[519355] Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
[519355] Info: cpu: CPUs/cores online: 20
[519355] Info: suricata: Setting engine mode to IDS mode by default
[519355] Info: exception-policy: master exception-policy set to: auto
[519355] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch)
[519355] Config: app-layer-htp: 'default' server has 'request-body-minimal-inspect-size' set to 32816 and 'request-body-inspect-window' set to 4118 after randomization.
[519355] Config: app-layer-htp: 'default' server has 'response-body-minimal-inspect-size' set to 40417 and 'response-body-inspect-window' set to 16048 after randomization.
[519355] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864
[519355] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864
[519355] Config: app-layer-enip: Protocol detection and parser disabled for enip protocol.
[519355] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3.
[519355] Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[519355] Config: host: preallocated 1000 hosts of size 136
[519355] Config: host: host memory usage: 398144 bytes, maximum: 33554432
[519355] Config: coredump-config: Core dump size set to unlimited.
[519355] Info: logopenfile: fast output device (regular) initialized: fast.log
[519355] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[519355] Config: runmodes: enabling 'eve-log' module 'alert'
[519355] Config: runmodes: enabling 'eve-log' module 'frame'
[519355] Config: runmodes: enabling 'eve-log' module 'anomaly'
[519355] Config: runmodes: enabling 'eve-log' module 'http'
[519355] Config: runmodes: enabling 'eve-log' module 'dns'
[519355] Config: runmodes: enabling 'eve-log' module 'tls'
[519355] Config: runmodes: enabling 'eve-log' module 'files'
[519355] Config: runmodes: enabling 'eve-log' module 'smtp'
[519355] Config: runmodes: enabling 'eve-log' module 'smb'
[519355] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[519355] Config: runmodes: enabling 'eve-log' module 'krb5'
[519355] Config: runmodes: enabling 'eve-log' module 'dhcp'
[519355] Config: runmodes: enabling 'eve-log' module 'ssh'
[519355] Config: runmodes: enabling 'eve-log' module 'mqtt'
[519355] Config: runmodes: enabling 'eve-log' module 'pgsql'
[519355] Config: runmodes: enabling 'eve-log' module 'stats'
[519355] Info: log-pcap: Using log dir .
[519355] Info: log-pcap: Selected pcap-log compression method: none
[519355] Info: log-pcap: Selected pcap-log conditional logging: all
[519355] Info: log-pcap: using normal logging
[519355] Info: logopenfile: stats output device (regular) initialized: stats.log
[519355] Info: counters: Alerts: 0
[519355] Perf: ippair: ippair memory usage: 0 bytes, maximum: 0
[519355] Config: landlock: Landlock is not enabled in configuration
[519355] Config: suricata: Delayed detect disabled
[519355] Config: detect: pattern matchers: MPM: ac, SPM: bm
[519355] Config: detect: grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[519355] Config: detect: grouping: udp-whitelist (default) 53, 135, 5060
[519355] Config: detect: prefilter engines: MPM
[519355] Config: reputation: IP reputation disabled
[519355] Config: detect: Loading rule file: /home/user/rules/suricata.local.rules
[519355] Info: detect: 1 rule files processed. 48 rules successfully loaded, 0 rules failed, 0
[519355] Info: threshold-config: Threshold config parsed: 0 rule(s) found
[519355] Info: detect: 48 signatures processed. 0 are IP-only rules, 42 are inspecting packet payload, 6 inspect application layer, 0 are decoder event only
[519355] Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete
[519355] Perf: detect: TCP toserver: 3 port groups, 2 unique SGH's, 1 copies
[519355] Perf: detect: TCP toclient: 1 port groups, 1 unique SGH's, 0 copies
[519355] Perf: detect: UDP toserver: 1 port groups, 1 unique SGH's, 0 copies
[519355] Perf: detect: UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
[519355] Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
[519355] Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
[519355] Perf: detect: Unique rule groups: 5
[519355] Perf: detect: Builtin MPM "toserver TCP packet": 2
[519355] Perf: detect: Builtin MPM "toclient TCP packet": 1
[519355] Perf: detect: Builtin MPM "toserver TCP stream": 2
[519355] Perf: detect: Builtin MPM "toclient TCP stream": 1
[519355] Perf: detect: Builtin MPM "toserver UDP packet": 1
[519355] Perf: detect: Builtin MPM "toclient UDP packet": 1
[519355] Perf: detect: Builtin MPM "other IP packet": 0
[519355] Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_client_body (http)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[519355] Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (nfs)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (nfs)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (smb)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (smb)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (ftp)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (ftp)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (http)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (http)": 2
[519355] Perf: detect: AppLayer MPM "toclient file_data (http2)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (http2)": 2
[519355] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[519355] Config: tmqh-flow: AutoFP mode using "Hash" flow load balancer
[519355] Info: unix-manager: unix socket '/usr/local/var/run/suricata/suricata-command.socket'
[519355] Notice: threads: Threads created -> Engine started.
[519373] Info: unix-socket: Added file '/home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/cme_query.pcap' to list
[519373] Info: unix-socket: pcap-file.tenant-id not set
[519373] Info: unix-socket: Starting run for '/home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/cme_query.pcap'
[519373] Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: defrag-hash: allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[519373] Config: defrag-hash: preallocated 65535 defrag trackers of size 160
[519373] Config: defrag-hash: defrag memory usage: 14155616 bytes, maximum: 33554432
[519373] Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6
[519373] Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread)
[519373] Config: stream-tcp: stream "memcap": 67108864
[519373] Config: stream-tcp: stream "midstream" session pickups: enabled
[519373] Config: stream-tcp: stream "async-oneside": disabled
[519373] Config: stream-tcp: stream "checksum-validation": disabled
[519373] Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: stream-tcp: stream."inline": disabled
[519373] Config: stream-tcp: stream "bypass": disabled
[519373] Config: stream-tcp: stream "max-syn-queued": 10
[519373] Config: stream-tcp: stream "max-synack-queued": 5
[519373] Config: stream-tcp: stream.reassembly "memcap": 268435456
[519373] Config: stream-tcp: stream.reassembly "depth": 1048576
[519373] Config: stream-tcp: stream.reassembly "toserver-chunk-size": 2434
[519373] Config: stream-tcp: stream.reassembly "toclient-chunk-size": 2461
[519373] Config: stream-tcp: stream.reassembly.raw: enabled
[519373] Config: stream-tcp: stream.liberal-timestamps: disabled
[519373] Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048
[519373] Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8
[519373] Info: logopenfile: fast output device (regular) initialized: fast.log
[519373] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[519373] Config: runmodes: enabling 'eve-log' module 'alert'
[519373] Config: runmodes: enabling 'eve-log' module 'frame'
[519373] Config: runmodes: enabling 'eve-log' module 'anomaly'
[519373] Config: runmodes: enabling 'eve-log' module 'http'
[519373] Config: runmodes: enabling 'eve-log' module 'dns'
[519373] Config: runmodes: enabling 'eve-log' module 'tls'
[519373] Config: runmodes: enabling 'eve-log' module 'files'
[519373] Config: runmodes: enabling 'eve-log' module 'smtp'
[519373] Config: runmodes: enabling 'eve-log' module 'smb'
[519373] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[519373] Config: runmodes: enabling 'eve-log' module 'krb5'
[519373] Config: runmodes: enabling 'eve-log' module 'dhcp'
[519373] Config: runmodes: enabling 'eve-log' module 'ssh'
[519373] Config: runmodes: enabling 'eve-log' module 'mqtt'
[519373] Config: runmodes: enabling 'eve-log' module 'pgsql'
[519373] Config: runmodes: enabling 'eve-log' module 'stats'
[519373] Info: log-pcap: Using log dir /home/user/working/test_pcaps/tests/logs/
[519373] Info: log-pcap: Selected pcap-log compression method: none
[519373] Info: log-pcap: Selected pcap-log conditional logging: all
[519373] Info: log-pcap: using normal logging
[519373] Info: logopenfile: stats output device (regular) initialized: stats.log
[519373] Config: tmqh-flow: AutoFP mode using "Hash" flow load balancer
[519460] Info: log-pcap: Initializing PCAP ring buffer for /home/user/working/test_pcaps/tests/logs//log.pcap.
[519460] Notice: log-pcap: Ring buffer initialized with 260 files.
[519373] Config: flow-manager: using 1 flow manager threads
[519373] Config: flow-manager: using 1 flow recycler threads
[519459] Info: pcap: Starting file run for /home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/cme_query.pcap
[519459] Info: pcap: pcap file /home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/cme_query.pcap end of file reached (pcap err code 0)
[519459] Info: unix-socket: Marking current task as done
[519373] Info: unix-socket: Resetting engine state
[519481] Perf: flow-manager: 2 flows processed
[519459] Notice: pcap: read 1 file, 46 packets, 7894 bytes
[519373] Perf: tmqh-flow: AutoFP - Total flow handler queues - 20
[519373] Info: counters: Alerts: 0
[519373] Perf: ippair: ippair memory usage: 414144 bytes, maximum: 16777216
[519373] Info: unix-socket: Added file '/home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/evil_png_etc_passwd.pcap' to list
[519373] Info: unix-socket: pcap-file.tenant-id not set
[519373] Info: unix-socket: Starting run for '/home/user/working/test_pcaps/tests/pcap_logging_socket_mode_bug/pcaps/evil_png_etc_passwd.pcap'
[519373] Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: defrag-hash: allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[519373] Config: defrag-hash: preallocated 65535 defrag trackers of size 160
[519373] Config: defrag-hash: defrag memory usage: 14155616 bytes, maximum: 33554432
[519373] Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6
[519373] Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread)
[519373] Config: stream-tcp: stream "memcap": 67108864
[519373] Config: stream-tcp: stream "midstream" session pickups: enabled
[519373] Config: stream-tcp: stream "async-oneside": disabled
[519373] Config: stream-tcp: stream "checksum-validation": disabled
[519373] Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch)
[519373] Config: stream-tcp: stream."inline": disabled
[519373] Config: stream-tcp: stream "bypass": disabled
[519373] Config: stream-tcp: stream "max-syn-queued": 10
[519373] Config: stream-tcp: stream "max-synack-queued": 5
[519373] Config: stream-tcp: stream.reassembly "memcap": 268435456
[519373] Config: stream-tcp: stream.reassembly "depth": 1048576
[519373] Config: stream-tcp: stream.reassembly "toserver-chunk-size": 2609
[519373] Config: stream-tcp: stream.reassembly "toclient-chunk-size": 2681
[519373] Config: stream-tcp: stream.reassembly.raw: enabled
[519373] Config: stream-tcp: stream.liberal-timestamps: disabled
[519373] Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048
[519373] Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8
[519373] Info: logopenfile: fast output device (regular) initialized: fast.log
[519373] Info: logopenfile: eve-log output device (regular) initialized: eve.json
[519373] Config: runmodes: enabling 'eve-log' module 'alert'
[519373] Config: runmodes: enabling 'eve-log' module 'frame'
[519373] Config: runmodes: enabling 'eve-log' module 'anomaly'
[519373] Config: runmodes: enabling 'eve-log' module 'http'
[519373] Config: runmodes: enabling 'eve-log' module 'dns'
[519373] Config: runmodes: enabling 'eve-log' module 'tls'
[519373] Config: runmodes: enabling 'eve-log' module 'files'
[519373] Config: runmodes: enabling 'eve-log' module 'smtp'
[519373] Config: runmodes: enabling 'eve-log' module 'smb'
[519373] Config: runmodes: enabling 'eve-log' module 'dcerpc'
[519373] Config: runmodes: enabling 'eve-log' module 'krb5'
[519373] Config: runmodes: enabling 'eve-log' module 'dhcp'
[519373] Config: runmodes: enabling 'eve-log' module 'ssh'
[519373] Config: runmodes: enabling 'eve-log' module 'mqtt'
[519373] Config: runmodes: enabling 'eve-log' module 'pgsql'
[519373] Config: runmodes: enabling 'eve-log' module 'stats'
[519373] Info: log-pcap: Using log dir /home/user/working/test_pcaps/tests/logs/
[519373] Info: log-pcap: Selected pcap-log compression method: none
[519373] Info: log-pcap: Selected pcap-log conditional logging: all
[519373] Info: log-pcap: using normal logging
[519373] Info: logopenfile: stats output device (regular) initialized: stats.log
[519373] Config: tmqh-flow: AutoFP mode using "Hash" flow load balancer
[519490] Error: log-pcap: Pcap logging with multiple link type is not supported.
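The last line is where this run stops: the pcap-log ring buffer was opened during the first unix-socket job (cme_query.pcap) and the error is raised as soon as the second job (evil_png_etc_passwd.pcap) starts, which is the behaviour you get when the files handed to one socket-mode instance do not all share a link type. The link types of the two files in the log are not shown, so the quickest pre-flight check is to read the classic pcap global header of every file you intend to submit and refuse the batch if more than one link type appears. The following Python is an added example, not code from the Suricata project or from this report; the file names, the `build_pcap_header` helper and the in-memory sample headers are constructed for illustration and say nothing about the real files above. It handles both byte orders and the nanosecond magic, masks the FCS bits out of the link-type field, and rejects pcapng rather than guessing.

```python
import struct
import sys

# Classic libpcap magic values as read little-endian from the first 4 bytes.
# The value tells us which byte order the rest of the header uses.
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}
GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
LINKTYPE_MASK = 0x0FFFFFFF  # upper 4 bits of the field carry FCS info, not the link type

# Well-known LINKTYPE values, used only to make the output readable.
LINKTYPE_NAMES = {1: "ETHERNET", 101: "RAW", 113: "LINUX_SLL", 276: "LINUX_SLL2"}


def pcap_linktype(data: bytes) -> int:
    """Return the link type recorded in a classic pcap global header."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    endian = PCAP_MAGICS.get(magic)
    if endian is None:
        # pcapng starts with 0x0A0D0D0A and keeps its link type in an IDB, not here.
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    fields = struct.unpack(endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])
    return fields[6] & LINKTYPE_MASK


def check_single_linktype(files: dict) -> tuple:
    """Map each name to its link type and report whether all files share one.

    `files` maps a file name to the first bytes of that file (24 are enough).
    Returns (ok, {name: linktype}); ok is False when the batch mixes link types.
    """
    types = {name: pcap_linktype(head) for name, head in files.items()}
    return len(set(types.values())) <= 1, types


def build_pcap_header(linktype: int, big_endian: bool = False, snaplen: int = 65535) -> bytes:
    """Constructed sample: an empty classic pcap (global header only) with the given link type."""
    fmt = ">IHHiIII" if big_endian else "<IHHiIII"
    return struct.pack(fmt, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


# Constructed sample batch (hypothetical names, not the files from the log):
# one Ethernet capture and one Linux cooked capture, written in different byte orders.
SAMPLE_FILES = {
    "a.pcap": build_pcap_header(1),                    # LINKTYPE_ETHERNET
    "b.pcap": build_pcap_header(113, big_endian=True),  # LINKTYPE_LINUX_SLL
}


def check_paths(paths: list) -> tuple:
    """Same check against files on disk, reading only the global header of each."""
    heads = {}
    for path in paths:
        with open(path, "rb") as fh:
            heads[path] = fh.read(GLOBAL_HEADER_LEN)
    return check_single_linktype(heads)


if __name__ == "__main__":
    # With no arguments, run the constructed sample; otherwise check the given files.
    ok, types = check_paths(sys.argv[1:]) if len(sys.argv) > 1 else check_single_linktype(SAMPLE_FILES)
    for name, lt in types.items():
        print(f"{name}: linktype {lt} ({LINKTYPE_NAMES.get(lt, 'other')})")
    if not ok:
        print("mixed link types: submit these files to separate pcap-log instances")
        sys.exit(1)
    print("single link type: safe for one pcap-log ring buffer")
```

Run it against the real files before feeding them to the unix socket; a non-zero exit means the batch would hit the error shown at the end of the log once the pcap logger has been initialised by the first file.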