Startup the Suricata service with the prescribed pcap
+ echo Startup the Suricata service with the prescribed pcap
+ sudo suricata -vvvv -l /var/log/suricata --runmode single -c /vagrant/testingfiles/BuildScriptsCI/suricata_tests_config.yaml -r /vagrant/testingfiles/alert-testmyids-async.pcap
22/2/2023 -- 10:48:52 - - This is Suricata version 6.0.8 RELEASE running in USER mode
22/2/2023 -- 10:48:52 - - CPUs/cores online: 2
22/2/2023 -- 10:48:52 - - app-layer.error-policy: ignore
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - 'default' server has 'request-body-minimal-inspect-size' set to 32964 and 'request-body-inspect-window' set to 4245 after randomization.
22/2/2023 -- 10:48:52 - - 'default' server has 'response-body-minimal-inspect-size' set to 32073 and 'response-body-inspect-window' set to 4253 after randomization.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol tls enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - no TLS config found, enabling TLS detection on port 443.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dcerpc enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dcerpc enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol smb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - no SMB TCP config found, enabling SMB detection on port 445.
22/2/2023 -- 10:48:52 - - SMB stream depth: 0
22/2/2023 -- 10:48:52 - - SMB max-read-size: 0
22/2/2023 -- 10:48:52 - - SMB max-write-size: 0
22/2/2023 -- 10:48:52 - - SMB max-write-queue-size: 0
22/2/2023 -- 10:48:52 - - SMB max-write-queue-cnt: 0
22/2/2023 -- 10:48:52 - - SMB max-read-queue-size: 0
22/2/2023 -- 10:48:52 - - SMB max-read-queue-cnt: 0
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ftp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ssh enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ssh enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol smtp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dns enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dns enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol modbus enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol enip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol enip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dnp3 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol nfs enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol nfs enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ntp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol tftp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ikev2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol krb5 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol krb5 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dhcp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol snmp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
22/2/2023 -- 10:48:52 - - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/2/2023 -- 10:48:52 - - preallocated 1000 hosts of size 136
22/2/2023 -- 10:48:52 - - host memory usage: 398144 bytes, maximum: 16777216
22/2/2023 -- 10:48:52 - - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
22/2/2023 -- 10:48:52 - - defrag.memcap-policy: ignore
22/2/2023 -- 10:48:52 - - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
22/2/2023 -- 10:48:52 - - defrag memory usage: 229376 bytes, maximum: 16777216
22/2/2023 -- 10:48:52 - - flow.memcap-policy: ignore
22/2/2023 -- 10:48:52 - - flow size 320, memcap allows for 0 flows. Per hash row in perfect conditions 0
22/2/2023 -- 10:48:52 - - stream "prealloc-sessions": 2048 (per thread)
22/2/2023 -- 10:48:52 - - stream "memcap": 67108864
22/2/2023 -- 10:48:52 - - stream "midstream" session pickups: disabled
22/2/2023 -- 10:48:52 - - stream "async-oneside": disabled
22/2/2023 -- 10:48:52 - - stream "checksum-validation": enabled
22/2/2023 -- 10:48:52 - - stream.memcap-policy: ignore
22/2/2023 -- 10:48:52 - - stream.reassembly.memcap-policy: ignore
22/2/2023 -- 10:48:52 - - stream.midstream-policy: ignore
22/2/2023 -- 10:48:52 - - memcap-policy: 0/0
22/2/2023 -- 10:48:52 - - stream."inline": disabled
22/2/2023 -- 10:48:52 - - stream "bypass": disabled
22/2/2023 -- 10:48:52 - - stream "max-synack-queued": 5
22/2/2023 -- 10:48:52 - - stream.reassembly "memcap": 268435456
22/2/2023 -- 10:48:52 - - stream.reassembly "depth": 0
22/2/2023 -- 10:48:52 - - stream.reassembly "toserver-chunk-size": 2611
22/2/2023 -- 10:48:52 - - stream.reassembly "toclient-chunk-size": 2616
22/2/2023 -- 10:48:52 - - stream.reassembly.raw: enabled
22/2/2023 -- 10:48:52 - - stream.reassembly "segment-prealloc": 2048
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_STATS_LOG_GENERIC(278)] - global stats config is missing. Stats enabled through legacy stats.log. See https://suricata.readthedocs.io/en/suricata-6.0.8/configuration/suricata-yaml.html#stats
22/2/2023 -- 10:48:52 - - fast output device (regular) initialized: fast.log
22/2/2023 -- 10:48:52 - - eve-log output device (regular) initialized: eve.json
22/2/2023 -- 10:48:52 - - enabling 'eve-log' module 'alert'
22/2/2023 -- 10:48:52 - - stats output device (regular) initialized: stats.log
22/2/2023 -- 10:48:52 - - enabling script alerts.lua
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open /etc/suricata/alerts.lua: No such file or directory
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't initialize script
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "lua": setup failed
22/2/2023 -- 10:48:52 - - Delayed detect disabled
22/2/2023 -- 10:48:52 - - pattern matchers: MPM: ac, SPM: bm
22/2/2023 -- 10:48:52 - - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/2/2023 -- 10:48:52 - - grouping: udp-whitelist (default) 53, 135, 5060
22/2/2023 -- 10:48:52 - - prefilter engines: MPM
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_uri
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_uri
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_uri
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_uri
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_request_line
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_client_body
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_response_line
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header_names
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header_names
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header_names
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_header_names
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept_enc
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept_enc
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept_lang
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_accept_lang
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_referer
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_referer
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_connection
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_connection
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_len
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_len
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_len
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_len
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_type
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_type
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_type
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_content_type
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http.server
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http.server
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http.location
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http.location
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_protocol
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_protocol
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_start
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_start
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_method
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_method
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_cookie
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_cookie
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_cookie
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_cookie
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file.magic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_user_agent
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_user_agent
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_host
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_host
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_host
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_raw_host
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_stat_msg
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_stat_code
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http_stat_code
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http2_header_name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http2_header_name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http2_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for http2_header
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dns_query
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dnp3_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dnp3_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.sni
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.cert_issuer
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.cert_subject
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.cert_serial
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.cert_fingerprint
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tls.certs
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ja3.hash
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ja3.string
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ja3s.hash
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ja3s.string
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dce_stub_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dce_stub_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dce_stub_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for dce_stub_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for smb_named_pipe
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for smb_share
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.proto
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.proto
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh_software
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh_software
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.hassh
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.hassh.server
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.hassh.string
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ssh.hassh.server.string
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for file_data
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for krb5_cname
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for krb5_sname
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.method
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.uri
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.protocol
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.protocol
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.method
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.stat_msg
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.request_line
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for sip.response_line
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for rfb.name
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for snmp.community
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for snmp.community
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.connect.clientid
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.connect.username
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.connect.password
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.connect.willtopic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.connect.willmessage
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.publish.topic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.publish.message
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.subscribe.topic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for mqtt.unsubscribe.topic
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for icmpv4.hdr
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for tcp.hdr
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for udp.hdr
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for icmpv6.hdr
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ipv4.hdr
22/2/2023 -- 10:48:52 - - using shared mpm ctx' for ipv6.hdr
22/2/2023 -- 10:48:52 - - IP reputation disabled
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/detector.rules
22/2/2023 -- 10:48:52 - - No rules loaded from /etc/suricata/detector.rules.
22/2/2023 -- 10:48:52 - - Loading rule file: /etc/suricata/emerging.rules
22/2/2023 -- 10:48:52 - - Rule with ID 2001805 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2001241 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2001242 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2001243 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2001260 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 858
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 1114
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 2822
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 2824
22/2/2023 -- 10:48:52 - - Rule with ID 2001406 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2101854 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2101855 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - Rule with ID 2101856 is bidirectional, but source and destination are the same, treating the rule as unidirectional
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7198
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7200
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7202
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7204
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7206
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7208
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_10, updated_at 2011_11_10;)" from file /etc/suricata/emerging.rules at line 13892
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 18102
22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL.
Probably have a !any or an address range that supplies a NULL address range 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 18782 22/2/2023 -- 10:48:52 - - Rule with ID 2001259 is bidirectional, but source and destination are the same, treating the rule as unidirectional 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - keyword 'ssh.softwareversion' is deprecated and will be removed soon. Use 'ssh.software' instead. See https://suricata-ids.org/about/deprecation-policy/ 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - keyword 'ssh.softwareversion' is deprecated and will be removed soon. Use 'ssh.software' instead. See https://suricata-ids.org/about/deprecation-policy/ 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 23020 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 25912 22/2/2023 -- 10:48:52 - - Rule with ID 2001407 is bidirectional, but source and destination are the same, treating the rule as unidirectional 22/2/2023 -- 10:48:52 - - Rule with ID 2001408 is bidirectional, but source and destination are the same, treating the rule as unidirectional 22/2/2023 -- 10:48:52 - - Rule with ID 2026440 is bidirectional, but source and destination are the same, treating the rule as unidirectional 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:5; metadata:created_at 2010_10_12, updated_at 2019_09_03;)" from file /etc/suricata/emerging.rules at line 38180 22/2/2023 -- 10:48:52 - - Rule with ID 2009375 is bidirectional, but source and destination are the same, treating the rule as unidirectional 22/2/2023 -- 10:48:52 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/site.rules 22/2/2023 -- 10:48:52 - - No rules loaded from /etc/suricata/site.rules. 22/2/2023 -- 10:48:52 - - 3 rule files processed. 30928 rules successfully loaded, 16 rules failed 22/2/2023 -- 10:48:53 - - Threshold config parsed: 0 rule(s) found 22/2/2023 -- 10:48:53 - - using shared mpm ctx' for tcp-packet 22/2/2023 -- 10:48:53 - - using shared mpm ctx' for tcp-stream 22/2/2023 -- 10:48:53 - - using shared mpm ctx' for udp-packet 22/2/2023 -- 10:48:53 - - using shared mpm ctx' for other-ip 22/2/2023 -- 10:48:53 - - 30939 signatures processed. 44 are IP-only rules, 8679 are inspecting packet payload, 21983 inspect application layer, 1 are decoder event only 22/2/2023 -- 10:48:53 - - building signature grouping structure, stage 1: preprocessing rules... complete 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 1 other sigs 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'realplayer.playlist' is checked but not set. 
Checked in 2102438 and 2 other sigs 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Excel' is checked but not set. Checked in 2023046 and 0 other sigs 22/2/2023 -- 10:48:53 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs 22/2/2023 -- 10:48:53 - - TCP toserver: 41 port groups, 35 unique SGH's, 6 copies 22/2/2023 -- 10:48:53 - - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies 22/2/2023 -- 10:48:53 - - UDP toserver: 41 port groups, 36 unique SGH's, 5 copies 22/2/2023 -- 10:48:53 - - UDP toclient: 21 port groups, 18 unique SGH's, 3 copies 22/2/2023 -- 10:48:53 - - OTHER toserver: 254 proto groups, 6 unique SGH's, 248 copies 22/2/2023 -- 10:48:53 - - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies 22/2/2023 -- 10:48:53 - - Unique rule groups: 116 22/2/2023 -- 10:48:53 - - Builtin MPM "toserver TCP packet": 32 22/2/2023 -- 10:48:53 - - Builtin MPM "toclient TCP packet": 20 22/2/2023 -- 10:48:53 - - Builtin MPM "toserver TCP stream": 33 22/2/2023 -- 10:48:53 - - Builtin MPM "toclient TCP stream": 21 22/2/2023 -- 10:48:53 - - Builtin MPM "toserver UDP packet": 34 22/2/2023 -- 10:48:53 - - Builtin MPM "toclient UDP packet": 18 22/2/2023 -- 10:48:53 - - Builtin MPM "other IP packet": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_uri (http)": 9 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_uri (http2)": 9 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_raw_uri (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_raw_uri (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_request_line (http)": 2 
22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_client_body (http)": 9 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_response_line (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_header (http)": 11 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_header (http)": 11 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_header (http2)": 11 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_header (http2)": 11 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_header_names (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_header_names (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_header_names (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_header_names (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept_enc (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept_enc (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept_lang (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_accept_lang (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_referer (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_referer (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_content_len (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_content_len (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_content_len (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_content_len (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_content_type (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_content_type (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_content_type (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_content_type (http2)": 2 22/2/2023 
-- 10:48:53 - - AppLayer MPM "toserver http_protocol (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_protocol (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_start (http)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_start (http)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_raw_header (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_raw_header (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_raw_header (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_raw_header (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_method (http)": 4 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_method (http2)": 4 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_cookie (http)": 3 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_cookie (http)": 3 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_cookie (http2)": 3 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_cookie (http2)": 3 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_user_agent (http)": 6 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_user_agent (http2)": 6 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_host (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver http_host (http2)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_stat_msg (http)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_stat_code (http)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient http_stat_code (http2)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver dns_query (dns)": 4 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver tls.sni (tls)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient tls.cert_issuer (tls)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient tls.cert_subject (tls)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient tls.cert_serial (tls)": 1 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver ssh.proto (ssh)": 2 22/2/2023 -- 10:48:53 - - 
AppLayer MPM "toclient ssh.proto (ssh)": 2 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver file_data (smtp)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient file_data (http)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver file_data (smb)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient file_data (smb)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toserver file_data (http2)": 5 22/2/2023 -- 10:48:53 - - AppLayer MPM "toclient file_data (http2)": 5 22/2/2023 -- 10:48:54 - - using 1 flow manager threads 22/2/2023 -- 10:48:54 - - using 1 flow recycler threads 22/2/2023 -- 10:48:54 - - all 1 packet processing threads, 4 management threads initialized, engine started. 22/2/2023 -- 10:48:54 - - Starting file run for /vagrant/testingfiles/alert-testmyids-async.pcap 22/2/2023 -- 10:48:54 - - pcap file /vagrant/testingfiles/alert-testmyids-async.pcap end of file reached (pcap err code 0) 22/2/2023 -- 10:48:54 - - Signal Received. Stopping engine. 22/2/2023 -- 10:48:54 - - 0 new flows, 0 established flows were timed out, 0 flows in closed state 22/2/2023 -- 10:48:54 - - time elapsed 0.035s 22/2/2023 -- 10:48:54 - - 1 flows processed 22/2/2023 -- 10:48:54 - - Pcap-file module read 1 files, 4 packets, 495 bytes 22/2/2023 -- 10:48:54 - - Alerts: 2 22/2/2023 -- 10:48:54 - - ippair memory usage: 414144 bytes, maximum: 16777216 22/2/2023 -- 10:48:54 - - host memory usage: 398144 bytes, maximum: 16777216 22/2/2023 -- 10:48:54 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details. 22/2/2023 -- 10:48:54 - - cleaning up signature grouping structure... complete