sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0 -v
9/6/2017 -- 21:51:04 - - This is Suricata version 3.0.1 RELEASE
9/6/2017 -- 21:51:04 - - CPUs/cores online: 4
9/6/2017 -- 21:51:04 - - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
9/6/2017 -- 21:51:04 - - 'default' server has 'response-body-minimal-inspect-size' set to 42119 and 'response-body-inspect-window' set to 16872 after randomization.
9/6/2017 -- 21:51:04 - - DNS request flood protection level: 500
9/6/2017 -- 21:51:04 - - DNS per flow memcap (state-memcap): 524288
9/6/2017 -- 21:51:04 - - DNS global memcap: 16777216
9/6/2017 -- 21:51:04 - - Protocol detection and parser disabled for modbus protocol.
9/6/2017 -- 21:51:04 - - Found an MTU of 1500 for 'eth0'
9/6/2017 -- 21:51:04 - - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
9/6/2017 -- 21:51:04 - - preallocated 65535 defrag trackers of size 116
9/6/2017 -- 21:51:04 - - defrag memory usage: 9699212 bytes, maximum: 33554432
9/6/2017 -- 21:51:04 - - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
9/6/2017 -- 21:51:04 - - preallocated 1000 hosts of size 84
9/6/2017 -- 21:51:04 - - host memory usage: 346144 bytes, maximum: 16777216
9/6/2017 -- 21:51:04 - - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
9/6/2017 -- 21:51:04 - - preallocated 10000 flows of size 212
9/6/2017 -- 21:51:04 - - flow memory usage: 6314304 bytes, maximum: 67108864
9/6/2017 -- 21:51:04 - - stream "prealloc-sessions": 2048 (per thread)
9/6/2017 -- 21:51:04 - - stream "memcap": 33554432
9/6/2017 -- 21:51:04 - - stream "midstream" session pickups: disabled
9/6/2017 -- 21:51:04 - - stream "async-oneside": disabled
9/6/2017 -- 21:51:04 - - stream "checksum-validation": enabled
9/6/2017 -- 21:51:04 - - stream."inline": disabled
9/6/2017 -- 21:51:04 - - stream "max-synack-queued": 5
9/6/2017 -- 21:51:04 - - stream.reassembly "memcap": 134217728
9/6/2017 -- 21:51:04 - - stream.reassembly "depth": 1048576
9/6/2017 -- 21:51:04 - - stream.reassembly "toserver-chunk-size": 2529
9/6/2017 -- 21:51:04 - - stream.reassembly "toclient-chunk-size": 2640
9/6/2017 -- 21:51:04 - - stream.reassembly.raw: enabled
9/6/2017 -- 21:51:04 - - segment pool: pktsize 4, prealloc 256
9/6/2017 -- 21:51:04 - - segment pool: pktsize 16, prealloc 512
9/6/2017 -- 21:51:04 - - segment pool: pktsize 112, prealloc 512
9/6/2017 -- 21:51:04 - - segment pool: pktsize 248, prealloc 512
9/6/2017 -- 21:51:04 - - segment pool: pktsize 512, prealloc 512
9/6/2017 -- 21:51:04 - - segment pool: pktsize 768, prealloc 1024
9/6/2017 -- 21:51:04 - - segment pool: pktsize 1448, prealloc 1024
9/6/2017 -- 21:51:04 - - segment pool: pktsize 65535, prealloc 128
9/6/2017 -- 21:51:04 - - stream.reassembly "chunk-prealloc": 250
9/6/2017 -- 21:51:04 - - stream.reassembly "zero-copy-size": 128
9/6/2017 -- 21:51:04 - - allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
9/6/2017 -- 21:51:04 - - preallocated 1000 ippairs of size 92
9/6/2017 -- 21:51:04 - - ippair memory usage: 354144 bytes, maximum: 16777216
9/6/2017 -- 21:51:04 - - Delayed detect disabled
9/6/2017 -- 21:51:04 - - IP reputation disabled
9/6/2017 -- 21:51:04 - - Loading rule file: /opt/suricata/etc/suricata/rules/botcc.rules
9/6/2017 -- 21:51:04 - - Loading rule file: /opt/suricata/etc/suricata/rules/ciarmy.rules
9/6/2017 -- 21:51:04 - - Loading rule file: /opt/suricata/etc/suricata/rules/compromised.rules
9/6/2017 -- 21:51:04 - - Loading rule file: /opt/suricata/etc/suricata/rules/drop.rules
9/6/2017 -- 21:51:05 - - Loading rule file: /opt/suricata/etc/suricata/rules/dshield.rules
9/6/2017 -- 21:51:05 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-attack_response.rules
9/6/2017 -- 21:51:05 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-chat.rules
9/6/2017 -- 21:51:05 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-current_events.rules
9/6/2017 -- 21:51:11 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-dns.rules
9/6/2017 -- 21:51:11 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-dos.rules
9/6/2017 -- 21:51:12 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-exploit.rules
9/6/2017 -- 21:51:13 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-ftp.rules
9/6/2017 -- 21:51:13 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-imap.rules
9/6/2017 -- 21:51:13 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-malware.rules
9/6/2017 -- 21:51:15 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-misc.rules
9/6/2017 -- 21:51:15 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-mobile_malware.rules
9/6/2017 -- 21:51:15 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-netbios.rules
9/6/2017 -- 21:51:18 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-p2p.rules
9/6/2017 -- 21:51:18 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-policy.rules
9/6/2017 -- 21:51:19 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-pop3.rules
9/6/2017 -- 21:51:19 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-rpc.rules
9/6/2017 -- 21:51:20 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-scada.rules
9/6/2017 -- 21:51:20 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-scan.rules
9/6/2017 -- 21:51:20 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-smtp.rules
9/6/2017 -- 21:51:20 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-snmp.rules
9/6/2017 -- 21:51:20 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-sql.rules
9/6/2017 -- 21:51:21 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-telnet.rules
9/6/2017 -- 21:51:21 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-tftp.rules
9/6/2017 -- 21:51:21 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-trojan.rules
9/6/2017 -- 21:51:37 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-user_agents.rules
9/6/2017 -- 21:51:37 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-voip.rules
9/6/2017 -- 21:51:37 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-web_client.rules
9/6/2017 -- 21:51:37 - - Loading rule file: /opt/suricata/etc/suricata/rules/files.rules
9/6/2017 -- 21:51:37 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-web_server.rules
9/6/2017 -- 21:51:38 - - Loading rule file: /opt/suricata/etc/suricata/rules/emerging-worm.rules
9/6/2017 -- 21:51:38 - - Loading rule file: /opt/suricata/etc/suricata/rules/tor.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/decoder-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/stream-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/http-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/smtp-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/dns-events.rules
9/6/2017 -- 21:51:39 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata/etc/suricata/rules/tls-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/app-layer-events.rules
9/6/2017 -- 21:51:39 - - 43 rule files processed. 13237 rules successfully loaded, 0 rules failed
9/6/2017 -- 21:51:40 - - 13245 signatures processed. 1235 are IP-only rules, 5485 are inspecting packet payload, 8022 inspect application layer, 100 are decoder event only
9/6/2017 -- 21:51:40 - - building signature grouping structure, stage 1: preprocessing rules... complete
9/6/2017 -- 21:51:42 - - building signature grouping structure, stage 2: building source address list... complete
9/6/2017 -- 21:51:52 - - building signature grouping structure, stage 3: building destination address lists... complete
9/6/2017 -- 21:51:59 - - Threshold config parsed: 0 rule(s) found
9/6/2017 -- 21:51:59 - - Core dump size set to unlimited.
9/6/2017 -- 21:51:59 - - fast output device (regular) initialized: fast.log
9/6/2017 -- 21:51:59 - - eve-log output device (regular) initialized: eve.json
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'alert'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'http'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'dns'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'tls'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'files'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'smtp'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'ssh'
9/6/2017 -- 21:51:59 - - enabling 'eve-log' module 'stats'
9/6/2017 -- 21:51:59 - - http-log output device (regular) initialized: http.log
9/6/2017 -- 21:51:59 - - stats output device (regular) initialized: stats.log
9/6/2017 -- 21:51:59 - - forcing md5 calculation for stored files
9/6/2017 -- 21:51:59 - - storing files in /var/log/suricata//files
9/6/2017 -- 21:51:59 - - file-log output device (regular) initialized: files-json.log
9/6/2017 -- 21:51:59 - - forcing md5 calculation for logged files
9/6/2017 -- 21:51:59 - - Using 4 AF_PACKET threads for interface eth0
9/6/2017 -- 21:51:59 - - Enabling mmaped capture on iface eth0
9/6/2017 -- 21:51:59 - - Using flow cluster mode for AF_PACKET (iface eth0)
9/6/2017 -- 21:51:59 - - Using defrag kernel functionality for AF_PACKET (iface eth0)
9/6/2017 -- 21:51:59 - - NIC offloading on eth0: GRO: unset, LRO: unset
9/6/2017 -- 21:51:59 - - eth0: enabling zero copy mode
9/6/2017 -- 21:51:59 - - eth0: enabling zero copy mode by using data release call
9/6/2017 -- 21:51:59 - - Going to use 4 thread(s)
9/6/2017 -- 21:51:59 - - preallocated 1024 packets. Total memory 2895872
9/6/2017 -- 21:51:59 - - id 43
9/6/2017 -- 21:51:59 - - preallocated 1024 packets. Total memory 2895872
9/6/2017 -- 21:51:59 - - preallocated 1024 packets. Total memory 2895872
9/6/2017 -- 21:51:59 - - preallocated 1024 packets. Total memory 2895872
9/6/2017 -- 21:51:59 - - using 1 flow manager threads
9/6/2017 -- 21:51:59 - - preallocated 1024 packets. Total memory 2895872
9/6/2017 -- 21:51:59 - - using 1 flow recycler threads
9/6/2017 -- 21:51:59 - - all 4 packet processing threads, 4 management threads initialized, engine started.
9/6/2017 -- 21:51:59 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1584 frame_nr=520
9/6/2017 -- 21:51:59 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1584 frame_nr=520
9/6/2017 -- 21:51:59 - - Starting to read on AFPacketeth01
9/6/2017 -- 21:51:59 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1584 frame_nr=520
9/6/2017 -- 21:51:59 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1584 frame_nr=520
9/6/2017 -- 21:52:00 - - All AFP capture threads are running.
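The startup log above is the place to catch a sensor that came up but is not inspecting what you think it is: the SC_ERR_NO_RULES error for tls-events.rules is not fatal (Suricata went on to load 13237 rules from 43 files and started all capture threads), so it is easy to miss in a long -v dump. The following script is an added example, not part of the original page and not Suricata's own code. It parses the Suricata 3.x console format "D/M/YYYY -- HH:MM:SS - <Level> - message" (the dump above lost the "<Level>" token during extraction, so the parser treats it as optional), and reports rule-file errors, rule counts, AF_PACKET thread count, NIC offload state, and whether the engine and capture threads actually reported starting. The sample input is an excerpt of the log above plus one constructed line that keeps the level token; the treatment of any GRO/LRO value other than "unset" as a problem is this example's own policy, not something the log states.

```python
"""Sanity-check a Suricata 3.x startup log before trusting the sensor.

Added example (not Suricata code). Parses the console log format
"9/6/2017 -- 21:51:04 - <Info> - message"; the "<Level>" token is optional
because the page dump this is based on lost it.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d+/\d+/\d+) -- (\d+:\d+:\d+) - (?:<(\w+)> )?- (.*)$")
ERR_RE = re.compile(r"\[ERRCODE: (\w+)\((\d+)\)\] - (.*)")
SUMMARY_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
THREADS_RE = re.compile(r"Using (\d+) AF_PACKET threads for interface (\S+)")
OFFLOAD_RE = re.compile(r"NIC offloading on (\S+): GRO: (\w+), LRO: (\w+)")


@dataclass
class StartupReport:
    errors: list = field(default_factory=list)          # (code, number, message)
    rule_files: list = field(default_factory=list)      # paths actually loaded
    files_processed: int = 0
    rules_loaded: int = 0
    rules_failed: int = 0
    capture_threads: dict = field(default_factory=dict)  # iface -> thread count
    offload: dict = field(default_factory=dict)          # iface -> (GRO, LRO)
    engine_started: bool = False
    capture_running: bool = False


def parse_startup_log(text):
    """Walk the log once and collect the facts an analyst checks at startup."""
    rep = StartupReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Suricata log line (command echo, blank, etc.)
        msg = m.group(4)
        if e := ERR_RE.search(msg):
            rep.errors.append((e.group(1), int(e.group(2)), e.group(3)))
        elif msg.startswith("Loading rule file: "):
            rep.rule_files.append(msg.split(": ", 1)[1])
        elif s := SUMMARY_RE.search(msg):
            rep.files_processed, rep.rules_loaded, rep.rules_failed = map(int, s.groups())
        elif t := THREADS_RE.search(msg):
            rep.capture_threads[t.group(2)] = int(t.group(1))
        elif o := OFFLOAD_RE.search(msg):
            rep.offload[o.group(1)] = (o.group(2), o.group(3))
        elif "engine started" in msg:
            rep.engine_started = True
        elif msg.startswith("All AFP capture threads are running"):
            rep.capture_running = True
    return rep


def problems(rep):
    """Return human-readable findings; an empty list means a clean start."""
    out = [f"{code}({num}): {msg}" for code, num, msg in rep.errors]
    if rep.rules_failed:
        out.append(f"{rep.rules_failed} rules failed to load")
    if rep.rules_loaded == 0:
        out.append("no rules loaded")
    for iface, (gro, lro) in rep.offload.items():
        # Example policy (assumption): coalescing offloads must be off on a sniffing NIC.
        if gro != "unset" or lro != "unset":
            out.append(f"{iface}: GRO={gro} LRO={lro} (disable with ethtool -K before capture)")
    if not rep.engine_started:
        out.append("engine never reported started")
    if not rep.capture_running:
        out.append("capture threads never reported running")
    return out


# Constructed sample: lines copied from the startup log on this page, plus one
# line that keeps the "<Error>" level token the page dump lost.
SAMPLE_LOG = """\
9/6/2017 -- 21:51:04 - - This is Suricata version 3.0.1 RELEASE
9/6/2017 -- 21:51:04 - - Loading rule file: /opt/suricata/etc/suricata/rules/botcc.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/dns-events.rules
9/6/2017 -- 21:51:39 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata/etc/suricata/rules/tls-events.rules
9/6/2017 -- 21:51:39 - - Loading rule file: /opt/suricata/etc/suricata/rules/app-layer-events.rules
9/6/2017 -- 21:51:39 - - 43 rule files processed. 13237 rules successfully loaded, 0 rules failed
9/6/2017 -- 21:51:59 - - Using 4 AF_PACKET threads for interface eth0
9/6/2017 -- 21:51:59 - - NIC offloading on eth0: GRO: unset, LRO: unset
9/6/2017 -- 21:51:59 - - all 4 packet processing threads, 4 management threads initialized, engine started.
9/6/2017 -- 21:52:00 - - All AFP capture threads are running.
"""

if __name__ == "__main__":
    report = parse_startup_log(SAMPLE_LOG)
    print(f"{report.rules_loaded} rules from {report.files_processed} files, "
          f"threads={report.capture_threads}, offload={report.offload}")
    for finding in problems(report) or ["no problems found"]:
        print("-", finding)
```

Run it against the real file (`suricata ... -v 2>&1 | tee startup.log`, then feed `startup.log` to `parse_startup_log`) after every rule update or configuration change; on the log above it reports exactly one finding, the missing tls-events.rules file, which is the cue to check the rule-files list in suricata.yaml against what is actually on disk.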