Support #1291
Updated by Victor Julien about 10 years ago
I used the default suricata.yaml and changed/set:

<pre>
af-packet:
  - interface: eth1
stream:
  memcap: 32mb
  checksum-validation: no
</pre>

Started Suricata with:

<pre>
/usr/local/bin/suricata --user suricata -c /etc/suricata/suricata.yaml -k none --af-packet=eth1 -v -D
</pre>

but http.log is empty.

<pre>
Features for eth1:
rx-checksumming: off
tx-checksumming: off
tx-checksum-ipv4: off [fixed]
tx-checksum-unneeded: off [fixed]
tx-checksum-ip-generic: off
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
</pre>

stats.log:

<pre>
Date: 9/30/2014 -- 09:30:10 (uptime: 0d, 00h 05m 41s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFP1                    | 507908
capture.kernel_drops      | RxAFP1                    | 0
dns.memuse                | RxAFP1                    | 28273
dns.memcap_state          | RxAFP1                    | 0
dns.memcap_global         | RxAFP1                    | 0
decoder.pkts              | RxAFP1                    | 507904
decoder.bytes             | RxAFP1                    | 155521861
decoder.invalid           | RxAFP1                    | 0
decoder.ipv4              | RxAFP1                    | 507655
decoder.ipv6              | RxAFP1                    | 0
decoder.ethernet          | RxAFP1                    | 507904
decoder.raw               | RxAFP1                    | 0
decoder.sll               | RxAFP1                    | 0
decoder.tcp               | RxAFP1                    | 423313
decoder.udp               | RxAFP1                    | 79878
decoder.sctp              | RxAFP1                    | 0
decoder.icmpv4            | RxAFP1                    | 4464
decoder.icmpv6            | RxAFP1                    | 0
decoder.ppp               | RxAFP1                    | 0
decoder.pppoe             | RxAFP1                    | 0
decoder.gre               | RxAFP1                    | 0
decoder.vlan              | RxAFP1                    | 0
decoder.vlan_qinq         | RxAFP1                    | 0
decoder.teredo            | RxAFP1                    | 0
decoder.ipv4_in_ipv6      | RxAFP1                    | 0
decoder.ipv6_in_ipv6      | RxAFP1                    | 0
decoder.avg_pkt_size      | RxAFP1                    | 306
decoder.max_pkt_size      | RxAFP1                    | 1514
defrag.ipv4.fragments     | RxAFP1                    | 0
defrag.ipv4.reassembled   | RxAFP1                    | 0
defrag.ipv4.timeouts      | RxAFP1                    | 0
defrag.ipv6.fragments     | RxAFP1                    | 0
defrag.ipv6.reassembled   | RxAFP1                    | 0
defrag.ipv6.timeouts      | RxAFP1                    | 0
defrag.max_frag_hits      | RxAFP1                    | 0
capture.kernel_packets    | RxAFP2                    | 412127
capture.kernel_drops      | RxAFP2                    | 0
dns.memuse                | RxAFP2                    | 27860
dns.memcap_state          | RxAFP2                    | 0
dns.memcap_global         | RxAFP2                    | 0
decoder.pkts              | RxAFP2                    | 412126
decoder.bytes             | RxAFP2                    | 109512422
decoder.invalid           | RxAFP2                    | 0
decoder.ipv4              | RxAFP2                    | 412126
decoder.ipv6              | RxAFP2                    | 2
decoder.ethernet          | RxAFP2                    | 412126
decoder.raw               | RxAFP2                    | 0
decoder.sll               | RxAFP2                    | 0
decoder.tcp               | RxAFP2                    | 283517
decoder.udp               | RxAFP2                    | 120425
decoder.sctp              | RxAFP2                    | 0
decoder.icmpv4            | RxAFP2                    | 7745
decoder.icmpv6            | RxAFP2                    | 0
decoder.ppp               | RxAFP2                    | 0
decoder.pppoe             | RxAFP2                    | 0
decoder.gre               | RxAFP2                    | 0
decoder.vlan              | RxAFP2                    | 0
decoder.vlan_qinq         | RxAFP2                    | 0
decoder.teredo            | RxAFP2                    | 2
decoder.ipv4_in_ipv6      | RxAFP2                    | 0
decoder.ipv6_in_ipv6      | RxAFP2                    | 0
decoder.avg_pkt_size      | RxAFP2                    | 265
decoder.max_pkt_size      | RxAFP2                    | 1514
defrag.ipv4.fragments     | RxAFP2                    | 0
defrag.ipv4.reassembled   | RxAFP2                    | 0
defrag.ipv4.timeouts      | RxAFP2                    | 0
defrag.ipv6.fragments     | RxAFP2                    | 0
defrag.ipv6.reassembled   | RxAFP2                    | 0
defrag.ipv6.timeouts      | RxAFP2                    | 0
defrag.max_frag_hits      | RxAFP2                    | 0
tcp.sessions              | Detect                    | 20259
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 2874240
tcp.syn                   | Detect                    | 37616
tcp.synack                | Detect                    | 2675
tcp.rst                   | Detect                    | 8360
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 40
flow_mgr.closed_pruned    | FlowManagerThread         | 3888
flow_mgr.new_pruned       | FlowManagerThread         | 23623
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 9369736
flow.spare                | FlowManagerThread         | 10073
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
</pre>

<pre>
cat /usr/local/var/log/suricatasuricata.log
30/9/2014 -- 09:31:33 - <Notice> - This is Suricata version 2.0.4 RELEASE
30/9/2014 -- 09:31:33 - <Info> - CPUs/cores online: 2
30/9/2014 -- 09:31:33 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
30/9/2014 -- 09:31:33 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
30/9/2014 -- 09:31:33 - <Info> - HTTP memcap: 67108864
30/9/2014 -- 09:31:33 - <Info> - DNS request flood protection level: 500
30/9/2014 -- 09:31:33 - <Info> - DNS per flow memcap (state-memcap): 524288
30/9/2014 -- 09:31:33 - <Info> - DNS global memcap: 16777216
30/9/2014 -- 09:31:33 - <Info> - Found an MTU of 1500 for 'eth1'
30/9/2014 -- 09:31:33 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
30/9/2014 -- 09:31:33 - <Info> - preallocated 65535 defrag trackers of size 168
30/9/2014 -- 09:31:33 - <Info> - defrag memory usage: 14679896 bytes, maximum: 33554432
30/9/2014 -- 09:31:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
30/9/2014 -- 09:31:33 - <Info> - preallocated 1024 packets. Total memory 3567616
30/9/2014 -- 09:31:33 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
30/9/2014 -- 09:31:33 - <Info> - preallocated 1000 hosts of size 112
30/9/2014 -- 09:31:33 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
30/9/2014 -- 09:31:33 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
30/9/2014 -- 09:31:33 - <Info> - preallocated 10000 flows of size 280
30/9/2014 -- 09:31:33 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
30/9/2014 -- 09:31:33 - <Info> - IP reputation disabled
30/9/2014 -- 09:31:33 - <Info> - using magic-file /usr/share/file/magic
30/9/2014 -- 09:31:33 - <Info> - Delayed detect disabled
30/9/2014 -- 09:31:38 - <Info> - 2 rule files processed. 15155 rules successfully loaded, 0 rules failed
30/9/2014 -- 09:31:38 - <Info> - 15163 signatures processed. 885 are IP-only rules, 5155 are inspecting packet payload, 11649 inspect application layer, 0 are decoder event only
30/9/2014 -- 09:31:38 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
30/9/2014 -- 09:31:39 - <Info> - building signature grouping structure, stage 2: building source address list... complete
30/9/2014 -- 09:31:41 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
30/9/2014 -- 09:31:42 - <Info> - Threshold config parsed: 0 rule(s) found
30/9/2014 -- 09:31:42 - <Info> - Core dump size set to unlimited.
30/9/2014 -- 09:31:42 - <Info> - dropped the caps for main thread
30/9/2014 -- 09:31:42 - <Info> - fast output device (regular) initialized: fast.log
30/9/2014 -- 09:31:42 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
30/9/2014 -- 09:31:42 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
30/9/2014 -- 09:31:42 - <Info> - http-log output device (regular) initialized: http.log
30/9/2014 -- 09:31:42 - <Info> - Enabling mmaped capture on iface eth1
30/9/2014 -- 09:31:42 - <Info> - Using flow cluster mode for AF_PACKET (iface eth1)
30/9/2014 -- 09:31:42 - <Info> - Using defrag kernel functionality for AF_PACKET (iface eth1)
30/9/2014 -- 09:31:42 - <Info> - Going to use 2 ReceiveAFP receive thread(s)
30/9/2014 -- 09:31:42 - <Info> - Enabling zero copy mode by using data release call
30/9/2014 -- 09:31:42 - <Info> - Enabling zero copy mode by using data release call
30/9/2014 -- 09:31:42 - <Info> - RunModeIdsAFPAutoFp initialised
30/9/2014 -- 09:31:42 - <Info> - stream "prealloc-sessions": 2048 (per thread)
30/9/2014 -- 09:31:42 - <Info> - stream "memcap": 33554432
30/9/2014 -- 09:31:42 - <Info> - stream "midstream" session pickups: disabled
30/9/2014 -- 09:31:42 - <Info> - stream "async-oneside": disabled
30/9/2014 -- 09:31:42 - <Info> - stream "checksum-validation": disabled
30/9/2014 -- 09:31:42 - <Info> - stream."inline": disabled
30/9/2014 -- 09:31:42 - <Info> - stream "max-synack-queued": 5
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "memcap": 134217728
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "depth": 1048576
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "toserver-chunk-size": 2513
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "toclient-chunk-size": 2529
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly.raw: enabled
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 4, prealloc 256
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 16, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 112, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 248, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 512, prealloc 512
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 768, prealloc 1024
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 1448, prealloc 1024
30/9/2014 -- 09:31:42 - <Info> - segment pool: pktsize 65535, prealloc 128
30/9/2014 -- 09:31:42 - <Info> - stream.reassembly "chunk-prealloc": 250
30/9/2014 -- 09:31:42 - <Notice> - all 5 packet processing threads, 3 management threads initialized, engine started.
30/9/2014 -- 09:31:42 - <Info> - Generic Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - Large Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - AF_PACKET RX Ring params: block_size=32768 block_nr=52 frame_size=1584 frame_nr=1040
30/9/2014 -- 09:31:42 - <Info> - Using interface 'eth1' via socket 8
30/9/2014 -- 09:31:42 - <Info> - Thread RxAFP1 using socket 8
30/9/2014 -- 09:31:42 - <Info> - Generic Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - Large Receive Offload is unset on eth1
30/9/2014 -- 09:31:42 - <Info> - AF_PACKET RX Ring params: block_size=32768 block_nr=52 frame_size=1584 frame_nr=1040
30/9/2014 -- 09:31:42 - <Info> - Using interface 'eth1' via socket 9
30/9/2014 -- 09:31:42 - <Info> - All AFP capture threads are running.
30/9/2014 -- 09:31:42 - <Info> - Thread RxAFP2 using socket 9
30/9/2014 -- 09:31:42 - <Info> - Starting to read on RxAFP2
30/9/2014 -- 09:31:42 - <Info> - Starting to read on RxAFP1
</pre>

Why is http.log empty? Help please!
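A check a practitioner would run against a stats.log like the one above before asking why http.log is empty: parse the counter table and flag the counters that decide whether any payload ever reached the HTTP parser. This is an added example, not code from the Suricata project or from the ticket; the sample input is constructed from the values in the post, and the thresholds and the interpretation of each counter (kernel drops, the SYN versus SYN/ACK ratio as a hint of one-directional capture while midstream and async-oneside are disabled, zero reassembly and HTTP memory use) are heuristics, not a diagnosis of this ticket.

```python
"""Parse a Suricata 2.0-style stats.log table and flag counters that commonly
explain an empty http.log. Added example, not Suricata project code; every
check below is a heuristic (assumption) rather than a confirmed diagnosis."""

import re
from collections import defaultdict

# Constructed sample in the stats.log layout shown in the post, using the
# post's own values for the counters that matter here.
SAMPLE_STATS = """\
Date: 9/30/2014 -- 09:30:10 (uptime: 0d, 00h 05m 41s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFP1                    | 507908
capture.kernel_drops      | RxAFP1                    | 0
decoder.tcp               | RxAFP1                    | 423313
capture.kernel_packets    | RxAFP2                    | 412127
capture.kernel_drops      | RxAFP2                    | 0
decoder.tcp               | RxAFP2                    | 283517
tcp.sessions              | Detect                    | 20259
tcp.syn                   | Detect                    | 37616
tcp.synack                | Detect                    | 2675
tcp.rst                   | Detect                    | 8360
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
detect.alert              | Detect                    | 40
"""

# One table row: "counter | thread | integer value". Header, date and
# separator lines do not match because their third column is not numeric.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {counter: {thread: value}} for every counter row in the dump."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, thread, value = m.groups()
            counters[name][thread] = int(value)
    return counters


def total(counters, name):
    """Sum one counter across all threads (0 if the counter is absent)."""
    return sum(counters.get(name, {}).values())


def check_http_pipeline(counters, synack_ratio_min=0.5):
    """Return a list of findings, each a heuristic (assumption):
    - capture.kernel_drops > 0: packets were lost before the decoder
    - synack/syn far below 1: with midstream and async-oneside disabled,
      only sessions whose handshake was seen in both directions are
      tracked, so few SYN/ACKs suggest one-directional capture (or a
      scan-heavy link)
    - tcp.reassembly_memuse == 0 while sessions exist: no stream payload
      was reassembled, so nothing could be handed to the app-layer parsers
    - http.memuse == 0: the HTTP parser has not processed any traffic,
      which is sufficient on its own for an empty http.log
    """
    findings = []
    drops = total(counters, "capture.kernel_drops")
    if drops:
        findings.append(f"kernel_drops={drops}: capture is losing packets")
    syn, synack = total(counters, "tcp.syn"), total(counters, "tcp.synack")
    if syn and synack / syn < synack_ratio_min:
        findings.append(f"synack/syn={synack / syn:.2f}: most handshakes lack a "
                        "SYN/ACK; check that both directions reach the interface")
    if total(counters, "tcp.sessions") and total(counters, "tcp.reassembly_memuse") == 0:
        findings.append("tcp.reassembly_memuse=0 with sessions tracked: "
                        "no stream payload reassembled")
    if total(counters, "http.memuse") == 0:
        findings.append("http.memuse=0: the HTTP parser has not seen any traffic")
    return findings


if __name__ == "__main__":
    for finding in check_http_pipeline(parse_stats(SAMPLE_STATS)):
        print(finding)
```

Run it against a real stats.log by passing the file contents to `parse_stats`; the ratio threshold is a tunable assumption, and a link that legitimately carries mostly scans will trip it without any capture problem.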