When using --pcap-file-continuous suricata saves to the wrong place

Using Suricata 7.0.4
Running on docker/OS Debian 11 raspberry pi

I have come across this issue where if I run this command

sudo suricata -c /etc/suricata/suricata.yaml --pcap-file-delete --pcap-file-continuous -r /etc/suricata/pcaps

all my logs get saved in /etc/suricata/pcaps, when my .yaml file says they should be saved to the default location. I solved it by running this, but shouldn't it save the logs in the default place?

sudo suricata -c /etc/suricata/suricata.yaml --pcap-file-delete --pcap-file-continuous -r /etc/suricata/pcaps -l /var/log/suricata/

Also, is there a way to run Suricata on an interface and run --pcap-file-continuous at the same time, or do I need two separate instances? Because right now I'm running

sudo docker run --rm -it --net=host --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice -e PUID=$(id -u) -e PGID=$(id -g) \
-v /var/log/suricata:/var/log/suricata -v $(pwd)/etc:/etc/suricata jasonish/suricata:latest -i eth0

and then I'm running this inside the container

suricata -c /etc/suricata/suricata.yaml --pcap-file-delete --pcap-file-continuous -r /etc/suricata/pcaps -l /var/log/suricata/

Can you share your suricata.yaml and maybe run Suricata with -vvvv to add more output, and/or the suricata.log, because I can't reproduce your first scenario.

And yes, you would have to run two dedicated instances since those are different runmodes.

Here I ran --pcap-file-recursive because --pcap-file-continuous sometimes fails, like mentioned here: Suricata exits with errors when running with -r and --pcap-file-continuous, but the issue remains the same.

Also, I tested this outside of Docker and the same happens: I always have to specify -l.

As you can see, it created the fast.log, eve.json etc. inside the pcaps directory. Here is my .yaml:

suricata -c /etc/suricata/suricata_offline.yaml --pcap-file-delete --pcap-file-recursive -r /etc/suricata/pcaps -vvvv
Notice: suricata: This is Suricata version 7.0.5 RELEASE running in USER mode [LogVersion:suricata.c:1146]
Info: cpu: CPUs/cores online: 2 [UtilCpuPrintSummary:util-cpu.c:182]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2682]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:200]
Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: app-layer-htp: 'default' server has 'request-body-minimal-inspect-size' set to 33847 and 'request-body-inspect-window' set to 4195 after randomization. [HTPConfigSetDefaultsPhase2:app-layer-htp.c:2570]
Config: app-layer-htp: 'default' server has 'response-body-minimal-inspect-size' set to 41483 and 'response-body-inspect-window' set to 15860 after randomization. [HTPConfigSetDefaultsPhase2:app-layer-htp.c:2583]
Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864 [suricata::smb::smb::rs_smb_register_parser:smb.rs:2428]
Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864 [suricata::smb::smb::rs_smb_register_parser:smb.rs:2430]
Config: app-layer-enip: Protocol detection and parser disabled for enip protocol. [RegisterENIPUDPParsers:app-layer-enip.c:538]
Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3. [RegisterDNP3Parsers:app-layer-dnp3.c:1571]
Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64 [HostInitConfig:host.c:256]
Config: host: preallocated 1000 hosts of size 136 [HostInitConfig:host.c:282]
Config: host: host memory usage: 398144 bytes, maximum: 33554432 [HostInitConfig:host.c:284]
Config: coredump-config: Core dump size is unlimited. [CoredumpLoadConfig:util-coredump-config.c:148]
Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: defrag-hash: allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56 [DefragInitConfig:defrag-hash.c:251]
Config: defrag-hash: preallocated 65535 defrag trackers of size 160 [DefragInitConfig:defrag-hash.c:280]
Config: defrag-hash: defrag memory usage: 14155616 bytes, maximum: 33554432 [DefragInitConfig:defrag-hash.c:287]
Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: flow: flow size 296, memcap allows for 453438 flows. Per hash row in perfect conditions 6 [FlowInitConfig:flow.c:675]
Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread) [StreamTcpInitConfig:stream-tcp.c:392]
Config: stream-tcp: stream "memcap": 67108864 [StreamTcpInitConfig:stream-tcp.c:412]
Config: stream-tcp: stream "midstream" session pickups: disabled [StreamTcpInitConfig:stream-tcp.c:420]
Config: stream-tcp: stream "async-oneside": disabled [StreamTcpInitConfig:stream-tcp.c:428]
Config: stream-tcp: stream "checksum-validation": enabled [StreamTcpInitConfig:stream-tcp.c:443]
Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]
Config: stream-tcp: stream."inline": disabled [StreamTcpInitConfig:stream-tcp.c:475]
Config: stream-tcp: stream "bypass": disabled [StreamTcpInitConfig:stream-tcp.c:488]
Config: stream-tcp: stream "max-syn-queued": 10 [StreamTcpInitConfig:stream-tcp.c:512]
Config: stream-tcp: stream "max-synack-queued": 5 [StreamTcpInitConfig:stream-tcp.c:525]
Config: stream-tcp: stream.reassembly "memcap": 268435456 [StreamTcpInitConfig:stream-tcp.c:546]
Config: stream-tcp: stream.reassembly "depth": 1048576 [StreamTcpInitConfig:stream-tcp.c:565]
Config: stream-tcp: stream.reassembly "toserver-chunk-size": 2640 [StreamTcpInitConfig:stream-tcp.c:637]
Config: stream-tcp: stream.reassembly "toclient-chunk-size": 2668 [StreamTcpInitConfig:stream-tcp.c:639]
Config: stream-tcp: stream.reassembly.raw: enabled [StreamTcpInitConfig:stream-tcp.c:652]
Config: stream-tcp: stream.liberal-timestamps: disabled [StreamTcpInitConfig:stream-tcp.c:661]
Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 2048 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:491]
Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8 [StreamTcpReassemblyConfig:stream-tcp-reassemble.c:514]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Config: runmodes: enabling 'eve-log' module 'alert' [RunModeInitializeEveOutput:runmodes.c:715]
Info: alert-syslog: Syslog output initialized [AlertSyslogInitCtx:alert-syslog.c:135]
Config: landlock: Landlock is not enabled in configuration [LandlockSandboxing:util-landlock.c:183]
Config: suricata: Delayed detect disabled [SetupDelayedDetect:suricata.c:2395]
Config: detect: pattern matchers: MPM: hs, SPM: hs [DetectEngineCtxInitReal:detect-engine.c:2496]
Config: detect: grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 [DetectEngineCtxLoadConf:detect-engine.c:2914]
Config: detect: grouping: udp-whitelist (default) 53, 135, 5060 [DetectEngineCtxLoadConf:detect-engine.c:2940]
Config: detect: prefilter engines: MPM [DetectEngineCtxLoadConf:detect-engine.c:2970]
Config: reputation: IP reputation disabled [SRepInit:reputation.c:612]
Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules [ProcessSigFiles:detect-engine-loader.c:258]
Info: detect-parse: Rule with ID 2001805 is bidirectional, but source and destination are the same, treating the rule as unidirectional [SigInit:detect-parse.c:2354]
Info: detect-parse: Rule with ID 2001259 is bidirectional, but source and destination are the same, treating the rule as unidirectional [SigInit:detect-parse.c:2354]
Info: detect-parse: Rule with ID 2009375 is bidirectional, but source and destination are the same, treating the rule as unidirectional [SigInit:detect-parse.c:2354]
Error: detect: Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range [DetectAddressMergeNot:detect-engine-address.c:1065]
Error: detect: error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)" from file /var/lib/suricata/rules/suricata.rules at line 3568 [DetectLoadSigFile:detect-engine-loader.c:183]
Error: detect: Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range [DetectAddressMergeNot:detect-engine-address.c:1065]
Error: detect: error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2019_07_26;)" from file /var/lib/suricata/rules/suricata.rules at line 37954 [DetectLoadSigFile:detect-engine-loader.c:183]
Error: detect: Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range [DetectAddressMergeNot:detect-engine-address.c:1065]
Error: detect: error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2019_07_26;)" from file /var/lib/suricata/rules/suricata.rules at line 37955 [DetectLoadSigFile:detect-engine-loader.c:183]
Info: detect: 1 rule files processed. 42692 rules successfully loaded, 3 rules failed, 0 [SigLoadSignatures:detect-engine-loader.c:363]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1045]
Info: detect: 42692 signatures processed. 1187 are IP-only rules, 4741 are inspecting packet payload, 36733 inspect application layer, 0 are decoder event only [SigAddressPrepareStage1:detect-engine-build.c:1499]
Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete [SigAddressPrepareStage1:detect-engine-build.c:1505]
Perf: detect: TCP toserver: 41 port groups, 40 unique SGH's, 1 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: TCP toclient: 21 port groups, 21 unique SGH's, 0 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toserver: 41 port groups, 39 unique SGH's, 2 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: UDP toclient: 21 port groups, 16 unique SGH's, 5 copies [RulesGroupByPorts:detect-engine-build.c:1293]
Perf: detect: OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies [RulesGroupByProto:detect-engine-build.c:1049]
Perf: detect: OTHER toclient: 254 proto groups, 3 unique SGH's, 251 copies [RulesGroupByProto:detect-engine-build.c:1082]
Perf: detect: Unique rule groups: 122 [SigAddressPrepareStage4:detect-engine-build.c:1858]
Perf: detect: Builtin MPM "toserver TCP packet": 29 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "toclient TCP packet": 19 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "toserver TCP stream": 31 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "toclient TCP stream": 20 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "toserver UDP packet": 39 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "toclient UDP packet": 16 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: Builtin MPM "other IP packet": 3 [MpmStoreReportStats:detect-engine-mpm.c:1468]
Perf: detect: AppLayer MPM "toserver http_uri (http)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_uri (http2)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_request_line (http)": 10 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 10 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_client_body (http)": 14 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 14 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_response_line (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_response_line (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_header (http)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_header (http)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_header (http2)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_header (http2)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_header_names (http)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_header_names (http)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 16 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept (http)": 8 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept (http2)": 8 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept_enc (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept_enc (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_referer (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_connection (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_connection (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_content_len (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_content_len (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http.server (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http.server (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http.location (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http.location (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_start (http)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_start (http)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_method (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_method (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_cookie (http)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_cookie (http)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 14 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 14 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_host (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_host (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_host (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_host (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_host (http)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver http_raw_host (http2)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_stat_code (http)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient http_stat_code (http2)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 6 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 4 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient tls.cert_fingerprint (tls)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.cert_fingerprint (tls)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient tls.certs (tls)": 3 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver tls.certs (tls)": 3 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver ja3.hash (tls)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver ja3.hash (quic)": 2 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient ja3s.hash (tls)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient ja3s.hash (quic)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (nfs)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (nfs)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (smb)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (smb)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (ftp)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (ftp)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (http)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (http)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toclient file_data (http2)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (http2)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Perf: detect: AppLayer MPM "toserver file_data (smtp)": 19 [MpmStoreReportStats:detect-engine-mpm.c:1475]
Config: tmqh-flow: AutoFP mode using "Hash" flow load balancer [TmqhFlowPrintAutofpHandler:tmqh-flow.c:92]
Info: pcap: Argument /etc/suricata/pcaps was a directory [ReceivePcapFileThreadInit:source-pcap-file.c:281]
Config: flow-manager: using 1 flow manager threads [FlowManagerThreadSpawn:flow-manager.c:948]
Config: flow-manager: using 1 flow recycler threads [FlowRecyclerThreadSpawn:flow-manager.c:1154]
Info: unix-manager: unix socket '/var/run/suricata-command.socket' [UnixNew:unix-manager.c:136]
Info: pcap: Starting directory run for /etc/suricata/pcaps [ReceivePcapFileLoop:source-pcap-file.c:183]
Info: pcap: Processing pcaps directory /etc/suricata/pcaps, files must be newer than 0 and older than 18446744073709550616 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Info: pcap: Found "/etc/suricata/pcaps/suricata.log" at 1714115695406 [PcapDirectoryPopulateBuffer:source-pcap-file-directory-helper.c:368]
Info: pcap: Found "/etc/suricata/pcaps/fast.log" at 1714115599874 [PcapDirectoryPopulateBuffer:source-pcap-file-directory-helper.c:368]
Info: pcap: Found "/etc/suricata/pcaps/eve.json" at 1714115599874 [PcapDirectoryPopulateBuffer:source-pcap-file-directory-helper.c:368]
Error: pcap: truncated dump file; tried to read 4 file header bytes, only got 0 [InitPcapFile:source-pcap-file-helper.c:207]
Warning: pcap: Failed to init pcap file /etc/suricata/pcaps/fast.log, skipping [PcapDirectoryDispatchForTimeRange:source-pcap-file-directory-helper.c:433]
Error: pcap: truncated dump file; tried to read 4 file header bytes, only got 0 [InitPcapFile:source-pcap-file-helper.c:207]
Warning: pcap: Failed to init pcap file /etc/suricata/pcaps/eve.json, skipping [PcapDirectoryDispatchForTimeRange:source-pcap-file-directory-helper.c:433]
Error: pcap: unknown file format [InitPcapFile:source-pcap-file-helper.c:207]
Warning: pcap: Failed to init pcap file /etc/suricata/pcaps/suricata.log, skipping [PcapDirectoryDispatchForTimeRange:source-pcap-file-directory-helper.c:433]
Info: pcap: Directory run mode complete [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:530]
Notice: threads: Threads created -> RX: 1 W: 2 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1901]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2806]
Info: suricata: time elapsed 0.072s [SCPrintElapsedTime:suricata.c:1166]
Perf: flow-manager: 0 flows processed [FlowRecycler:flow-manager.c:1123]
Notice: pcap: read 0 files, 0 packets, 0 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
Perf: tmqh-flow: AutoFP - Total flow handler queues - 2 [TmqhOutputFlowFreeCtx:tmqh-flow.c:218]
Info: counters: Alerts: 0 [StatsLogSummary:counters.c:878]
Perf: ippair: ippair memory usage: 414144 bytes, maximum: 16777216 [IPPairPrintStats:ippair.c:296]
Perf: host: host memory usage: 398144 bytes, maximum: 33554432 [HostPrintStats:host.c:299]

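The posted log shows what happens when the log directory ends up inside the directory given to -r: fast.log and eve.json are picked up as candidate captures and rejected with "truncated dump file; tried to read 4 file header bytes", and with --pcap-file-delete the input and output directories share one deletion scope. The pre-flight check below is an added example (not Suricata code and not from the thread): it reads the same 4 header bytes Suricata reads, flags files that are not pcap/pcapng, and reports whether the log directory resolves inside the pcap directory. File names, the constructed sample files and the `demo` helper are illustrative, not taken from the poster's setup.

```python
"""Pre-flight check for a directory fed to `suricata -r <dir> --pcap-file-continuous`.

Added example, not part of the forum thread or of Suricata itself.
"""
import tempfile
from pathlib import Path

# libpcap file magics (first 4 bytes), both byte orders, usec and nsec variants.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # pcap, little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # pcap, big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # pcap, little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # pcap, big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def classify_header(head: bytes) -> str:
    """Classify a file by the 4 header bytes Suricata reads first."""
    if len(head) < 4:
        return "truncated"  # the log's "tried to read 4 file header bytes, only got N"
    if head in PCAP_MAGICS:
        return "pcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"       # the log's "unknown file format"


def audit_pcap_dir(pcap_dir: str, log_dir: str) -> dict:
    """Report non-capture files in pcap_dir and whether log_dir is inside it.

    A log directory inside the pcap directory means every file Suricata
    writes is immediately a candidate for the next directory pass.
    """
    pcap_path = Path(pcap_dir).resolve()
    log_path = Path(log_dir).resolve()
    log_inside = log_path == pcap_path or pcap_path in log_path.parents
    rejected = {}
    for entry in sorted(pcap_path.iterdir()):
        if not entry.is_file():
            continue
        with open(entry, "rb") as fh:
            kind = classify_header(fh.read(4))
        if kind not in ("pcap", "pcapng"):
            rejected[entry.name] = kind
    return {"log_dir_inside_pcap_dir": log_inside, "rejected": rejected}


def demo() -> dict:
    """Build a constructed directory mirroring the posted log: one valid
    (packet-less) pcap plus fast.log, eve.json and suricata.log."""
    root = tempfile.mkdtemp(prefix="suricata-pcaps-")
    # Minimal valid pcap global header: magic, version 2.4, thiszone 0,
    # sigfigs 0, snaplen 65535, linktype 1 (Ethernet); no packet records.
    pcap_header = (b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00"
                   + b"\x00" * 8 + b"\xff\xff\x00\x00" + b"\x01\x00\x00\x00")
    Path(root, "capture.pcap").write_bytes(pcap_header)
    Path(root, "fast.log").write_bytes(b"")  # empty: "only got 0" in the log
    Path(root, "eve.json").write_bytes(b"")
    Path(root, "suricata.log").write_text("Notice: constructed sample line\n")
    # No -l given: log dir equals the pcap dir, as in the thread.
    return audit_pcap_dir(root, root)


if __name__ == "__main__":
    print(demo())
```

Running the check before starting the continuous run (or after changing `default-log-dir` / `-l`) tells you whether the two directories are separated and which stray files the directory scan would reject.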