I have built Suricata 5.0.3 for OpenWrt (based on main branch). It installs and runs, but I’m having some suricata-based errors I need help correcting (I’ve never used suricata before).
root@Shield:/etc# suricata -V
This is Suricata version 5.0.3 RELEASE
root@Shield:/etc# suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV | single | Single threaded pcap live mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from th
| ---------------------------------------------------------------------
| | workers | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE | single | Single threaded pcap file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from th
|----------------------------------------------------------------------------------------
| PFRING(DISABLED) | autofp | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same
| ---------------------------------------------------------------------
| | single | Single threaded pfring mode
| ---------------------------------------------------------------------
| | workers | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ | autofp | Multi threaded NFQ IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG | autofp | Multi threaded nflog mode
| ---------------------------------------------------------------------
| | single | Single threaded nflog mode
| ---------------------------------------------------------------------
| | workers | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW | autofp | Multi threaded IPFW IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE | single | Single threaded ERF file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG | autofp | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow
| ---------------------------------------------------------------------
| | single | Singled threaded DAG mode
| ---------------------------------------------------------------------
| | workers | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV | single | Single threaded af-packet mode
| ---------------------------------------------------------------------
| | workers | Workers af-packet mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED) | single | Single threaded netmap mode
| ---------------------------------------------------------------------
| | workers | Workers netmap mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET | single | Unix socket mode
| ---------------------------------------------------------------------
| | autofp | Unix socket mode
|----------------------------------------------------------------------------------------
| WINDIVERT(DISABLED) | autofp | Multi-threaded WinDivert IPS mode load-balanced by flow
|----------------------------------------------------------------------------------------
root@Shield:/etc# suricata --dump-config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DC_SERVERS = $HOME_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
vars.port-groups.MODBUS_PORTS = 502
vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
vars.port-groups.FTP_PORTS = 21
vars.port-groups.VXLAN_PORTS = 4789
vars.port-groups.TEREDO_PORTS = 3544
default-log-dir = /var/log/suricata/
stats = (null)
stats.enabled = yes
stats.interval = 8
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filetype = regular
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.pcap-file = false
outputs.1.eve-log.community-id = false
outputs.1.eve-log.community-id-seed = 0
outputs.1.eve-log.xff = (null)
outputs.1.eve-log.xff.enabled = no
outputs.1.eve-log.xff.mode = extra-data
outputs.1.eve-log.xff.deployment = reverse
outputs.1.eve-log.xff.header = X-Forwarded-For
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.0.alert = (null)
outputs.1.eve-log.types.0.alert.tagged-packets = yes
outputs.1.eve-log.types.1 = anomaly
outputs.1.eve-log.types.1.anomaly = (null)
outputs.1.eve-log.types.1.anomaly.enabled = yes
outputs.1.eve-log.types.1.anomaly.types =
outputs.1.eve-log.types.2 = http
outputs.1.eve-log.types.2.http = (null)
outputs.1.eve-log.types.2.http.extended = yes
outputs.1.eve-log.types.3 = dns
outputs.1.eve-log.types.3.dns =
outputs.1.eve-log.types.4 = tls
outputs.1.eve-log.types.4.tls = (null)
outputs.1.eve-log.types.4.tls.extended = yes
outputs.1.eve-log.types.5 = files
outputs.1.eve-log.types.5.files = (null)
outputs.1.eve-log.types.5.files.force-magic = no
outputs.1.eve-log.types.6 = smtp
outputs.1.eve-log.types.6.smtp =
outputs.1.eve-log.types.7 = ftp
outputs.1.eve-log.types.8 = nfs
outputs.1.eve-log.types.9 = smb
outputs.1.eve-log.types.10 = tftp
outputs.1.eve-log.types.11 = ikev2
outputs.1.eve-log.types.12 = krb5
outputs.1.eve-log.types.13 = snmp
outputs.1.eve-log.types.14 = dhcp
outputs.1.eve-log.types.14.dhcp = (null)
outputs.1.eve-log.types.14.dhcp.enabled = yes
outputs.1.eve-log.types.14.dhcp.extended = no
outputs.1.eve-log.types.15 = ssh
outputs.1.eve-log.types.16 = stats
outputs.1.eve-log.types.16.stats = (null)
outputs.1.eve-log.types.16.stats.totals = yes
outputs.1.eve-log.types.16.stats.threads = no
outputs.1.eve-log.types.16.stats.deltas = no
outputs.1.eve-log.types.17 = flow
outputs.2 = unified2-alert
outputs.2.unified2-alert = (null)
outputs.2.unified2-alert.enabled = no
outputs.3 = http-log
outputs.3.http-log = (null)
outputs.3.http-log.enabled = no
outputs.3.http-log.filename = http.log
outputs.3.http-log.append = yes
outputs.4 = tls-log
outputs.4.tls-log = (null)
outputs.4.tls-log.enabled = no
outputs.4.tls-log.filename = tls.log
outputs.4.tls-log.append = yes
outputs.5 = tls-store
outputs.5.tls-store = (null)
outputs.5.tls-store.enabled = no
outputs.6 = pcap-log
outputs.6.pcap-log = (null)
outputs.6.pcap-log.enabled = no
outputs.6.pcap-log.filename = log.pcap
outputs.6.pcap-log.limit = 1000mb
outputs.6.pcap-log.max-files = 2000
outputs.6.pcap-log.compression = none
outputs.6.pcap-log.mode = normal
outputs.6.pcap-log.use-stream-depth = no
outputs.6.pcap-log.honor-pass-rules = no
outputs.7 = alert-debug
outputs.7.alert-debug = (null)
outputs.7.alert-debug.enabled = no
outputs.7.alert-debug.filename = alert-debug.log
outputs.7.alert-debug.append = yes
outputs.8 = alert-prelude
outputs.8.alert-prelude = (null)
outputs.8.alert-prelude.enabled = no
outputs.8.alert-prelude.profile = suricata
outputs.8.alert-prelude.log-packet-content = no
outputs.8.alert-prelude.log-packet-header = yes
outputs.9 = stats
outputs.9.stats = (null)
outputs.9.stats.enabled = yes
outputs.9.stats.filename = stats.log
outputs.9.stats.append = yes
outputs.9.stats.totals = yes
outputs.9.stats.threads = no
outputs.10 = syslog
outputs.10.syslog = (null)
outputs.10.syslog.enabled = no
outputs.10.syslog.facility = local5
outputs.11 = drop
outputs.11.drop = (null)
outputs.11.drop.enabled = no
outputs.12 = file-store
outputs.12.file-store = (null)
outputs.12.file-store.version = 2
outputs.12.file-store.enabled = no
outputs.12.file-store.xff = (null)
outputs.12.file-store.xff.enabled = no
outputs.12.file-store.xff.mode = extra-data
outputs.12.file-store.xff.deployment = reverse
outputs.12.file-store.xff.header = X-Forwarded-For
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
outputs.14 = tcp-data
outputs.14.tcp-data = (null)
outputs.14.tcp-data.enabled = no
outputs.14.tcp-data.type = file
outputs.14.tcp-data.filename = tcp-data.log
outputs.15 = http-body-data
outputs.15.http-body-data = (null)
outputs.15.http-body-data.enabled = no
outputs.15.http-body-data.type = file
outputs.15.http-body-data.filename = http-data.log
outputs.16 = lua
outputs.16.lua = (null)
outputs.16.lua.enabled = no
outputs.16.lua.scripts =
logging = (null)
logging.default-log-level = notice
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.level = info
logging.outputs.1.file.filename = suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.1 = interface
af-packet.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.krb5 = (null)
app-layer.protocols.krb5.enabled = yes
app-layer.protocols.snmp = (null)
app-layer.protocols.snmp.enabled = yes
app-layer.protocols.ikev2 = (null)
app-layer.protocols.ikev2.enabled = yes
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.rdp =
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.smtp.raw-extraction = no
app-layer.protocols.smtp.mime = (null)
app-layer.protocols.smtp.mime.decode-mime = yes
app-layer.protocols.smtp.mime.decode-base64 = yes
app-layer.protocols.smtp.mime.decode-quoted-printable = yes
app-layer.protocols.smtp.mime.header-value-depth = 2000
app-layer.protocols.smtp.mime.extract-urls = yes
app-layer.protocols.smtp.mime.body-md5 = no
app-layer.protocols.smtp.inspected-tracker = (null)
app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139, 445
app-layer.protocols.nfs = (null)
app-layer.protocols.nfs.enabled = yes
app-layer.protocols.tftp = (null)
app-layer.protocols.tftp.enabled = yes
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)
app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled = yes
app-layer.protocols.http.libhtp.default-config.swf-decompression.type = both
app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth = 0
app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth = 0
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config =
app-layer.protocols.modbus = (null)
app-layer.protocols.modbus.enabled = no
app-layer.protocols.modbus.detection-ports = (null)
app-layer.protocols.modbus.detection-ports.dp = 502
app-layer.protocols.modbus.stream-depth = 0
app-layer.protocols.dnp3 = (null)
app-layer.protocols.dnp3.enabled = no
app-layer.protocols.dnp3.detection-ports = (null)
app-layer.protocols.dnp3.detection-ports.dp = 20000
app-layer.protocols.enip = (null)
app-layer.protocols.enip.enabled = no
app-layer.protocols.enip.detection-ports = (null)
app-layer.protocols.enip.detection-ports.dp = 44818
app-layer.protocols.enip.detection-ports.sp = 44818
app-layer.protocols.ntp = (null)
app-layer.protocols.ntp.enabled = yes
app-layer.protocols.dhcp = (null)
app-layer.protocols.dhcp.enabled = yes
app-layer.protocols.sip =
asn1-max-frames = 256
coredump = (null)
coredump.max-dump = unlimited
host-mode = auto
unix-command = (null)
unix-command.enabled = auto
legacy = (null)
legacy.uricontent = enabled
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 256mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.bypassed = 100
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.default.emergency-bypassed = 50
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 600
flow-timeouts.tcp.closed = 60
flow-timeouts.tcp.bypassed = 100
flow-timeouts.tcp.emergency-new = 5
flow-timeouts.tcp.emergency-established = 100
flow-timeouts.tcp.emergency-closed = 10
flow-timeouts.tcp.emergency-bypassed = 50
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.bypassed = 100
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.udp.emergency-bypassed = 50
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.bypassed = 100
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
flow-timeouts.icmp.emergency-bypassed = 50
stream = (null)
stream.memcap = 64mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 256mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 64mb
decoder = (null)
decoder.teredo = (null)
decoder.teredo.enabled = true
decoder.teredo.ports = $TEREDO_PORTS
decoder.vxlan = (null)
decoder.vxlan.enabled = true
decoder.vxlan.ports = $VXLAN_PORTS
decoder.erspan = (null)
decoder.erspan.typeI = (null)
decoder.erspan.typeI.enabled = false
detect = (null)
detect.profile = medium
detect.custom-values = (null)
detect.custom-values.toclient-groups = 3
detect.custom-values.toserver-groups = 25
detect.sgh-mpm-context = auto
detect.inspection-recursion-limit = 3000
detect.prefilter = (null)
detect.prefilter.default = mpm
detect.grouping =
detect.profiling = (null)
detect.profiling.grouping = (null)
detect.profiling.grouping.dump-to-disk = false
detect.profiling.grouping.include-rules = false
detect.profiling.grouping.include-mpm-stats = false
mpm-algo = auto
spm-algo = auto
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.0
luajit = (null)
luajit.states = 128
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = yes
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = keyword_perf.log
profiling.keywords.append = yes
profiling.prefilter = (null)
profiling.prefilter.enabled = yes
profiling.prefilter.filename = prefilter_perf.log
profiling.prefilter.append = yes
profiling.rulegroups = (null)
profiling.rulegroups.enabled = yes
profiling.rulegroups.filename = rule_group_perf.log
profiling.rulegroups.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
profiling.pcap-log = (null)
profiling.pcap-log.enabled = no
profiling.pcap-log.filename = pcaplog_stats.log
profiling.pcap-log.append = yes
nfq =
nflog = (null)
nflog.0 = group
nflog.0.group = 2
nflog.0.buffer-size = 18432
nflog.1 = group
nflog.1.group = default
nflog.1.qthreshold = 1
nflog.1.qtimeout = 100
nflog.1.max-size = 20000
capture =
netmap = (null)
netmap.0 = interface
netmap.0.interface = eth2
netmap.1 = interface
netmap.1.interface = default
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = auto
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
ipfw =
napatech = (null)
napatech.streams = (null)
napatech.streams.0 = 0-3
napatech.auto-config = yes
napatech.ports = (null)
napatech.ports.0 = all
napatech.hashmode = hash5tuplesorted
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = suricata.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
root@Shield:/etc# suricata --build-info
This is Suricata version 5.0.3 RELEASE
Features: DEBUG NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Big-endian architecture
GCC version 10.1.0, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=1
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.33, linked against LibHTP v0.5.33
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /home/grommish/.cargo/bin/rustc
Rust compiler version: rustc 1.45.0 (5c1f21c3b 2020-07-13)
Cargo path: /home/grommish/.cargo/bin/cargo
Cargo version: cargo 1.45.0 (744bd1fbb 2020-06-15)
Cargo vendor: yes
Python support: yes
Python path: /home/grommish/openwrt/staging_dir/hostpkg/bin/python3
Python distutils yes
Python yaml no
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: no, requires pyyaml
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: yes
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: mips64-unknown-linux-muslabi64
Compiler: ccache_cc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -Os -pipe -mno-branch-likely -march=octeon3 -mabi=64 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-erros
PCAP_CFLAGS -I/home/grommish/openwrt/staging_dir/target-mips64_octeon3_64_musl/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
root@Shield:/etc# uname -a
Linux Shield 5.4.52 #0 SMP Tue Jul 28 03:51:24 2020 mips64 GNU/Linux
I am getting the following error:
root@Shield:/# suricata -i eth0 -c /etc/suricata/suricata.yaml -T
1/8/2020 -- 22:17:18 - <Info> - Running suricata under test mode
1/8/2020 -- 22:17:18 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
1/8/2020 -- 22:17:18 - <Error> - [ERRCODE: SC_ERR_HOST_INIT(206)] - allocating host hash failed: max host memcap is smaller than projected hash size. Memcap: 0, Hash table size 26214.
root@Shield:/#
This is my host entry in suricata.yaml:
# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
hash-size: 4096
prealloc: 1000
memcap: 512mb
Any help would be greatly appreciated!