference-config-file = /home/sdgdb/etc/reference.config vars = (null) vars.address-groups = (null) vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] vars.address-groups.EXTERNAL_NET = !$HOME_NET vars.address-groups.HTTP_SERVERS = $HOME_NET vars.address-groups.SMTP_SERVERS = $HOME_NET vars.address-groups.SQL_SERVERS = $HOME_NET vars.address-groups.DNS_SERVERS = $HOME_NET vars.address-groups.TELNET_SERVERS = $HOME_NET vars.address-groups.AIM_SERVERS = $EXTERNAL_NET vars.address-groups.DNP3_SERVER = $HOME_NET vars.address-groups.DNP3_CLIENT = $HOME_NET vars.address-groups.MODBUS_CLIENT = $HOME_NET vars.address-groups.MODBUS_SERVER = $HOME_NET vars.address-groups.ENIP_CLIENT = $HOME_NET vars.address-groups.ENIP_SERVER = $HOME_NET vars.port-groups = (null) vars.port-groups.HTTP_PORTS = 80 vars.port-groups.SHELLCODE_PORTS = !80 vars.port-groups.ORACLE_PORTS = 1521 vars.port-groups.SSH_PORTS = 22 vars.port-groups.DNP3_PORTS = 20000 action-order = (null) action-order.0 = pass action-order.1 = drop action-order.2 = reject action-order.3 = alert host-os-policy = (null) host-os-policy.windows = (null) host-os-policy.windows.0 = 0.0.0.0/0 host-os-policy.bsd = (null) host-os-policy.bsd-right = (null) host-os-policy.old-linux = (null) host-os-policy.linux = (null) host-os-policy.linux.0 = 10.0.0.0/8 host-os-policy.linux.1 = 192.168.1.100 host-os-policy.linux.2 = 8762:2352:6241:7245:E000:0000:0000:0000 host-os-policy.linux.3 = 126.198.135.11 host-os-policy.old-solaris = (null) host-os-policy.solaris = (null) host-os-policy.solaris.0 = ::1 host-os-policy.hpux10 = (null) host-os-policy.hpux11 = (null) host-os-policy.irix = (null) host-os-policy.macos = (null) host-os-policy.vista = (null) host-os-policy.windows2k3 = (null) asn1-max-frames = 256 engine-analysis = (null) engine-analysis.rules-fast-pattern = yes engine-analysis.rules = yes pcre = (null) pcre.match-limit = 3500 pcre.match-limit-recursion = 1500 app-layer = (null) app-layer.protocols = (null) app-layer.protocols.tls = (null) app-layer.protocols.tls.enabled = no app-layer.protocols.tls.detection-ports = (null) app-layer.protocols.tls.detection-ports.dp = 443 app-layer.protocols.dcerpc = (null) app-layer.protocols.dcerpc.enabled = yes app-layer.protocols.ftp = (null) app-layer.protocols.ftp.enabled = no app-layer.protocols.ssh = (null) app-layer.protocols.ssh.enabled = no app-layer.protocols.smtp = (null) app-layer.protocols.smtp.enabled = no app-layer.protocols.imap = (null) app-layer.protocols.imap.enabled = no app-layer.protocols.msn = (null) app-layer.protocols.msn.enabled = no app-layer.protocols.smb = (null) app-layer.protocols.smb.enabled = no app-layer.protocols.smb.detection-ports = (null) app-layer.protocols.smb.detection-ports.dp = 139 app-layer.protocols.dns = (null) app-layer.protocols.dns.global-memcap = 128kb app-layer.protocols.dns.state-memcap = 64kb app-layer.protocols.dns.tcp = (null) app-layer.protocols.dns.tcp.enabled = yes app-layer.protocols.dns.tcp.detection-ports = (null) app-layer.protocols.dns.tcp.detection-ports.dp = 53 app-layer.protocols.dns.udp = (null) app-layer.protocols.dns.udp.enabled = yes app-layer.protocols.dns.udp.detection-ports = (null) app-layer.protocols.dns.udp.detection-ports.dp = 53 app-layer.protocols.http = (null) app-layer.protocols.http.enabled = yes app-layer.protocols.http.libhtp = (null) app-layer.protocols.http.libhtp.default-config = (null) app-layer.protocols.http.libhtp.default-config.personality = IDS app-layer.protocols.http.libhtp.default-config.request-body-limit = 3072 app-layer.protocols.http.libhtp.default-config.response-body-limit = 3072 app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 7kb app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 32kb app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 7kb app-layer.protocols.http.libhtp.default-config.double-decode-path = no app-layer.protocols.http.libhtp.default-config.double-decode-query = no app-layer.protocols.http.libhtp.server-config = profiling = (null) profiling.sample-rate = 1000 profiling.rules = (null) profiling.rules.enabled = no profiling.rules.filename = rule_perf.log profiling.rules.append = yes profiling.rules.sort = avgticks profiling.rules.limit = 100 profiling.keywords = (null) profiling.keywords.enabled = no profiling.keywords.filename = keyword_perf.log profiling.keywords.append = yes profiling.packets = (null) profiling.packets.enabled = no profiling.packets.filename = packet_stats.log profiling.packets.append = yes profiling.packets.csv = (null) profiling.packets.csv.enabled = no profiling.packets.csv.filename = packet_stats.csv profiling.locks = (null) profiling.locks.enabled = no profiling.locks.filename = lock_stats.log profiling.locks.append = yes coredump = (null) coredump.max-dump = unlimited napatech = (null) napatech.hba = -1 napatech.use-all-streams = yes napatech.streams = (null) napatech.streams.0 = 1 napatech.streams.1 = 2 napatech.streams.2 = 3