Ruleset-stats shows 0 after reload-tenants

I am using Suricata version 7.0.2 with multi-tenant enabled and runmode ‘autofp’.

ruleset-stats shows correct stats initially. After reload-tenants is issued (which is successful), reload-stats shows 0.

ruleset-stats
Success:
[
    {
        "id": 0,
        "rules_failed": 0,
        "rules_loaded": 0
    },
    {
        "id": 2,
        "rules_failed": 0,
        "rules_loaded": 16751
    },
    {
        "id": 1,
        "rules_failed": 0,
        "rules_loaded": 16751
    },
    {
        "id": 3,
        "rules_failed": 0,
        "rules_loaded": 5171
    }
]

reload-tenants
Success:
"reloading tenants succeeded"
ruleset-stats
Success:
[
    {
        "id": 0,
        "rules_failed": 0,
        "rules_loaded": 0
    }
]

How do you run Suricata?

Post stats.log, suricata.log and also the suricata.yaml config.

We call the process ‘idps_ni’ and it is started as: ./idps_ni -I 301 -s ./config_schema.xml

%YAML 1.1
---

vars:
  address-groups:
    HOME_NET: "[100.1.1.0/28,100.1.1.2/32,100.1.2.0/28,100.1.2.16/28,100.1.3.0/28,100.1.3.16/28,100.1.4.0/28,100.1.4.16/28,100.1.11.0/28,100.1.11.16/28,100.1.12.0/28,100.1.12.16/28,100.1.13.0/28,100.1.13.16/28,100.1.14.0/28,100.1.14.16/28,100.1.254.0/28,192.168.1.0/24,104.1.1.0/28,104.1.2.0/28,104.1.2.16/28,104.1.3.0/28,104.1.3.16/28,104.1.4.0/28,104.1.4.16/28,104.1.11.0/28,104.1.11.16/28,104.1.12.0/28,104.1.12.16/28,104.1.13.0/28,104.1.13.16/28,104.1.14.0/28,104.1.14.16/28,104.1.254.0/28]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$HOME_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVERS: "$HOME_NET"
    MODBUS_SERVERS: "$HOME_NET"
    ENIP_SERVERS: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80,443]"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    DNP3_PORTS: "20000"
    MODBUS_PORTS: "502"
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    GENEVE_PORTS: "6081"
    VXLAN_PORTS: "4789"
    TEREDO_PORTS: "3544"
    FTP_PORTS: "21"

exception-policy: pass-flow

stream:
  midstream: true
  drop-invalid: no
  midstream-policy: auto

default-log-dir: /var/aryaka/nexus/idps_ni/

logging:
  default-log-level: info
  default-log-format: "[%i] %t - (%f:%n:%l) <%d> – "
  outputs:
    - console:
        enabled: false
    - file:
        enabled: true
        level: config
        filename: idps_engine.log
        format: "[%i] %t - (%f:%n:%l) <%d> – "

stats:
  enabled: true
  interval: 3600

outputs:
  - stats-json:
      enabled: true
      filename: stats_301.json

  - stats:
      enabled: false
      filename: stats_301.log
      totals: true
      threads: true
      decoder-events: true
      tcp: true
      http: true
      tls: true
      smtp: true
      ssh: true
      flow: false
      dns: true

  - eve-log:
      enabled: true
      log-level: notice
      filetype: regular
      filename: idps_events_301.json
      types:
        - alert:
            enabled: true
            tagged-packets: true
            payload: false
            payload-printable: false
            http-body: false
            metadata:
              app-layer: true
              flow: false
        - anomaly:
            enabled: false
            types:
              decode: false
              stream: false
              applayer: false
            packethdr: false
        - http:
            enabled: true
            extended: false
            body: false
            header: false
        - dns:
            enabled: false
            query: true
            answer: true
            transaction: true
        - tls:
            enabled: false
            certs: true
            subject: true
            issuer: true
        - files:
            enabled: false
            force-magic: true
        - smtp:
            enabled: false
            commands: true
            helo: true
            rcpt: true
        - flow:
            enabled: false
            extended: true
        - ssh:
            enabled: false
            handshake: true
        - netflow:
            enabled: false
  - eve-log:
      enabled: false
      filetype: regular
      filename: idps_stats_301.json
      types:
        - stats

  - syslog:
      enabled: false
      facility: local0
      level: notice

  - http-log:
      enabled: false

  - tls-log:
      enabled: false

  - tls-store:
      enabled: false

app-layer:
  protocols:
    krb5:
      enabled: true
    mqtt:
      enabled: false
    rfb:
      enabled: true
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    snmp:
      enabled: true
    ikev2:
      enabled: true
    tls:
      enabled: true
      encryption-handling: bypass
      detection-ports:
        dp: 443
    dcerpc:
      enabled: true
    ftp:
      enabled: true
    rdp:
      enabled: true
    ssh:
      enabled: true
    smtp:
      enabled: true
    imap:
      enabled: detection-only
    smb:
      enabled: true
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: true
    tftp:
      enabled: true
    dns:
      enabled: true
      tcp:
        enabled: true
        detection-ports:
          dp: 53
      udp:
        enabled: true
        detection-ports:
          dp: 53
    http:
      enabled: true
    http2:
      enabled: true
    modbus:
      enabled: false
      detection-ports:
        dp: 502
    dnp3:
      enabled: false
      detection-ports:
        enabled: 20000
    enip:
      enabled: false
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: true
    dhcp:
      enabled: true
    sip:
      enabled: true
    flow:
      enabled: false
      detection: none

coredump:
  max-dump: unlimited

runmode: autofp

auto-scheduler: hash

asn1-max-frames: 256

host-mode: auto

max-pending-packets: 4096

default-packet-size: 2048

unix-command:
  enabled: yes
  filename: /var/aryaka/nexus/idps_ni/custom.socket

multi-detect:
  enabled: yes
  selector: vlan
  loaders: 3
  tenants:
    - id: 1
      yaml: /var/aryaka/nexus/idps_ni/config/idps_engine_lan.yaml
    - id: 2
      yaml: /var/aryaka/nexus/idps_ni/config/idps_engine_wan.yaml
    - id: 3
      yaml: /var/aryaka/nexus/idps_ni/config/idps_engine_adv.yaml
  mappings:
    - vlan-id: 1000
      tenant-id: 1
    - vlan-id: 1001
      tenant-id: 2
    - vlan-id: 1002
      tenant-id: 3

detect:
  profile: high

classification-file: /var/aryaka/nexus/idps_ni/rules/classification.config
reference-config-file: /var/aryaka/nexus/idps_ni/rules/reference.config
threshold-file: /var/aryaka/nexus/idps_ni/rules/threshold.config

Suricata.log (we call it idps_engine.log)

[9010] 1/3/2024 – 00:57:43 ----- timestamp when reload-tenants was issued from suricatasc.

[9008] 1/3/2024 – 00:53:04 - (suricata.c:LogVersion:1178) – This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
[9008] 1/3/2024 – 00:53:04 - (util-cpu.c:UtilCpuPrintSummary:182) – CPUs/cores online: 8
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyMasterParse:200) – master exception-policy set to: pass-flow
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyGetDefault:220) – app-layer.error-policy: pass-flow (defined via ‘exception-policy’ master switch)
[9008] 1/3/2024 – 00:53:04 - (app-layer-htp.c:HTPConfigSetDefaultsPhase2:2567) – ‘default’ server has ‘request-body-minimal-inspect-size’ set to 31301 and ‘request-body-inspect-window’ set to 4098 after randomization.
[9008] 1/3/2024 – 00:53:04 - (app-layer-htp.c:HTPConfigSetDefaultsPhase2:2580) – ‘default’ server has ‘response-body-minimal-inspect-size’ set to 32601 and ‘response-body-inspect-window’ set to 4201 after randomization.
[9008] 1/3/2024 – 00:53:04 - (app-layer-enip.c:RegisterENIPUDPParsers:539) – Protocol detection and parser disabled for enip protocol.
[9008] 1/3/2024 – 00:53:04 - (app-layer-dnp3.c:RegisterDNP3Parsers:1565) – Protocol detection and parser disabled for DNP3.
[9008] 1/3/2024 – 00:53:04 - (host.c:HostInitConfig:259) – allocated 262144 bytes of memory for the host hash… 4096 buckets of size 64
[9008] 1/3/2024 – 00:53:04 - (host.c:HostInitConfig:283) – preallocated 1000 hosts of size 136
[9008] 1/3/2024 – 00:53:04 - (host.c:HostInitConfig:285) – host memory usage: 398144 bytes, maximum: 16777216
[9008] 1/3/2024 – 00:53:04 - (util-coredump-config.c:CoredumpLoadConfig:148) – Core dump size is unlimited.
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:PickPacketAction:126) – flow actions not supported for defrag.memcap-policy, defaulting to “pass-packet”
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyGetDefault:220) – defrag.memcap-policy: pass-packet (defined via ‘exception-policy’ master switch)
[9008] 1/3/2024 – 00:53:04 - (defrag-hash.c:DefragInitConfig:254) – allocated 229376 bytes of memory for the defrag hash… 4096 buckets of size 56
[9008] 1/3/2024 – 00:53:04 - (defrag-hash.c:DefragInitConfig:288) – defrag memory usage: 229376 bytes, maximum: 16777216
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:PickPacketAction:126) – flow actions not supported for flow.memcap-policy, defaulting to “pass-packet”
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyGetDefault:220) – flow.memcap-policy: pass-packet (defined via ‘exception-policy’ master switch)
[9008] 1/3/2024 – 00:53:04 - (flow.c:FlowInitConfig:675) – flow size 296, memcap allows for 0 flows. Per hash row in perfect conditions 0
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:410) – stream “prealloc-sessions”: 2048 (per thread)
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:429) – stream “memcap”: 67108864
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:437) – stream “midstream” session pickups: enabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:445) – stream “async-oneside”: disabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:462) – stream “checksum-validation”: enabled
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyGetDefault:220) – stream.memcap-policy: pass-flow (defined via ‘exception-policy’ master switch)
[9008] 1/3/2024 – 00:53:04 - (util-exception-policy.c:ExceptionPolicyGetDefault:220) – stream.reassembly.memcap-policy: pass-flow (defined via ‘exception-policy’ master switch)
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:494) – stream.“inline”: enabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:507) – stream “bypass”: disabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:529) – stream “max-syn-queued”: 10
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:542) – stream “max-synack-queued”: 5
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:564) – stream.reassembly “memcap”: 268435456
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:586) – stream.reassembly “depth”: 1048576
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:659) – stream.reassembly “toserver-chunk-size”: 2490
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:661) – stream.reassembly “toclient-chunk-size”: 2532
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:673) – stream.reassembly.raw: enabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp.c:StreamTcpInitConfig:682) – stream.liberal-timestamps: disabled
[9008] 1/3/2024 – 00:53:04 - (stream-tcp-reassemble.c:StreamTcpReassemblyConfig:491) – stream.reassembly “segment-prealloc”: 2048
[9008] 1/3/2024 – 00:53:04 - (stream-tcp-reassemble.c:StreamTcpReassemblyConfig:514) – stream.reassembly “max-regions”: 8
[9008] 1/3/2024 – 00:53:04 - (util-logopenfile.c:SCConfLogOpenGeneric:659) – stats-json output device (regular) initialized: stats_301.json
[9008] 1/3/2024 – 00:53:04 - (util-logopenfile.c:SCConfLogOpenGeneric:659) – eve-log output device (regular) initialized: idps_events_301.json
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘alert’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘anomaly’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘http’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:767) – No output module named eve-log.http
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘dns’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘tls’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘files’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘smtp’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘flow’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘ssh’
[9008] 1/3/2024 – 00:53:04 - (runmodes.c:RunModeInitializeEveOutput:726) – enabling ‘eve-log’ module ‘netflow’
[9008] 1/3/2024 – 00:53:04 - (suricata.c:SetupDelayedDetect:2502) – Delayed detect disabled
[9008] 1/3/2024 – 00:53:04 - (detect-engine-loader.c:DetectLoadersInit:473) – using 3 detect loader threads
[9008] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineMultiTenantSetup:4247) – multi-tenant selector type vlan
[9008] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineMultiTenantSetup:4279) – multi-detect is enabled (multi tenancy). Selector: vlan
[9008] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineMultiTenantSetupLoadVlanMappings:4205) – vlan 1000 connected to tenant-id 1
[9008] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineMultiTenantSetupLoadVlanMappings:4205) – vlan 1001 connected to tenant-id 2
[9008] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineMultiTenantSetupLoadVlanMappings:4205) – vlan 1002 connected to tenant-id 3
[9010] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9011] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9010] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9011] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9010] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9011] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9010] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9011] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9012] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9012] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9012] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9012] 1/3/2024 – 00:53:04 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9011] 1/3/2024 – 00:53:04 - (reputation.c:SRepInit:612) – IP reputation disabled
[9010] 1/3/2024 – 00:53:04 - (reputation.c:SRepInit:612) – IP reputation disabled
[9012] 1/3/2024 – 00:53:04 - (reputation.c:SRepInit:612) – IP reputation disabled
[9011] 1/3/2024 – 00:53:04 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/wan/wan_rules.rules
[9010] 1/3/2024 – 00:53:04 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/lan/lan_rules.rules
[9012] 1/3/2024 – 00:53:04 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/adv/adv_rules.rules
[9012] 1/3/2024 – 00:53:11 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 5171 rules successfully loaded, 0 rules failed
[9012] 1/3/2024 – 00:53:11 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9012] 1/3/2024 – 00:53:11 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 5171 signatures processed. 0 are IP-only rules, 126 are inspecting packet payload, 5045 inspect application layer, 0 are decoder event only
[9012] 1/3/2024 – 00:53:11 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9010] 1/3/2024 – 00:53:19 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9010] 1/3/2024 – 00:53:19 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9011] 1/3/2024 – 00:53:19 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9011] 1/3/2024 – 00:53:19 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9010] 1/3/2024 – 00:53:19 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 16751 signatures processed. 0 are IP-only rules, 1409 are inspecting packet payload, 15329 inspect application layer, 0 are decoder event only
[9010] 1/3/2024 – 00:53:19 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9011] 1/3/2024 – 00:53:19 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 16751 signatures processed. 0 are IP-only rules, 1409 are inspecting packet payload, 15329 inspect application layer, 0 are decoder event only
[9011] 1/3/2024 – 00:53:19 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9008] 1/3/2024 – 00:53:31 - (tmqh-flow.c:TmqhFlowPrintAutofpHandler:92) – AutoFP mode using “Hash” flow load balancer
[9008] 1/3/2024 – 00:53:31 - (flow-manager.c:FlowManagerThreadSpawn:948) – using 1 flow manager threads
[9008] 1/3/2024 – 00:53:31 - (flow-manager.c:FlowRecyclerThreadSpawn:1154) – using 1 flow recycler threads
[9008] 1/3/2024 – 00:53:31 - (unix-manager.c:UnixNew:136) – unix socket ‘/var/aryaka/nexus/idps_ni/custom.socket’
[9008] 1/3/2024 – 00:53:31 - (tm-threads.c:TmThreadWaitOnThreadRunning:1893) – Threads created → RX: 8 W: 8 TX: 3 FM: 1 FR: 1 Engine started.
[9010] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9010] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9010] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9010] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9012] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9011] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxInitReal:2502) – pattern matchers: MPM: hs, SPM: hs
[9012] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9011] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2914) – grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9012] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9011] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2940) – grouping: udp-whitelist (default) 53, 135, 5060
[9012] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9011] 1/3/2024 – 00:57:43 - (detect-engine.c:DetectEngineCtxLoadConf:2970) – prefilter engines: MPM
[9010] 1/3/2024 – 00:57:43 - (reputation.c:SRepInit:612) – IP reputation disabled
[9010] 1/3/2024 – 00:57:43 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/lan/lan_rules.rules
[9012] 1/3/2024 – 00:57:43 - (reputation.c:SRepInit:612) – IP reputation disabled
[9011] 1/3/2024 – 00:57:43 - (reputation.c:SRepInit:612) – IP reputation disabled
[9012] 1/3/2024 – 00:57:43 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/adv/adv_rules.rules
[9011] 1/3/2024 – 00:57:43 - (detect-engine-loader.c:ProcessSigFiles:248) – Loading rule file: /var/aryaka/nexus/idps_ni/rules/wan/wan_rules.rules
[9012] 1/3/2024 – 00:57:50 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 5171 rules successfully loaded, 0 rules failed
[9012] 1/3/2024 – 00:57:50 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9012] 1/3/2024 – 00:57:50 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 5171 signatures processed. 0 are IP-only rules, 126 are inspecting packet payload, 5045 inspect application layer, 0 are decoder event only
[9012] 1/3/2024 – 00:57:50 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9010] 1/3/2024 – 00:57:55 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9010] 1/3/2024 – 00:57:55 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9011] 1/3/2024 – 00:57:55 - (detect-engine-loader.c:SigLoadSignatures:351) – 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9011] 1/3/2024 – 00:57:55 - (util-threshold-config.c:SCThresholdConfParseFile:1045) – Threshold config parsed: 0 rule(s) found
[9010] 1/3/2024 – 00:57:55 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 16751 signatures processed. 0 are IP-only rules, 1409 are inspecting packet payload, 15329 inspect application layer, 0 are decoder event only
[9010] 1/3/2024 – 00:57:55 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9011] 1/3/2024 – 00:57:55 - (detect-engine-build.c:SigAddressPrepareStage1:1503) – 16751 signatures processed. 0 are IP-only rules, 1409 are inspecting packet payload, 15329 inspect application layer, 0 are decoder event only
[9011] 1/3/2024 – 00:57:55 - (detect-engine-build.c:SigAddressPrepareStage1:1506) – building signature grouping structure, stage 1: preprocessing rules… complete
[9579] 1/3/2024 – 00:57:56 - (runmode-unix-socket.c:UnixSocketReloadTenants:1156) – reload-tenants complete

Please provide the stats.log as well
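
A cross-check for the situation in this thread, as an added example that is not part of any post or of Suricata's code: it counts the detect engines the log reports as loaded in each load cycle and subtracts what `ruleset-stats` returned, so a non-empty result means the socket reply and the log disagree. The function names and the use of "Engine started" and "reload-tenants complete" as cycle boundaries are assumptions of this example; the sample log is constructed by abridging the log in the post.

```python
import json
import re
from collections import Counter

# "[tid] date <sep> time - (file:func:line) <sep> message"; <sep> is shown as an
# en dash on this page, so any single token is accepted in that position.
LINE = re.compile(r"^\[\d+\] \S+ \S+ [\d:]+ - \((?P<src>[^)]+)\) \S+ (?P<msg>.*)$")
LOADED = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
CYCLE_END = ("Engine started", "reload-tenants complete")  # assumed boundaries

# Constructed sample: lines abridged from the log in the post.
SAMPLE_LOG = """\
[9012] 1/3/2024 -- 00:53:11 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 5171 rules successfully loaded, 0 rules failed
[9010] 1/3/2024 -- 00:53:19 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9011] 1/3/2024 -- 00:53:19 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9008] 1/3/2024 -- 00:53:31 - (tm-threads.c:TmThreadWaitOnThreadRunning:1893) -- Threads created -> RX: 8 W: 8 TX: 3 FM: 1 FR: 1 Engine started.
[9012] 1/3/2024 -- 00:57:50 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 5171 rules successfully loaded, 0 rules failed
[9010] 1/3/2024 -- 00:57:55 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9011] 1/3/2024 -- 00:57:55 - (detect-engine-loader.c:SigLoadSignatures:351) -- 1 rule files processed. 16751 rules successfully loaded, 0 rules failed
[9579] 1/3/2024 -- 00:57:56 - (runmode-unix-socket.c:UnixSocketReloadTenants:1156) -- reload-tenants complete
"""
# The two ruleset-stats replies from the post, as JSON text.
STATS_BEFORE = ('[{"id": 0, "rules_failed": 0, "rules_loaded": 0},'
                ' {"id": 2, "rules_failed": 0, "rules_loaded": 16751},'
                ' {"id": 1, "rules_failed": 0, "rules_loaded": 16751},'
                ' {"id": 3, "rules_failed": 0, "rules_loaded": 5171}]')
STATS_AFTER = '[{"id": 0, "rules_failed": 0, "rules_loaded": 0}]'


def load_cycles(log_text):
    """Return one Counter per load cycle: {rules_loaded: number of engines}."""
    cycles, current = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # free-text annotations and wrapped lines are skipped
        hit = LOADED.search(m["msg"])
        if hit and ":SigLoadSignatures:" in m["src"]:
            current[int(hit.group(1))] += 1
        elif any(marker in m["msg"] for marker in CYCLE_END):
            cycles.append(current)
            current = Counter()
    return cycles


def stats_counts(response_json):
    """Counter of the non-zero rules_loaded values in a ruleset-stats reply."""
    entries = json.loads(response_json)
    return Counter(e["rules_loaded"] for e in entries if e["rules_loaded"])


def reload_discrepancy(log_text, stats_reply):
    """Engines the last logged load cycle built that the reply does not list."""
    cycles = load_cycles(log_text)
    logged = cycles[-1] if cycles else Counter()
    return logged - stats_counts(stats_reply)


if __name__ == "__main__":
    print("missing from ruleset-stats:", dict(reload_discrepancy(SAMPLE_LOG, STATS_AFTER)))
```

On the data in this thread the startup cycle matches the first reply, while the reload cycle logs three loaded rulesets that the second reply does not list.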