Support #1291

closed

http.log is empty

Added by Mike Zhong about 10 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I used the default suricata.yaml and changed these settings:

af-packet:
  - interface: eth1

stream:
  memcap: 32mb
  checksum-validation: no

Started Suricata with:
/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -k none --af-packet=eth1 -v -D

but http.log is empty.

Features for eth1:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
    tx-checksum-unneeded: off [fixed]
    tx-checksum-ip-generic: off
    tx-checksum-ipv6: off [fixed]
    tx-checksum-fcoe-crc: off [fixed]
    tx-checksum-sctp: off [fixed]
scatter-gather: off
    tx-scatter-gather: off
    tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
    tx-tcp-segmentation: off
    tx-tcp-ecn-segmentation: off [fixed]
    tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]

stats.log:

Date: 9/30/2014 -- 09:30:10 (uptime: 0d, 00h 05m 41s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFP1                    | 507908
capture.kernel_drops      | RxAFP1                    | 0
dns.memuse                | RxAFP1                    | 28273
dns.memcap_state          | RxAFP1                    | 0
dns.memcap_global         | RxAFP1                    | 0
decoder.pkts              | RxAFP1                    | 507904
decoder.bytes             | RxAFP1                    | 155521861
decoder.invalid           | RxAFP1                    | 0
decoder.ipv4              | RxAFP1                    | 507655
decoder.ipv6              | RxAFP1                    | 0
decoder.ethernet          | RxAFP1                    | 507904
decoder.raw               | RxAFP1                    | 0
decoder.sll               | RxAFP1                    | 0
decoder.tcp               | RxAFP1                    | 423313
decoder.udp               | RxAFP1                    | 79878
decoder.sctp              | RxAFP1                    | 0
decoder.icmpv4            | RxAFP1                    | 4464
decoder.icmpv6            | RxAFP1                    | 0
decoder.ppp               | RxAFP1                    | 0
decoder.pppoe             | RxAFP1                    | 0
decoder.gre               | RxAFP1                    | 0
decoder.vlan              | RxAFP1                    | 0
decoder.vlan_qinq         | RxAFP1                    | 0
decoder.teredo            | RxAFP1                    | 0
decoder.ipv4_in_ipv6      | RxAFP1                    | 0
decoder.ipv6_in_ipv6      | RxAFP1                    | 0
decoder.avg_pkt_size      | RxAFP1                    | 306
decoder.max_pkt_size      | RxAFP1                    | 1514
defrag.ipv4.fragments     | RxAFP1                    | 0
defrag.ipv4.reassembled   | RxAFP1                    | 0
defrag.ipv4.timeouts      | RxAFP1                    | 0
defrag.ipv6.fragments     | RxAFP1                    | 0
defrag.ipv6.reassembled   | RxAFP1                    | 0
defrag.ipv6.timeouts      | RxAFP1                    | 0
defrag.max_frag_hits      | RxAFP1                    | 0
capture.kernel_packets    | RxAFP2                    | 412127
capture.kernel_drops      | RxAFP2                    | 0
dns.memuse                | RxAFP2                    | 27860
dns.memcap_state          | RxAFP2                    | 0
dns.memcap_global         | RxAFP2                    | 0
decoder.pkts              | RxAFP2                    | 412126
decoder.bytes             | RxAFP2                    | 109512422
decoder.invalid           | RxAFP2                    | 0
decoder.ipv4              | RxAFP2                    | 412126
decoder.ipv6              | RxAFP2                    | 2
decoder.ethernet          | RxAFP2                    | 412126
decoder.raw               | RxAFP2                    | 0
decoder.sll               | RxAFP2                    | 0
decoder.tcp               | RxAFP2                    | 283517
decoder.udp               | RxAFP2                    | 120425
decoder.sctp              | RxAFP2                    | 0
decoder.icmpv4            | RxAFP2                    | 7745
decoder.icmpv6            | RxAFP2                    | 0
decoder.ppp               | RxAFP2                    | 0
decoder.pppoe             | RxAFP2                    | 0
decoder.gre               | RxAFP2                    | 0
decoder.vlan              | RxAFP2                    | 0
decoder.vlan_qinq         | RxAFP2                    | 0
decoder.teredo            | RxAFP2                    | 2
decoder.ipv4_in_ipv6      | RxAFP2                    | 0
decoder.ipv6_in_ipv6      | RxAFP2                    | 0
decoder.avg_pkt_size      | RxAFP2                    | 265
decoder.max_pkt_size      | RxAFP2                    | 1514
defrag.ipv4.fragments     | RxAFP2                    | 0
defrag.ipv4.reassembled   | RxAFP2                    | 0
defrag.ipv4.timeouts      | RxAFP2                    | 0
defrag.ipv6.fragments     | RxAFP2                    | 0
defrag.ipv6.reassembled   | RxAFP2                    | 0
defrag.ipv6.timeouts      | RxAFP2                    | 0
defrag.max_frag_hits      | RxAFP2                    | 0
tcp.sessions              | Detect                    | 20259
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 2874240
tcp.syn                   | Detect                    | 37616
tcp.synack                | Detect                    | 2675
tcp.rst                   | Detect                    | 8360
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 40
flow_mgr.closed_pruned    | FlowManagerThread         | 3888
flow_mgr.new_pruned       | FlowManagerThread         | 23623
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 9369736
flow.spare                | FlowManagerThread         | 10073
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0

cat /usr/local/var/log/suricata/suricata.log
30/9/2014 -- 09:31:33 - <Notice> - This is Suricata version 2.0.4 RELEASE
30/9/2014 -- 09:31:33 - <Info> - CPUs/cores online: 2
30/9/2014 -- 09:31:33 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
30/9/2014 -- 09:31:33 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
30/9/2014 -- 09:31:33 - <Info> - HTTP memcap: 67108864
30/9/2014 -- 09:31:33 - <Info> - DNS request flood protection level: 500
30/9/2014 -- 09:31:33 - <Info> - DNS per flow memcap (state-memcap): 524288
30/9/2014 -- 09:31:33 - <Info> - DNS global memcap: 16777216
30/9/2014 -- 09:31:33 - <Info> - Found an MTU of 1500 for 'eth1'
30/9/2014 -- 09:31:33 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
30/9/2014 -- 09:31:33 - <Info> - preallocated 65535 defrag trackers of size 168
30/9/2014 -- 09:31:33 - <Info> - defrag memory usage: 14679896 bytes, maximum: 33554432
30/9/2014 -- 09:31:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
30/9/2014 -- 09:31:33 - <Info> - preallocated 1024 packets. Total memory 3567616
30/9/2014 -- 09:31:33 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
30/9/2014 -- 09:31:33 - <Info> - preallocated 1000 hosts of size 112
30/9/2014 -- 09:31:33 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
30/9/2014 -- 09:31:33 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
30/9/2014 -- 09:31:33 - <Info> - preallocated 10000 flows of size 280
30/9/2014 -- 09:31:33 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
30/9/2014 -- 09:31:33 - <Info> - IP reputation disabled
30/9/2014 -- 09:31:33 - <Info> - using magic-file /usr/share/file/magic
30/9/2014 -- 09:31:33 - <Info> - Delayed detect disabled
30/9/2014 -- 09:31:38 - <Info> - 2 rule files processed. 15155 rules successfully loaded, 0 rules failed
30/9/2014 -- 09:31:38 - <Info> - 15163 signatures processed. 885 are IP-only rules, 5155 are inspecting packet payload, 11649 inspect application layer, 0 are decoder event only
30/9/2014 -- 09:31:38 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
30/9/2014 -- 09:31:39 - <Info> - building signature grouping structure, stage 2: building source address list... complete
30/9/2014 -- 09:31:41 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
30/9/2014 -- 09:31:42 - <Info> - Threshold config parsed: 0 rule(s) found
30/9/2014 -- 09:31:42 - <Info> - Core dump size set to unlimited.
30/9/2014 -- 09:31:42 - <Info> - dropped the caps for main thread
30/9/2014 -- 09:31:42 - <Info> - fast output device (regular) initialized: fast.log
30/9/2014 -- 09:31:42 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
30/9/2014 -- 09:31:42 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
30/9/2014 -- 09:31:42 - <Info> - http-log output device (regular) initialized: http.log
30/9/2014 -- 09:31:42 - <Info> - Enabling mmaped capture on iface eth1
30/9/2014 -- 09:31:42 - <Info> - Using flow cluster mode for AF_PACKET (iface eth1)
30/9/2014 -- 09:31:42 - <Info> - Using defrag kernel functionality for AF_PACKET (iface eth1)
30/9/2014 -- 09:31:42 - <Info> - Going to use 2 ReceiveAFP receive thread(s)
30/9/2014 -- 09:31:42 - <Info> - Enabling zero copy mode by using data release call
30/9/2014 -- 09:31:42 - <Info> - Enabling zero copy mode by using data release call
30/9/2014 -- 09:31:42 - <Info> - RunModeIdsAFPAutoFp initialised
30/9/2014 -- 09:31:42 - <Info> - stream "prealloc-sessions": 2048 (per thread)
30/9/2014 -- 09:31:42 - <Info> - stream "memcap": 33554432
30/9/2014 -- 09:31:42 - <Info> - stream "midstream" session pickups: disabled
30/9/2014 -- 09:31:42 - <Info> - stream "async-oneside": disabled
30/9/2014 -- 09:31:42 - <Info> - stream "checksum-validation": disabled
30/9/2014 -- 09:31:42 - <Info> - stream."inline": disabled
30/9/2014 -- 09:31:42 - <Info> - stream "max-synack-queued": 5
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "memcap": 134217728
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "depth": 1048576
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "toserver-chunk-size": 2513
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "toclient-chunk-size": 2529
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly.raw: enabled
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 4, prealloc 256
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 16, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 112, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 248, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 512, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 768, prealloc 1024
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 1448, prealloc 1024
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 65535, prealloc 128
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "chunk-prealloc": 250
30/9/2014 -- 09:31:42 - <Notice> - all 5 packet processing threads, 3 management threads initialized, engine started.
30/9/2014 -- 09:31:42 - <Info> - Generic Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - Large Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - AF_PACKET RX Ring params: block_size=32768 block_nr=52 frame_size=1584 frame_nr=1040
30/9/2014 -- 09:31:42 - <Info> - Using interface 'eth1' via socket 8
30/9/2014 -- 09:31:42 - <Info> - Thread RxAFP1 using socket 8
30/9/2014 -- 09:31:42 - <Info> - Generic Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - Large Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - AF_PACKET RX Ring params: block_size=32768 block_nr=52 frame_size=1584 frame_nr=1040
30/9/2014 -- 09:31:42 - <Info> - Using interface 'eth1' via socket 9
30/9/2014 -- 09:31:42 - <Info> - All AFP capture threads are running.
30/9/2014 -- 09:31:42 - <Info> - Thread RxAFP2 using socket 9
30/9/2014 -- 09:31:42 - <Info> - Starting to read on RxAFP2
30/9/2014 -- 09:31:42 - <Info> - Starting to read on RxAFP1

Why is http.log empty?
Help please!

Files

suricata.yaml (47.2 KB), Mike Zhong, 09/30/2014 04:41 AM
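As a diagnostic starting point for a report like this one, the script below is an added example (not part of the original issue and not Suricata project code). It parses a stats.log table and walks the pipeline from capture up to the HTTP parser, flagging the first layer where HTTP logging can stall. Run over the counters posted above, tcp.syn is 37616 but tcp.synack only 2675, flow_mgr.new_pruned (23623) far exceeds flow_mgr.closed_pruned (3888), and tcp.reassembly_memuse and http.memuse are both 0. Those figures are consistent with the sensor seeing only one direction of most TCP flows; with the "midstream" session pickup shown as disabled in suricata.log, such flows are never reassembled and so never reach the HTTP parser. The thresholds and that interpretation are the example's own assumptions, and the embedded sample table is a subset of the one in the post.

```python
"""Diagnose an empty http.log from a Suricata 2.x stats.log dump.

Added example for this issue, not code from the Suricata project. The sample
below is a subset of the counters posted in the issue, embedded so the script
runs offline; the thresholds in diagnose() are assumptions, not Suricata defaults.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the stats.log table from the issue.
SAMPLE_STATS = """\
Date: 9/30/2014 -- 09:30:10 (uptime: 0d, 00h 05m 41s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFP1                    | 507908
capture.kernel_drops      | RxAFP1                    | 0
decoder.tcp               | RxAFP1                    | 423313
capture.kernel_packets    | RxAFP2                    | 412127
capture.kernel_drops      | RxAFP2                    | 0
decoder.tcp               | RxAFP2                    | 283517
tcp.sessions              | Detect                    | 20259
tcp.syn                   | Detect                    | 37616
tcp.synack                | Detect                    | 2675
tcp.rst                   | Detect                    | 8360
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
detect.alert              | Detect                    | 40
flow_mgr.new_pruned       | FlowManagerThread         | 23623
flow_mgr.closed_pruned    | FlowManagerThread         | 3888
"""

# One stats row: "counter | thread | integer value"
ROW_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter: {thread: value}}; in a rolling log the last block wins."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            counters[counter][thread] = int(value)
    return counters


def total(counters, name):
    """Sum a counter across all threads (a missing counter counts as 0)."""
    return sum(counters.get(name, {}).values())


def diagnose(counters):
    """Return [(check, passed, detail)], ordered from capture up to the HTTP parser."""
    pkts = total(counters, "capture.kernel_packets")
    drops = total(counters, "capture.kernel_drops")
    syn = total(counters, "tcp.syn")
    synack = total(counters, "tcp.synack")
    sessions = total(counters, "tcp.sessions")
    reasm = total(counters, "tcp.reassembly_memuse")
    new_pruned = total(counters, "flow_mgr.new_pruned")
    closed_pruned = total(counters, "flow_mgr.closed_pruned")
    http_mem = total(counters, "http.memuse")

    synack_ratio = synack / syn if syn else 0.0
    return [
        ("capture sees packets", pkts > 0, f"kernel_packets={pkts}"),
        # Assumption: under 1% kernel drops is acceptable for this check.
        ("kernel drops under 1%", pkts == 0 or drops / pkts < 0.01, f"kernel_drops={drops}"),
        # Assumption: on a symmetric tap there is roughly one SYN/ACK per SYN.
        # A much lower ratio means the sensor sees only one side of each flow,
        # and with midstream pickup disabled those flows are never reassembled.
        ("both directions captured (synack/syn >= 0.5)", syn == 0 or synack_ratio >= 0.5,
         f"syn={syn} synack={synack} ratio={synack_ratio:.2f}"),
        # Flows pruned while still 'new' never reached the established state.
        ("most flows reach established", closed_pruned >= new_pruned,
         f"new_pruned={new_pruned} closed_pruned={closed_pruned}"),
        ("stream reassembly holding data", sessions == 0 or reasm > 0,
         f"sessions={sessions} reassembly_memuse={reasm}"),
        ("HTTP parser allocated state", http_mem > 0, f"http.memuse={http_mem}"),
    ]


def failed_checks(counters):
    """Names of the failing checks, i.e. the layers where HTTP logging stalls."""
    return [name for name, ok, _ in diagnose(counters) if not ok]


if __name__ == "__main__":
    # Pipe a real stats.log on stdin; with no input the embedded sample is used.
    text = SAMPLE_STATS if sys.stdin.isatty() else sys.stdin.read()
    for name, ok, detail in diagnose(parse_stats(text)):
        print(f"[{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

Against a live sensor, feed the file to the script (for example `python3 diag.py < /usr/local/var/log/suricata/stats.log`; the path is the default for this build and is an assumption). Because stats.log is appended to on every interval, the parser keeps the last value seen for each counter and thread, so the report reflects the most recent block. A failing "both directions captured" check points at the capture point (span port or tap configuration) rather than at Suricata's output configuration, which is where the http.log question is usually answered.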