[1839 - Suricata-Main] 2023-08-24 12:07:01 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: cpu: CPUs/cores online: 16
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: device: Adding interface enp1s0f0 from config file
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: device: Adding interface enp1s0f1 from config file
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: af-packet: Setting IPS mode
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: exception-policy: master exception-policy set to: ignore
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: app-layer-htp: 'default' server has 'request-body-minimal-inspect-size' set to 32923 and 'request-body-inspect-window' set to 4184 after randomization.
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: app-layer-htp: 'default' server has 'response-body-minimal-inspect-size' set to 40561 and 'response-body-inspect-window' set to 16374 after randomization.
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: app-layer-htp-mem: HTTP memcap: 12884901888
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: smb: read: max record size: 16777216, max queued chunks 64, max queued size 67108864
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: smb: write: max record size: 16777216, max queued chunks 64, max queued size 67108864
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: app-layer-enip: Protocol detection and parser disabled for enip protocol.
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: app-layer-dnp3: Protocol detection and parser disabled for DNP3.
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: ioctl: enp1s0f0: MTU 1500
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: ioctl: enp1s0f1: MTU 1500
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: host: allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: host: preallocated 1000 hosts of size 136
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: host: host memory usage: 398144 bytes, maximum: 33554432
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: coredump-config: Core dump size set to unlimited.
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: defrag.memcap-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: defrag-hash: allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: defrag-hash: preallocated 65535 defrag trackers of size 160
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: defrag-hash: defrag memory usage: 14155616 bytes, maximum: 33554432
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: flow.memcap-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: flow: flow size 296, memcap allows for 14510024 flows. Per hash row in perfect conditions 56
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "prealloc-sessions": 2048 (per thread)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "memcap": 12884901888
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "midstream" session pickups: disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "async-oneside": disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "checksum-validation": disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: stream.memcap-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: stream.reassembly.memcap-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch)
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream."inline": enabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "bypass": disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "max-syn-queued": 10
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream "max-synack-queued": 5
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.reassembly "memcap": 15032385536
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.reassembly "depth": 1048576
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.reassembly "toserver-chunk-size": 2673
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.reassembly "toclient-chunk-size": 2551
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.reassembly.raw: enabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp: stream.liberal-timestamps: disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp-reassemble: stream.reassembly "segment-prealloc": 200000
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: stream-tcp-reassemble: stream.reassembly "max-regions": 8
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: conf: Running in live mode, activating unix socket
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: logopenfile: fast output device (regular) initialized: fast.log
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'alert'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'frame'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'anomaly'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'http'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'dns'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'tls'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'files'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'smtp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'ftp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'rdp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'nfs'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'smb'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'tftp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'ike'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'dcerpc'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'krb5'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'bittorrent-dht'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'snmp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'rfb'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'sip'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'quic'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'dhcp'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'ssh'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'mqtt'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'http2'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'pgsql'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'stats'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: runmodes: enabling 'eve-log' module 'flow'
[1839 - Suricata-Main] 2023-08-24 12:07:01 Info: logopenfile: stats output device (regular) initialized: stats.log
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: suricata: Delayed detect disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: pattern matchers: MPM: hs, SPM: hs
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: grouping: udp-whitelist (default) 53, 135, 5060
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: prefilter engines: MPM
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: reputation: IP reputation disabled
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: Loading rule file: /var/lib/suricata/rules/suricata.rules
[1839 - Suricata-Main] 2023-08-24 12:07:01 Config: detect: Loading rule file: /etc/suricata/etpro.rules
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Mal/Simda-C Install"; http.uri; content:"/key.bin"; fast_pattern; http.referer; http.referer; content:"http://www.google.com"; reference:md5,eb127f640c1c6008eac4f019d4c465e1; classtype:trojan-activity; sid:2804408; rev:5; metadata:created_at 2012_01_25, updated_at 2020_08_17;)" from file /etc/suricata/etpro.rules at line 2302
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Banker.Win32.Banbra Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/enviador.php"; nocase; http.header; http.request_body; content:"titulo="; nocase; depth:7; content:"INFECTADO =="; nocase; fast_pattern; content:"==&texto="; nocase; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2810735; rev:3; metadata:created_at 2015_04_22, former_category MALWARE, updated_at 2020_05_21;)" from file /etc/suricata/etpro.rules at line 3648
[1839 - Suricata-Main] 2023-08-24 12:07:02 Warning: detect: duplicate instance for http_client_body in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Downeks CnC Beacon"; flow:to_server,established; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.start; content:"POST / HTTP/1.1|0d 0a|Host"; fast_pattern; depth:23; http.content_len; byte_test:0,>=,20,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; http.host; content:!"api.logentries.com"; content:!"google.com"; http.request_body; content:!"AAEAAAAA"; startswith; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,00494be3583a013920f469999321fae5; classtype:command-and-control; sid:2811429; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)'
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; http.accept; content:"*/*"; http.connection; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_08_17;)" from file /etc/suricata/etpro.rules at line 4561
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE SteamStealer Item Value Check"; flow:established,to_server; http.uri; content:"/ParseInv?id="; depth:13; fast_pattern; content:"&app="; distance:0; content:"&callback="; distance:0; http.referer; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:md5,e7912595e90b45ae8a44c2de6cc13d9d; classtype:trojan-activity; sid:2816116; rev:3; metadata:created_at 2016_02_09, updated_at 2020_06_23;)" from file /etc/suricata/etpro.rules at line 4829
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Win32.Pasta.IK Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; http.accept; http.accept; content:"*/*"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Host|0d 0a|"; depth:28; classtype:command-and-control; sid:2803267; rev:6; metadata:created_at 2011_07_26, former_category MALWARE, updated_at 2022_05_03;)" from file /etc/suricata/etpro.rules at line 4879
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert dns $HOME_NET any -> any any (msg:"ETPRO MALWARE LokiBot CnC DNS Lookup (lokipanel)"; dns.query; dns.query; content:"lokipanel"; fast_pattern; pcre:"/^[a-z0-9]*lokipanel[a-z0-9]*\.[a-z]{2,10}$/i"; reference:md5,68347633cbdd1aea35e4d04052564f71; classtype:command-and-control; sid:2831006; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_24, deployment Perimeter, former_category MALWARE, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)" from file /etc/suricata/etpro.rules at line 5013
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader/Win.MalXll.R466354 Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intelpro/"; startswith; content:".exe"; endswith; within:10; http.accept; content:"|2a 2f 2a|"; http.header; http.connection; content:"Keep-Alive"; bsize:10; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:md5,70cf3943b421f495fe56a9573d513eba; reference:url,asec.ahnlab.com/ko/34497/; classtype:trojan-activity; sid:2036681; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_25;)" from file /etc/suricata/etpro.rules at line 5207
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor EXE Download Common Header Order"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.user_agent; content:"MSIE"; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:76; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:5; metadata:created_at 2014_03_12, updated_at 2020_08_17;)" from file /etc/suricata/etpro.rules at line 5322
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webhp"; nocase; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; depth:34; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013076; rev:10; metadata:created_at 2011_06_22, former_category MALWARE, updated_at 2020_08_18;)" from file /etc/suricata/etpro.rules at line 5364
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Win32/AveMaria CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; http.referer; content:"https|3a|//"; http.accept_enc; content:"identity"; startswith; http.request_body; content:"client="; startswith; content:"email="; distance:0; content:"&main_domain="; distance:0; fast_pattern; content:"&password="; distance:0; reference:md5,5b078351e74f7e94f7e7232e6ed9761a; classtype:trojan-activity; sid:2851549; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_28;)" from file /etc/suricata/etpro.rules at line 5378
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:02 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE Malicious Second Stage Payload Request 2021-02-23"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/base/"; fast_pattern; content:".html"; distance:32; within:5; endswith; pcre:"/\/base\/[A-F0-9]{32}\.html$/s"; http.header; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,1a08a3826d57d19d0bdc7f3413ee46c3; classtype:trojan-activity; sid:2847257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_23;)" from file /etc/suricata/etpro.rules at line 7238
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PSW.Win32.Stealer.sb CnC"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET /AH/ HTTP/1.0"; fast_pattern; http.header; pcre:"/^Referer\x3a\x20[a-zA-Z0-9_\-.]+\x28[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]\x29\w+\x0d\x0a/"; http.header; content:"Referer"; http.connection; content:"Keep-Alive"; reference:md5,b6796c1e9e454517c14da454c23c0ef5; classtype:command-and-control; sid:2036962; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Error: detect: previous sticky buffer has no matches
[1839 - Suricata-Main] 2023-08-24 12:07:03 Error: detect: error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; http.content_type; content:"image|2f|"; depth:6; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_18;)" from file /etc/suricata/etpro.rules at line 9060
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_uri in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE MSIL/MythBot Registering New Bot with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?pass="; http.uri; content:"&command=RegisterNewMachine"; fast_pattern; endswith; reference:md5,e020be817ad47f02e75b230cf2cc7131; classtype:command-and-control; sid:2840612; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family MythBot, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_uri in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE MSIL/MythBot Updating IRC Status"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pass="; http.uri; content:"&command=UpdateHTTPIRCStatus"; distance:0; fast_pattern; reference:md5,e020be817ad47f02e75b230cf2cc7131; classtype:command-and-control; sid:2840613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family MythBot, performance_impact Low, signature_severity Major, updated_at 2020_01_23;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_header in 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Fake 404 Credential Phish Landing Page"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-Powered-By: PHP"; http.header; content:"PHPSESSID="; startswith; file.data; content:"404 Not Found

The requested URL was not found on this server.

"; fast_pattern; reference:url,github.com/phish-report/IOK; classtype:credential-theft; sid:2038494; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_11, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_08_11;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO INFO MalDoc Request for Payload Aug 17 2016"; flow:established,to_server; urilen:4<>50; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; pcre:"/^\/[A-Za-z0-9]{5,15}(?:\?[A-Za-z0-9]{5,15}=[A-Za-z0-9]{5,15})?$/"; http.header; content:"Accept-Language|3a 20|en-us|0d 0a|"; nocase; http.header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20en-us\r\nUser-Agent\x3a\x20[^\r\n]+\r\n(?:UA-CPU\x3a\x20[^\r\n]+\r\n)?Accept-Encoding[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nConnection[^\r\n]+\r\n(?:\r\n)?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,17184afb9c9f4010381ccf03ccbe3fd9; classtype:trojan-activity; sid:2821731; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_08_03;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Warning: detect: duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO EXPLOIT_KIT Nuclear EK Flash Exploit IE Dec 03 2015 M1"; flow:established,to_server; urilen:>15; flowbits:set,NuclearEK; http.header; content:"x-flash-version|3a|"; fast_pattern; http.uri; content:!".flv"; nocase; content:!".swf"; nocase; content:!"/crossdomain.xml"; nocase; pcre:"/[&?][a-z]{3,20}=\d{10,12}(?:$|&)/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P[^\x3a\x2f\r\n]+)[^\r\n]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/Referer\x3a\x20http\x3a\x2f+[^\x2f]+\x2f[^\r\n]*?(?:\[\[DYNAMIC\]\]|\.(?:flv|swf))/i"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2815183; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_12_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_12;)'
[1839 - Suricata-Main] 2023-08-24 12:07:03 Info: detect: 2 rule files processed. 13067 rules successfully loaded, 12 rules failed
[1839 - Suricata-Main] 2023-08-24 12:07:03 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[1839 - Suricata-Main] 2023-08-24 12:07:03 Info: detect: 13067 signatures processed. 0 are IP-only rules, 2043 are inspecting packet payload, 10829 inspect application layer, 108 are decoder event only
[1839 - Suricata-Main] 2023-08-24 12:07:03 Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: TCP toclient: 21 port groups, 15 unique SGH's, 6 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: UDP toserver: 41 port groups, 21 unique SGH's, 20 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: UDP toclient: 14 port groups, 8 unique SGH's, 6 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Unique rule groups: 83
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toserver TCP packet": 27
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toclient TCP packet": 11
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toserver TCP stream": 18
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toclient TCP stream": 11
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toserver UDP packet": 21
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "toclient UDP packet": 8
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: Builtin MPM "other IP packet": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_uri (http)": 12
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 12
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_raw_uri (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_raw_uri (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_request_line (http)": 6
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_request_line (http2)": 6
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_client_body (http)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_client_body (http2)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_header (http)": 14
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_header (http)": 14
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_header (http2)": 14
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_header (http2)": 14
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_header_names (http)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_header_names (http)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_header_names (http2)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_header_names (http2)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_accept (http)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_accept (http2)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_accept_lang (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_accept_lang (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_referer (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_referer (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_connection (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_connection (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_connection (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_connection (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_content_len (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_content_len (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_content_len (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_content_len (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_content_type (http)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_content_type (http2)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_content_type (http)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_content_type (http2)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http.location (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http.location (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_protocol (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_protocol (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_protocol (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_protocol (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_start (http)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_start (http)": 5
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_raw_header (http)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_raw_header (http)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_raw_header (http2)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_raw_header (http2)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_method (http)": 6
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_method (http2)": 6
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_cookie (http)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_cookie (http)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_cookie (http2)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient http_cookie (http2)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_host (http)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver http_host (http2)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver dns_query (dns)": 1
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 2
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver tls.sni (tls)": 1
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver tls.cert_issuer (tls)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient tls.cert_issuer (tls)": 4
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver tls.cert_subject (tls)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient tls.cert_subject (tls)": 3
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient tls.cert_serial (tls)": 1
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver tls.cert_serial (tls)": 1
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (nfs)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (nfs)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (smb)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (smb)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (ftp)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (ftp)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (http)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (http)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toclient file_data (http2)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (http2)": 10
[1839 - Suricata-Main] 2023-08-24 12:07:03 Perf: detect: AppLayer MPM "toserver file_data (smtp)": 10
[1839 - Suricata-Main] 2023-08-24
12:07:09 Info: af-packet: enp1s0f0: AF_PACKET IPS mode activated enp1s0f0->enp1s0f1 [1839 - Suricata-Main] 2023-08-24 12:07:09 Config: af-packet: enp1s0f0: using queue based cluster mode for AF_PACKET [1839 - Suricata-Main] 2023-08-24 12:07:09 Info: runmodes: enp1s0f0: creating 4 threads [1839 - Suricata-Main] 2023-08-24 12:07:09 Info: af-packet: enp1s0f1: AF_PACKET IPS mode activated enp1s0f1->enp1s0f0 [1839 - Suricata-Main] 2023-08-24 12:07:09 Config: af-packet: enp1s0f1: using queue based cluster mode for AF_PACKET [1839 - Suricata-Main] 2023-08-24 12:07:09 Info: runmodes: enp1s0f1: creating 4 threads [1845 - W#01-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f1: MTU 1500 [1845 - W#01-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f0: MTU 1500 [1846 - W#02-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f1: MTU 1500 [1846 - W#02-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f0: MTU 1500 [1847 - W#03-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f1: MTU 1500 [1847 - W#03-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f0: MTU 1500 [1848 - W#04-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f1: MTU 1500 [1848 - W#04-enp1s0f1] 2023-08-24 12:07:09 Info: ioctl: enp1s0f0: MTU 1500 [1839 - Suricata-Main] 2023-08-24 12:07:09 Config: flow-manager: using 1 flow manager threads [1839 - Suricata-Main] 2023-08-24 12:07:09 Config: flow-manager: using 1 flow recycler threads [1839 - Suricata-Main] 2023-08-24 12:07:09 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [1839 - Suricata-Main] 2023-08-24 12:07:09 Info: unix-manager: created socket directory /var/run/suricata/ [1841 - W#01-enp1s0f0] 2023-08-24 12:07:09 Perf: af-packet: enp1s0f0: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1842 - W#02-enp1s0f0] 2023-08-24 12:07:09 Perf: af-packet: enp1s0f0: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1843 - W#03-enp1s0f0] 2023-08-24 12:07:09 Perf: af-packet: enp1s0f0: rx ring: 
block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1844 - W#04-enp1s0f0] 2023-08-24 12:07:10 Perf: af-packet: enp1s0f0: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1845 - W#01-enp1s0f1] 2023-08-24 12:07:10 Perf: af-packet: enp1s0f1: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1846 - W#02-enp1s0f1] 2023-08-24 12:07:10 Perf: af-packet: enp1s0f1: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1847 - W#03-enp1s0f1] 2023-08-24 12:07:10 Perf: af-packet: enp1s0f1: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1848 - W#04-enp1s0f1] 2023-08-24 12:07:10 Perf: af-packet: enp1s0f1: rx ring: block_size=32768 block_nr=10001 frame_size=1600 frame_nr=200020 [1839 - Suricata-Main] 2023-08-24 12:07:10 Notice: threads: Threads created -> W: 8 FM: 1 FR: 1 Engine started. [1839 - Suricata-Main] 2023-08-24 12:11:13 Notice: suricata: Signal Received. Stopping engine. [1839 - Suricata-Main] 2023-08-24 12:11:14 Info: suricata: time elapsed 245.210s [1850 - FR#01] 2023-08-24 12:11:15 Perf: flow-manager: 2024695 flows processed [1841 - W#01-enp1s0f0] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f0: (W#01-enp1s0f0) kernel: Packets 12138195, dropped 3760599 [1842 - W#02-enp1s0f0] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f0: (W#02-enp1s0f0) kernel: Packets 12098146, dropped 3814124 [1843 - W#03-enp1s0f0] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f0: (W#03-enp1s0f0) kernel: Packets 12163964, dropped 3725195 [1844 - W#04-enp1s0f0] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f0: (W#04-enp1s0f0) kernel: Packets 12229230, dropped 3921010 [1845 - W#01-enp1s0f1] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f1: (W#01-enp1s0f1) kernel: Packets 9312569, dropped 3009932 [1846 - W#02-enp1s0f1] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f1: (W#02-enp1s0f1) kernel: Packets 9338670, dropped 3032845 [1847 - W#03-enp1s0f1] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f1: (W#03-enp1s0f1) 
kernel: Packets 9364303, dropped 3098160 [1848 - W#04-enp1s0f1] 2023-08-24 12:11:15 Perf: af-packet: enp1s0f1: (W#04-enp1s0f1) kernel: Packets 9423072, dropped 3081539 [1839 - Suricata-Main] 2023-08-24 12:11:15 Info: counters: Alerts: 336125 [1839 - Suricata-Main] 2023-08-24 12:11:15 Perf: ippair: ippair memory usage: 414144 bytes, maximum: 16777216 [1839 - Suricata-Main] 2023-08-24 12:11:15 Perf: host: host memory usage: 398144 bytes, maximum: 33554432 [1839 - Suricata-Main] 2023-08-24 12:11:15 Notice: device: enp1s0f0: packets: 48629535, drops: 15220928 (31.30%), invalid chksum: 0 [1839 - Suricata-Main] 2023-08-24 12:11:15 Notice: device: enp1s0f1: packets: 37438614, drops: 12222476 (32.65%), invalid chksum: 0