What does "Alerts" mean in the output of suricata?

Hi,
I installed Suricata on a Windows box and checked a pcap file.
This is, among other things, part of the output:
[7100] Warning: suricata: setrlimit unavailable.
[16524] Info: pcap: Starting file run for ha-idg-1_3.cap
[7100] Notice: threads: Threads created → RX: 1 W: 12 FM: 1 FR: 1 Engine started.
[16524] Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[16524] Error: pcap: error code -1 truncated dump file; tried to read 606 captured bytes, only got 445 for ha-idg-1_3.cap
[7100] Notice: suricata: Signal Received. Stopping engine.
[7100] Info: suricata: time elapsed 189.870s
[22580] Perf: flow-manager: 23694 flows processed
[16524] Notice: pcap: read 0 files, 12712518 packets, 12580149691 bytes
[7100] Perf: tmqh-flow: AutoFP - Total flow handler queues - 12
[7100] Info: counters: Alerts: 1089
[7100] Perf: ippair: ippair memory usage: 382144 bytes, maximum: 16777216
[7100] Perf: host: host memory usage: 366144 bytes, maximum: 33554432

What does “[7100] Info: counters: Alerts: 1089” mean?

Bernd

This means that this pcap triggered 1089 alert events, so you could look into the events and see which alerts triggered and why.

Here is the complete output:
M:\Daten\AG_BioInformatik\Technik\wireshark>"c:\Program Files\Suricata\suricata.exe" -vvv -r ha-idg-1_3.cap
Info: win32-service: Running as service: no
Info: conf-yaml-loader: Configuration node ‘enabled’ redefined.
[24372] Notice: suricata: This is Suricata version 7.0.0 RELEASE running in USER mode
[24372] Info: cpu: CPUs/cores online: 12
[24372] Info: suricata: Setting engine mode to IDS mode by default
[24372] Info: exception-policy: master exception-policy set to: auto
[24372] Config: exception-policy: app-layer.error-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: app-layer-htp: ‘default’ server has ‘request-body-minimal-inspect-size’ set to 32241 and ‘request-body-inspect-window’ set to 4194 after randomization.
[24372] Config: app-layer-htp: ‘default’ server has ‘response-body-minimal-inspect-size’ set to 42329 and ‘response-body-inspect-window’ set to 15788 after randomization.
[24372] Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864
[24372] Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864
[24372] Config: app-layer-enip: Protocol detection and parser disabled for enip protocol.
[24372] Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3.
[24372] Config: host: allocated 262144 bytes of memory for the host hash… 4096 buckets of size 64
[24372] Config: host: preallocated 1000 hosts of size 104
[24372] Config: host: host memory usage: 366144 bytes, maximum: 33554432
[24372] Info: coredump-config: Configuring core dump is not yet supported on Windows.
[24372] Config: exception-policy: defrag.memcap-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: defrag-hash: allocated 1572864 bytes of memory for the defrag hash… 65536 buckets of size 24
[24372] Config: defrag-hash: preallocated 65535 defrag trackers of size 128
[24372] Config: defrag-hash: defrag memory usage: 9961344 bytes, maximum: 33554432
[24372] Config: exception-policy: flow.memcap-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: flow: flow size 264, memcap allows for 508400 flows. Per hash row in perfect conditions 7
[24372] Config: stream-tcp: stream “prealloc-sessions”: 2048 (per thread)
[24372] Config: stream-tcp: stream “memcap”: 67108864
[24372] Config: stream-tcp: stream “midstream” session pickups: disabled
[24372] Config: stream-tcp: stream “async-oneside”: disabled
[24372] Config: stream-tcp: stream “checksum-validation”: enabled
[24372] Config: exception-policy: stream.memcap-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: exception-policy: stream.midstream-policy: ignore (defined via ‘exception-policy’ master switch)
[24372] Config: stream-tcp: stream.“inline”: disabled
[24372] Config: stream-tcp: stream “bypass”: disabled
[24372] Config: stream-tcp: stream “max-syn-queued”: 10
[24372] Config: stream-tcp: stream “max-synack-queued”: 5
[24372] Config: stream-tcp: stream.reassembly “memcap”: 268435456
[24372] Config: stream-tcp: stream.reassembly “depth”: 1048576
[24372] Config: stream-tcp: stream.reassembly “toserver-chunk-size”: 2684
[24372] Config: stream-tcp: stream.reassembly “toclient-chunk-size”: 2605
[24372] Config: stream-tcp: stream.reassembly.raw: enabled
[24372] Config: stream-tcp: stream.liberal-timestamps: disabled
[24372] Config: stream-tcp-reassemble: stream.reassembly “segment-prealloc”: 2048
[24372] Config: stream-tcp-reassemble: stream.reassembly “max-regions”: 8
[24372] Info: logopenfile: fast output device (regular) initialized: C:\Program Files\Suricata\log\fast.log
[24372] Info: logopenfile: eve-log output device (regular) initialized: C:\Program Files\Suricata\log\eve.json
[24372] Config: runmodes: enabling ‘eve-log’ module ‘alert’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘frame’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘anomaly’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘http’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘dns’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘tls’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘files’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘smtp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘ftp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘rdp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘nfs’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘smb’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘tftp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘ike’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘dcerpc’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘krb5’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘bittorrent-dht’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘snmp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘rfb’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘sip’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘quic’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘dhcp’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘ssh’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘mqtt’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘http2’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘pgsql’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘stats’
[24372] Config: runmodes: enabling ‘eve-log’ module ‘flow’
[24372] Info: logopenfile: stats output device (regular) initialized: C:\Program Files\Suricata\log\stats.log
[24372] Config: suricata: Delayed detect disabled
[24372] Config: detect: pattern matchers: MPM: ac, SPM: bm
[24372] Config: detect: grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[24372] Config: detect: grouping: udp-whitelist (default) 53, 135, 5060
[24372] Config: detect: prefilter engines: MPM
[24372] Config: reputation: IP reputation disabled
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\botcc.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\botcc.portgrouped.rules
[24372] Config: detect: No rules loaded from botcc.portgrouped.rules.
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\ciarmy.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\compromised.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\drop.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\dshield.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-activex.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-adware_pup.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-attack_response.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-chat.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-coinminer.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-current_events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-dns.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-deleted.rules
[24372] Config: detect: No rules loaded from emerging-deleted.rules.
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-dos.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-exploit.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-ftp.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-games.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-hunting.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-icmp_info.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-icmp.rules
[24372] Config: detect: No rules loaded from emerging-icmp.rules.
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-imap.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-inappropriate.rules
[24372] Config: detect: No rules loaded from emerging-inappropriate.rules.
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-info.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-ja3.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-malware.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-misc.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-mobile_malware.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-netbios.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-phishing.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-p2p.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-policy.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-pop3.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-rpc.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-scada.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-scan.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-shellcode.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-smtp.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-snmp.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-sql.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-telnet.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-tftp.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-user_agents.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-voip.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-web_client.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-web_server.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-web_specific_apps.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\emerging-worm.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\tor.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\stream-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\http-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\http2-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\smtp-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\dns-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\tls-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\app-layer-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\ntp-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\ipsec-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\kerberos-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\smb-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\nfs-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\dhcp-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\ssh-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\rfb-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\ftp-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\files.rules
[24372] Config: detect: No rules loaded from files.rules.
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\mqtt-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\quick-events.rules
[24372] Config: detect: Loading rule file: C:\Program Files\Suricata\rules\threatview_CS_c2.rules
[24372] Info: detect: 69 rule files processed. 34617 rules successfully loaded, 0 rules failed
[24372] Warning: threshold-config: Error opening file: “C:\Program Files\Suricata\\threshold.config”: No such file or directory
[24372] Info: detect: 34620 signatures processed. 1393 are IP-only rules, 5242 are inspecting packet payload, 27890 inspect application layer, 0 are decoder event only
[24372] Config: detect: building signature grouping structure, stage 1: preprocessing rules… complete
[24372] Perf: detect: TCP toserver: 41 port groups, 40 unique SGH’s, 1 copies
[24372] Perf: detect: TCP toclient: 21 port groups, 21 unique SGH’s, 0 copies
[24372] Perf: detect: UDP toserver: 41 port groups, 39 unique SGH’s, 2 copies
[24372] Perf: detect: UDP toclient: 21 port groups, 16 unique SGH’s, 5 copies
[24372] Perf: detect: OTHER toserver: 254 proto groups, 4 unique SGH’s, 250 copies
[24372] Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH’s, 254 copies
[24372] Perf: detect: Unique rule groups: 120
[24372] Perf: detect: Builtin MPM “toserver TCP packet”: 29
[24372] Perf: detect: Builtin MPM “toclient TCP packet”: 20
[24372] Perf: detect: Builtin MPM “toserver TCP stream”: 31
[24372] Perf: detect: Builtin MPM “toclient TCP stream”: 20
[24372] Perf: detect: Builtin MPM “toserver UDP packet”: 39
[24372] Perf: detect: Builtin MPM “toclient UDP packet”: 16
[24372] Perf: detect: Builtin MPM “other IP packet”: 3
[24372] Perf: detect: AppLayer MPM “toserver http_uri (http)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_uri (http2)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_raw_uri (http)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_raw_uri (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_request_line (http)”: 10
[24372] Perf: detect: AppLayer MPM “toserver http_request_line (http2)”: 10
[24372] Perf: detect: AppLayer MPM “toserver http_client_body (http)”: 14
[24372] Perf: detect: AppLayer MPM “toserver http_client_body (http2)”: 14
[24372] Perf: detect: AppLayer MPM “toclient http_response_line (http)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_response_line (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_header (http)”: 16
[24372] Perf: detect: AppLayer MPM “toclient http_header (http)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_header (http2)”: 16
[24372] Perf: detect: AppLayer MPM “toclient http_header (http2)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_header_names (http)”: 16
[24372] Perf: detect: AppLayer MPM “toclient http_header_names (http)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_header_names (http2)”: 16
[24372] Perf: detect: AppLayer MPM “toclient http_header_names (http2)”: 16
[24372] Perf: detect: AppLayer MPM “toserver http_accept (http)”: 8
[24372] Perf: detect: AppLayer MPM “toserver http_accept (http2)”: 8
[24372] Perf: detect: AppLayer MPM “toserver http_accept_enc (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_accept_enc (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_accept_lang (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_accept_lang (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_referer (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_referer (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_connection (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_connection (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_connection (http)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_connection (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_content_len (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_content_len (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_content_len (http)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_content_len (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_content_type (http)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_content_type (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http_content_type (http)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http_content_type (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http.server (http)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http.server (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http.location (http)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http.location (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_start (http)”: 6
[24372] Perf: detect: AppLayer MPM “toclient http_start (http)”: 6
[24372] Perf: detect: AppLayer MPM “toserver http_raw_header (http)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http_raw_header (http)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_raw_header (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http_raw_header (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_method (http)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_method (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_cookie (http)”: 6
[24372] Perf: detect: AppLayer MPM “toclient http_cookie (http)”: 6
[24372] Perf: detect: AppLayer MPM “toserver http_cookie (http2)”: 6
[24372] Perf: detect: AppLayer MPM “toclient http_cookie (http2)”: 6
[24372] Perf: detect: AppLayer MPM “toserver http_user_agent (http)”: 14
[24372] Perf: detect: AppLayer MPM “toserver http_user_agent (http2)”: 14
[24372] Perf: detect: AppLayer MPM “toserver http_host (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_host (http)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_host (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_host (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toserver http_raw_host (http)”: 2
[24372] Perf: detect: AppLayer MPM “toserver http_raw_host (http2)”: 2
[24372] Perf: detect: AppLayer MPM “toclient http_stat_code (http)”: 4
[24372] Perf: detect: AppLayer MPM “toclient http_stat_code (http2)”: 4
[24372] Perf: detect: AppLayer MPM “toserver dns_query (dns)”: 2
[24372] Perf: detect: AppLayer MPM “toserver dns_query (dns)”: 1
[24372] Perf: detect: AppLayer MPM “toserver tls.sni (tls)”: 2
[24372] Perf: detect: AppLayer MPM “toserver tls.sni (tls)”: 1
[24372] Perf: detect: AppLayer MPM “toserver tls.cert_issuer (tls)”: 6
[24372] Perf: detect: AppLayer MPM “toclient tls.cert_issuer (tls)”: 6
[24372] Perf: detect: AppLayer MPM “toserver tls.cert_subject (tls)”: 4
[24372] Perf: detect: AppLayer MPM “toclient tls.cert_subject (tls)”: 4
[24372] Perf: detect: AppLayer MPM “toclient tls.cert_serial (tls)”: 2
[24372] Perf: detect: AppLayer MPM “toserver tls.cert_serial (tls)”: 2
[24372] Perf: detect: AppLayer MPM “toclient tls.certs (tls)”: 3
[24372] Perf: detect: AppLayer MPM “toserver tls.certs (tls)”: 3
[24372] Perf: detect: AppLayer MPM “toserver ja3.hash (tls)”: 2
[24372] Perf: detect: AppLayer MPM “toserver ja3.hash (quic)”: 2
[24372] Perf: detect: AppLayer MPM “toclient ja3s.hash (tls)”: 1
[24372] Perf: detect: AppLayer MPM “toclient ja3s.hash (quic)”: 1
[24372] Perf: detect: AppLayer MPM “toserver ssh.proto (ssh)”: 1
[24372] Perf: detect: AppLayer MPM “toclient ssh.proto (ssh)”: 1
[24372] Perf: detect: AppLayer MPM “toclient file_data (nfs)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (nfs)”: 19
[24372] Perf: detect: AppLayer MPM “toclient file_data (smb)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (smb)”: 19
[24372] Perf: detect: AppLayer MPM “toclient file_data (ftp)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (ftp)”: 19
[24372] Perf: detect: AppLayer MPM “toclient file_data (ftp-data)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (ftp-data)”: 19
[24372] Perf: detect: AppLayer MPM “toclient file_data (http)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (http)”: 19
[24372] Perf: detect: AppLayer MPM “toclient file_data (http2)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (http2)”: 19
[24372] Perf: detect: AppLayer MPM “toserver file_data (smtp)”: 19
[24372] Config: tmqh-flow: AutoFP mode using “Hash” flow load balancer
[24372] Config: flow-manager: using 1 flow manager threads
[24372] Config: flow-manager: using 1 flow recycler threads
[24372] Warning: suricata: setrlimit unavailable.
[17416] Info: pcap: Starting file run for ha-idg-1_3.cap
[24372] Notice: threads: Threads created → RX: 1 W: 12 FM: 1 FR: 1 Engine started.
[17416] Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[17416] Error: pcap: error code -1 truncated dump file; tried to read 606 captured bytes, only got 445 for ha-idg-1_3.cap
[24372] Notice: suricata: Signal Received. Stopping engine.
[24372] Info: suricata: time elapsed 193.258s
[22296] Perf: flow-manager: 23661 flows processed
[17416] Notice: pcap: read 0 files, 12712518 packets, 12580149691 bytes
[24372] Perf: tmqh-flow: AutoFP - Total flow handler queues - 12
[24372] Info: counters: Alerts: 1089
[24372] Perf: ippair: ippair memory usage: 382144 bytes, maximum: 16777216
[24372] Perf: host: host memory usage: 366144 bytes, maximum: 33554432

Where is the information about these alerts?

Bernd

This depends on how you configured your suricata.yaml, so ideally you have an eve.json and/or fast.log file. I would also recommend taking a look at the docs: Suricata User Guide — Suricata 7.0.2-dev documentation

I would start to look for those files in C:\Program Files\Suricata\log

Hi Andreas,
thanks for your help. I find a lot of events in the log files. Is there something in the documentation that helps me to understand them?

Bernd

Well, I would start with: why did you run this pcap against Suricata? What were you trying to achieve?

Alert events are triggered because a signature triggered, so you might want to look into those signatures and see the message, and also look into the metadata for more explanation.

Other events are from a network monitoring perspective, so all the flows/connections and protocols being seen.

Hi Andreas,
I’m running Suricata against pcap files because we’ve been attacked and I made some network sniffs. My plan is to run Suricata as an IDS: I will forward all packets from an uplink at a switch to a host running Suricata. It’s just a small solution for the handful of servers we are running. Our company has an IDS (Cisco), but the information flow to us is very bad. No news, incomplete news, late news …
Bernd

Hi,
I read 10. Making sense out of Alerts — Suricata 7.0.2-dev documentation.
I found: “When using the default Eve settings a lot of metadata will be added to the alert.”
How can I achieve these Eve settings?
Bernd

I found it out by myself. It’s configurable in suricata.yaml.

You can fine-tune it to your purpose. Suricata produces different events: on one hand you have the alerts that are the result of a signature trigger, but you will also get a lot of metadata like the flow and specific protocol data. This data can help to narrow down attacks but also generic network issues. It will take some time to get familiar with the log files.
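As an added example (not from this thread and not part of the Suricata project), here is a small Python script showing what the two answers above describe: it reads eve.json line by line, counts the alert records (that count is the same quantity the engine prints as “counters: Alerts: N” at shutdown), groups the alerts by signature, and prints each alert together with the protocol metadata and the flow/protocol records logged for the same flow_id. The eve.json lines embedded below are constructed for the example; sids 2100498 and 2001219 are real GPL/ET signature ids used only as illustration, sid 1000001 is a made-up local rule, and the last line is deliberately truncated to show that a half-written line (normal while Suricata is still writing the file) is skipped rather than crashing the script.

```python
"""Summarise a Suricata eve.json: alert count, alerts per signature, and the
metadata attached to each alert. Added example; the records below are constructed."""
import json
from collections import Counter

# Constructed eve.json records: 4 alerts, 2 flow records, 1 http record,
# one deliberately truncated line and one blank line.
SAMPLE_EVE = """\
{"timestamp":"2023-10-01T10:00:00.000000+0200","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"203.0.113.10","url":"/cgi-bin/status","http_method":"GET","status":200}}
{"timestamp":"2023-10-01T10:00:01.000000+0200","flow_id":2,"event_type":"alert","src_ip":"198.51.100.7","src_port":44000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2,"metadata":{"attack_target":["Server"],"signature_severity":["Minor"]}}}
{"timestamp":"2023-10-01T10:00:02.000000+0200","flow_id":3,"event_type":"alert","src_ip":"198.51.100.7","src_port":44001,"dest_ip":"10.0.0.6","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2,"metadata":{"attack_target":["Server"],"signature_severity":["Minor"]}}}
{"timestamp":"2023-10-01T10:00:03.000000+0200","flow_id":4,"event_type":"alert","src_ip":"10.0.0.5","src_port":53000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Misc activity","severity":3},"dns":{"query":[{"type":"query","rrname":"example.test","rrtype":"A"}]}}
{"timestamp":"2023-10-01T10:00:05.000000+0200","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":720,"bytes_toclient":1450,"state":"closed"}}
{"timestamp":"2023-10-01T10:00:00.100000+0200","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"203.0.113.10","url":"/cgi-bin/status","http_method":"GET","status":200,"length":512}}
{"timestamp":"2023-10-01T10:00:06.000000+0200","flow_id":2,"event_type":"flow","src_ip":"198.51.100.7","src_port":44000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","app_proto":"ssh","flow":{"pkts_toserver":3,"pkts_toclient":2,"bytes_toserver":240,"bytes_toclient":160,"state":"closed"}}
{"timestamp":"2023-10-01T10:00:07.000000+0200","event_type":"alert","src_ip":"10.0.0.5

"""

# Keys Suricata uses for the protocol-specific metadata it attaches to an alert.
APP_LAYER_KEYS = ("http", "dns", "tls", "ssh", "smb", "smtp", "ftp")


def parse_eve(text):
    """Parse eve.json (one JSON object per line). Blank or malformed lines are
    skipped; a malformed last line is normal while the file is still being written."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_by_event_type(events):
    """How many records of each event_type (alert, flow, http, dns, ...) were logged."""
    return Counter(e.get("event_type", "unknown") for e in events)


def alert_count(events):
    """Number of alert records; the same quantity as 'counters: Alerts: N' at shutdown."""
    return sum(1 for e in events if e.get("event_type") == "alert")


def alerts_by_signature(events):
    """Return [(sid, signature, count)] sorted by count (desc), then sid."""
    counts, names = Counter(), {}
    for e in events:
        if e.get("event_type") != "alert":
            continue
        a = e["alert"]
        counts[a["signature_id"]] += 1
        names[a["signature_id"]] = a["signature"]
    return sorted(((sid, names[sid], n) for sid, n in counts.items()),
                  key=lambda t: (-t[2], t[0]))


def alert_context(event):
    """One line per alert: sid, message, 5-tuple endpoints, attached app-layer
    data and any rule metadata (the 'default Eve settings' metadata the docs mention)."""
    a = event["alert"]
    parts = [f"sid={a['signature_id']}", a["signature"],
             f"{event['src_ip']}:{event['src_port']} -> {event['dest_ip']}:{event['dest_port']}"]
    for key in APP_LAYER_KEYS:
        if key in event:
            parts.append(f"{key}={json.dumps(event[key], sort_keys=True)}")
    meta = a.get("metadata")
    if meta:
        parts.append("metadata=" + ",".join(f"{k}:{'/'.join(v)}" for k, v in sorted(meta.items())))
    return " | ".join(parts)


def join_flow_context(events):
    """Map flow_id -> event_types of the non-alert records for that flow, so an alert
    can be read together with the flow/protocol records logged for the same connection."""
    ctx = {}
    for e in events:
        if e.get("event_type") != "alert" and "flow_id" in e:
            ctx.setdefault(e["flow_id"], []).append(e["event_type"])
    return ctx


if __name__ == "__main__":
    # To run against a real file: events = parse_eve(open(path, encoding="utf-8").read())
    events = parse_eve(SAMPLE_EVE)
    print("event types:", dict(count_by_event_type(events)))
    print("alerts:", alert_count(events))
    for sid, sig, n in alerts_by_signature(events):
        print(f"{n:5d}  {sid}  {sig}")
    flows = join_flow_context(events)
    for e in events:
        if e.get("event_type") == "alert":
            print(alert_context(e), "| other records on this flow:", flows.get(e.get("flow_id"), []))
```

The per-signature table is the first thing worth looking at on a capture like the one in the thread: a count of 1089 is often a few signatures firing repeatedly, and it is the signature message plus its metadata (category, severity, attack_target, references to a CVE or write-up) that tells you whether an alert is relevant or noise. The flow and protocol records for the same flow_id give the context (bytes, state, hostname, URL, DNS name) that the alert line alone does not.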

Hi,
I see. I need to read a lot. Is there a wiki or a KB which describes the rules more precisely?
Bernd

There is 8. Suricata Rules — Suricata 7.0.2-dev documentation with the description of the keywords. Some signatures, for example from Emerging Threats, have some metadata in the signatures as well. Sometimes they reference an attack description or CVE related to that signature.

Hi Andreas,
thanks for your help. I started reading it.
Bernd