Bug #7184
open
failed to parse addresses
Description
In Suricata version 7.0.0, the rules regarding IP cannot be correctly resolved.
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:653) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv4.hdr
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:653) <Perf> (DetectMpmInitializePktMpms) -- using shared mpm ctx' for ipv6.hdr
[31453] 30/7/2024 -- 15:01:57 - (reputation.c:609) <Config> (SRepInit) -- IP reputation disabled
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-analyzer.c:309) <Info> (SetupFPAnalyzer) -- Engine-Analysis for fast_pattern printed to file - ./rules_fast_pattern.txt
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-analyzer.c:357) <Info> (SetupRuleAnalyzer) -- Engine-Analysis for rules printed to file - ./rules_analysis.txt
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-loader.c:251) <Config> (ProcessSigFiles) -- Loading rule file: test.rules
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-iponly.c:880) <Error> (IPOnlySigParseAddress) -- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse addresses
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [192.9.135.73] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404300; rev:7265; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2024_07_26;)" from file test.rules at line 1
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-loader.c:340) <Config> (SigLoadSignatures) -- No rules loaded from test.rules
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
[31453] 30/7/2024 -- 15:01:57 - (util-threshold-config.c:254) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/data/sec/new_nids/etc/suricata//threshold.config": No such file or directory
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:710) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:710) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:710) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:710) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1473) <Info> (SigAddressPrepareStage1) -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1476) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1316) <Perf> (RulesGroupByPorts) -- TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1316) <Perf> (RulesGroupByPorts) -- TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1316) <Perf> (RulesGroupByPorts) -- UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1316) <Perf> (RulesGroupByPorts) -- UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1064) <Perf> (RulesGroupByProto) -- OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1101) <Perf> (RulesGroupByProto) -- OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1840) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-mpm.c:1421) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 0
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-analyzer.c:417) <Info> (CleanupRuleAnalyzer) -- Engine-Analysis for rules printed to file - ./rules_analysis.txt
[31453] 30/7/2024 -- 15:01:57 - (host.c:303) <Perf> (HostPrintStats) -- host memory usage: 398144 bytes, maximum: 33554432
[31453] 30/7/2024 -- 15:01:57 - (detect-engine-build.c:1775) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[31453] 30/7/2024 -- 15:01:57 - (util-device.c:359) <Notice> (LiveDeviceListClean) -- Stats for '.': pkts: 0, drop: 0 (-nan%), invalid chksum: 0
[31453] 30/7/2024 -- 15:01:57 - (util-mpm-hs.c:1078) <Perf> (MpmHSGlobalCleanup) -- Cleaning up Hyperscan global scratch
[31453] 30/7/2024 -- 15:01:57 - (util-mpm-hs.c:1086) <Perf> (MpmHSGlobalCleanup) -- Clearing Hyperscan database cache
Updated by xc yang 3 months ago · Edited
This is Suricata version 7.0.0-dev (5280e0c 2023-12-12)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON TLS TLS_GNU MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40

Suricata Configuration:
  AF_PACKET support: yes
  DPDK support: yes
  eBPF support: no
  XDP support: no
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  WinDivert enabled: no
  Unix socket enabled: yes
  Detection enabled: yes
  Libmagic support: yes
  libjansson support: yes
  hiredis support: no
  hiredis async with libevent: no
  PCRE jit: yes
  LUA support: yes
  libluajit: no
  GeoIP2 support: no
  Non-bundled htp: no
  Hyperscan support: yes
  Libnet support: no
  liblz4 support: yes
  Rust support: yes
  Rust strict mode: no
  Rust compiler path: /bin/rustc
  Rust compiler version: rustc 1.72.1 (d5c2e9c34 2023-09-13) (Red Hat 1.72.1-2.el7)
  Cargo path: /bin/cargo
  Cargo version: cargo 1.72.1
  Python support: yes
  Python path: /bin/python3
  Python distutils yes
  Python yaml no
  Install suricatactl: yes
  Install suricatasc: yes
  Install suricata-update: no, not bundled
  Profiling enabled: no
  Profiling locks enabled: no
  Plugin support (experimental): yes

Development settings:
  Coccinelle / spatch: no
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Fuzz targets enabled: no

Generic build parameters:
  Installation prefix: /data/sec/new_nids
  Configuration directory: /data/sec/new_nids/etc/suricata/
  Log directory: /data/sec/new_nids/var/log/suricata/
  --prefix /data/sec/new_nids
  --sysconfdir /data/sec/new_nids/etc
  --localstatedir /data/sec/new_nids/var
  --datarootdir /data/sec/new_nids/share
  Host: x86_64-unknown-linux-gnu
  Compiler: gcc (exec name) / g++ (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: no
  CFLAGS -g -O2 -fPIC -std=gnu99 -march=native -include rte_config.h -march=native -I/usr/local/include -I/usr//usr/include -I/usr/include/libnl3 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS
  SECCFLAGS
Updated by Victor Julien 3 months ago
- Priority changed from High to Normal
I suppose the failing address is in the HOME_NET variable, can you share that?
In general, make sure to report against an up to date version. That would be 7.0.6.
Updated by xc yang 3 months ago
Victor Julien wrote in #note-3:
I suppose the failing address is in the HOME_NET variable, can you share that?
In general, make sure to report against an up to date version. That would be 7.0.6.
There are 1000 addresses in HOME_NET that involve company IP information, which I have hidden.
Updated by xc yang 3 months ago
Victor Julien wrote in #note-3:
I suppose the failing address is in the HOME_NET variable, can you share that?
In general, make sure to report against an up to date version. That would be 7.0.6.
Wow, you're really amazing. Indeed, when I switched to a configuration file with a smaller number of home_net, I was able to correctly resolve the address. Why is that?