Startup the Suricata service with the prescribed pcap
+ echo Startup the Suricata service with the prescribed pcap
+ sudo suricata -vvvv -l /var/log/suricata --runmode single -c /vagrant/testingfiles/BuildScriptsCI/suricata_tests_config.yaml -r /vagrant/testingfiles/alert-testmyids-async.pcap
27/2/2023 -- 12:04:44 - - This is Suricata version 6.0.10 RELEASE running in USER mode
27/2/2023 -- 12:04:44 - - CPUs/cores online: 2
27/2/2023 -- 12:04:44 - - app-layer.error-policy: ignore
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - 'default' server has 'request-body-minimal-inspect-size' set to 31772 and 'request-body-inspect-window' set to 4141 after randomization.
27/2/2023 -- 12:04:44 - - 'default' server has 'response-body-minimal-inspect-size' set to 34081 and 'response-body-inspect-window' set to 4070 after randomization.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol tls enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - no TLS config found, enabling TLS detection on port 443.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dcerpc enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dcerpc enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol smb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - no SMB TCP config found, enabling SMB detection on port 445.
27/2/2023 -- 12:04:44 - - SMB stream depth: 0
27/2/2023 -- 12:04:44 - - SMB max-read-size: 0
27/2/2023 -- 12:04:44 - - SMB max-write-size: 0
27/2/2023 -- 12:04:44 - - SMB max-write-queue-size: 0
27/2/2023 -- 12:04:44 - - SMB max-write-queue-cnt: 0
27/2/2023 -- 12:04:44 - - SMB max-read-queue-size: 0
27/2/2023 -- 12:04:44 - - SMB max-read-queue-cnt: 0
27/2/2023 -- 12:04:44 - - read: max record size: 0, max queued chunks 0, max queued size 0
27/2/2023 -- 12:04:44 - - write: max record size: 0, max queued chunks 0, max queued size 0
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ftp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ssh enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ssh enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol smtp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dns enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dns enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol modbus enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol enip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol enip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dnp3 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol nfs enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol nfs enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ntp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol tftp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ikev2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol krb5 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol krb5 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol dhcp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol snmp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
27/2/2023 -- 12:04:44 - - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
27/2/2023 -- 12:04:44 - - preallocated 1000 hosts of size 136
27/2/2023 -- 12:04:44 - - host memory usage: 398144 bytes, maximum: 16777216
27/2/2023 -- 12:04:44 - - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
27/2/2023 -- 12:04:44 - - defrag.memcap-policy: ignore
27/2/2023 -- 12:04:44 - - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
27/2/2023 -- 12:04:44 - - defrag memory usage: 229376 bytes, maximum: 16777216
27/2/2023 -- 12:04:44 - - flow.memcap-policy: ignore
27/2/2023 -- 12:04:44 - - flow size 320, memcap allows for 0 flows. Per hash row in perfect conditions 0
27/2/2023 -- 12:04:44 - - stream "prealloc-sessions": 2048 (per thread)
27/2/2023 -- 12:04:44 - - stream "memcap": 67108864
27/2/2023 -- 12:04:44 - - stream "midstream" session pickups: disabled
27/2/2023 -- 12:04:44 - - stream "async-oneside": disabled
27/2/2023 -- 12:04:44 - - stream "checksum-validation": enabled
27/2/2023 -- 12:04:44 - - stream.memcap-policy: ignore
27/2/2023 -- 12:04:44 - - stream.reassembly.memcap-policy: ignore
27/2/2023 -- 12:04:44 - - memcap-policy: 0/0
27/2/2023 -- 12:04:44 - - stream.midstream-policy: ignore
27/2/2023 -- 12:04:44 - - stream."inline": disabled
27/2/2023 -- 12:04:44 - - stream "bypass": disabled
27/2/2023 -- 12:04:44 - - stream "max-synack-queued": 5
27/2/2023 -- 12:04:44 - - stream.reassembly "memcap": 268435456
27/2/2023 -- 12:04:44 - - stream.reassembly "depth": 0
27/2/2023 -- 12:04:44 - - stream.reassembly "toserver-chunk-size": 2530
27/2/2023 -- 12:04:44 - - stream.reassembly "toclient-chunk-size": 2485
27/2/2023 -- 12:04:44 - - stream.reassembly.raw: enabled
27/2/2023 -- 12:04:44 - - stream.reassembly "segment-prealloc": 2048
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_STATS_LOG_GENERIC(278)] - global stats config is missing. Stats enabled through legacy stats.log. See https://suricata.readthedocs.io/en/suricata-6.0.10/configuration/suricata-yaml.html#stats
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry: After CoreDumpEnable.
27/2/2023 -- 12:04:44 - - fast output device (regular) initialized: fast.log
27/2/2023 -- 12:04:44 - - eve-log output device (regular) initialized: eve.json
27/2/2023 -- 12:04:44 - - enabling 'eve-log' module 'alert'
27/2/2023 -- 12:04:44 - - stats output device (regular) initialized: stats.log
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - lua support not compiled in. Reconfigure/recompile with lua(jit) and its development files installed to add lua support.
27/2/2023 -- 12:04:44 - - Delayed detect disabled
27/2/2023 -- 12:04:44 - - pattern matchers: MPM: ac, SPM: bm
27/2/2023 -- 12:04:44 - - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
27/2/2023 -- 12:04:44 - - grouping: udp-whitelist (default) 53, 135, 5060
27/2/2023 -- 12:04:44 - - prefilter engines: MPM
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry: After PreRunPostPrivsDropInit.
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_uri
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_uri
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_uri
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_uri
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_request_line
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_client_body
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_response_line
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header_names
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header_names
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header_names
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_header_names
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept_enc
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept_enc
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept_lang
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_accept_lang
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_referer
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_referer
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_connection
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_connection
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_len
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_len
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_len
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_len
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_type
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_type
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_type
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_content_type
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http.server
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http.server
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http.location
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http.location
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_protocol
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_protocol
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_start
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_start
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_method
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_method
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_cookie
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_cookie
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_cookie
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_cookie
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file.magic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_user_agent
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_user_agent
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_host
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_host
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_host
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_raw_host
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_stat_msg
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_stat_code
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http_stat_code
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http2_header_name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http2_header_name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http2_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for http2_header
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dns_query
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dnp3_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dnp3_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.sni
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.cert_issuer
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.cert_subject
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.cert_serial
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.cert_fingerprint
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tls.certs
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ja3.hash
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ja3.string
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ja3s.hash
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ja3s.string
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dce_stub_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dce_stub_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dce_stub_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for dce_stub_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for smb_named_pipe
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for smb_share
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.proto
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.proto
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh_software
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh_software
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.hassh
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.hassh.server
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.hassh.string
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ssh.hassh.server.string
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for file_data
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for krb5_cname
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for krb5_sname
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.method
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.uri
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.protocol
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.protocol
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.method
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.stat_msg
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.request_line
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for sip.response_line
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for rfb.name
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for snmp.community
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for snmp.community
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.connect.clientid
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.connect.username
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.connect.password
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.connect.willtopic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.connect.willmessage
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.publish.topic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.publish.message
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.subscribe.topic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for mqtt.unsubscribe.topic
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for icmpv4.hdr
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for tcp.hdr
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for udp.hdr
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for icmpv6.hdr
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ipv4.hdr
27/2/2023 -- 12:04:44 - - using shared mpm ctx' for ipv6.hdr
27/2/2023 -- 12:04:44 - - IP reputation disabled
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/detector.rules
27/2/2023 -- 12:04:44 - - No rules loaded from /etc/suricata/detector.rules.
27/2/2023 -- 12:04:44 - - Loading rule file: /etc/suricata/emerging.rules
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 858
27/2/2023 -- 12:04:44 - - Rule with ID 2001805 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2001241 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2001242 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2001243 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2001260 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 1114
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 2822
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 2824
27/2/2023 -- 12:04:44 - - Rule with ID 2001406 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2101854 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2101855 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - Rule with ID 2101856 is bidirectional, but source and destination are the same, treating the rule as unidirectional
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7198
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7200
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7202
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7204
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7206
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 7208
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_10, updated_at 2011_11_10;)" from file /etc/suricata/emerging.rules at line 13892
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 18102
27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL.
Probably have a !any or an address range that supplies a NULL address range 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)" from file /etc/suricata/emerging.rules at line 18782 27/2/2023 -- 12:04:44 - - Rule with ID 2001259 is bidirectional, but source and destination are the same, treating the rule as unidirectional 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - keyword 'ssh.softwareversion' is deprecated and will be removed soon. Use 'ssh.software' instead. See https://suricata.io/our-story/deprecation-policy/ 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_WARN_DEPRECATED(203)] - keyword 'ssh.softwareversion' is deprecated and will be removed soon. Use 'ssh.software' instead. See https://suricata.io/our-story/deprecation-policy/ 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 23020 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/emerging.rules at line 25912 27/2/2023 -- 12:04:44 - - Rule with ID 2001407 is bidirectional, but source and destination are the same, treating the rule as unidirectional 27/2/2023 -- 12:04:44 - - Rule with ID 2001408 is bidirectional, but source and destination are the same, treating the rule as unidirectional 27/2/2023 -- 12:04:44 - - Rule with ID 2026440 is bidirectional, but source and destination are the same, treating the rule as unidirectional 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range 27/2/2023 -- 12:04:44 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:5; metadata:created_at 2010_10_12, updated_at 2019_09_03;)" from file /etc/suricata/emerging.rules at line 38180 27/2/2023 -- 12:04:45 - - Rule with ID 2009375 is bidirectional, but source and destination are the same, treating the rule as unidirectional 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/site.rules 27/2/2023 -- 12:04:45 - - No rules loaded from /etc/suricata/site.rules. 27/2/2023 -- 12:04:45 - - 3 rule files processed. 30928 rules successfully loaded, 16 rules failed 27/2/2023 -- 12:04:45 - - Threshold config parsed: 0 rule(s) found 27/2/2023 -- 12:04:45 - - using shared mpm ctx' for tcp-packet 27/2/2023 -- 12:04:45 - - using shared mpm ctx' for tcp-stream 27/2/2023 -- 12:04:45 - - using shared mpm ctx' for udp-packet 27/2/2023 -- 12:04:45 - - using shared mpm ctx' for other-ip 27/2/2023 -- 12:04:45 - - 30939 signatures processed. 44 are IP-only rules, 8679 are inspecting packet payload, 21983 inspect application layer, 1 are decoder event only 27/2/2023 -- 12:04:45 - - building signature grouping structure, stage 1: preprocessing rules... complete 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 1 other sigs 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'realplayer.playlist' is checked but not set. 
Checked in 2102438 and 2 other sigs 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Excel' is checked but not set. Checked in 2023046 and 0 other sigs 27/2/2023 -- 12:04:45 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs 27/2/2023 -- 12:04:45 - - TCP toserver: 41 port groups, 35 unique SGH's, 6 copies 27/2/2023 -- 12:04:45 - - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies 27/2/2023 -- 12:04:45 - - UDP toserver: 41 port groups, 36 unique SGH's, 5 copies 27/2/2023 -- 12:04:45 - - UDP toclient: 21 port groups, 18 unique SGH's, 3 copies 27/2/2023 -- 12:04:45 - - OTHER toserver: 254 proto groups, 6 unique SGH's, 248 copies 27/2/2023 -- 12:04:45 - - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies 27/2/2023 -- 12:04:45 - - Unique rule groups: 116 27/2/2023 -- 12:04:45 - - Builtin MPM "toserver TCP packet": 32 27/2/2023 -- 12:04:45 - - Builtin MPM "toclient TCP packet": 20 27/2/2023 -- 12:04:45 - - Builtin MPM "toserver TCP stream": 33 27/2/2023 -- 12:04:45 - - Builtin MPM "toclient TCP stream": 21 27/2/2023 -- 12:04:45 - - Builtin MPM "toserver UDP packet": 34 27/2/2023 -- 12:04:45 - - Builtin MPM "toclient UDP packet": 18 27/2/2023 -- 12:04:45 - - Builtin MPM "other IP packet": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_uri (http)": 9 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_uri (http2)": 9 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_raw_uri (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_raw_uri (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_request_line (http)": 2 
27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_client_body (http)": 9 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_response_line (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_header (http)": 11 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_header (http)": 11 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_header (http2)": 11 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_header (http2)": 11 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_header_names (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_header_names (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_header_names (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_header_names (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept_enc (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept_enc (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept_lang (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_accept_lang (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_referer (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_referer (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_content_len (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_content_len (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_content_len (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_content_len (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_content_type (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_content_type (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_content_type (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_content_type (http2)": 2 27/2/2023 
-- 12:04:45 - - AppLayer MPM "toserver http_protocol (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_protocol (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_start (http)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_start (http)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_raw_header (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_raw_header (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_raw_header (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_raw_header (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_method (http)": 4 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_method (http2)": 4 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_cookie (http)": 3 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_cookie (http)": 3 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_cookie (http2)": 3 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_cookie (http2)": 3 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_user_agent (http)": 6 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_user_agent (http2)": 6 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_host (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver http_host (http2)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_stat_msg (http)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_stat_code (http)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient http_stat_code (http2)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver dns_query (dns)": 4 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver tls.sni (tls)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient tls.cert_issuer (tls)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient tls.cert_subject (tls)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient tls.cert_serial (tls)": 1 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient tls.cert_fingerprint (tls)": 2 27/2/2023 -- 
12:04:45 - - AppLayer MPM "toserver ssh.proto (ssh)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient ssh.proto (ssh)": 2 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver file_data (smtp)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient file_data (http)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver file_data (smb)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient file_data (smb)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toserver file_data (http2)": 5 27/2/2023 -- 12:04:45 - - AppLayer MPM "toclient file_data (http2)": 5 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry: Before RunModeDispatch. 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: Before RunModeGetCustomMode 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: After RunModeGetCustomMode 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: Calling RundModeFunc 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][07339A80]: thread W#01 setting tvflag 0x00000000 flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][07339A80]: thread W#01 setting tvflag 0x00000004 flag 0x00000001 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadCreate]: thread W#01, func=(nil) slots=pktacqloop 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSetSlots]: thread type pktacqloop, func=0x5c2210 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadCreate]: thread W#01, func=0x5c2210 slots=pktacqloop 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' top. 
27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' calling pthread_create() for func=0x5c2210 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' after pthread_create() 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' calling TmThreadWaitForFlag 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 tvflag=0x00000005 waiting on 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread W#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 going to sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 after sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread W#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 going to sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 after sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread W#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 going to sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 after sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread W#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] 
- [TmThreadWaitForFlag][07339A80]: thread W#01 going to sleep 27/2/2023 -- 12:04:46 - - using 1 flow manager threads 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][FD371700]: thread W#01 setting tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 got tvflag 0x00000007 flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][FD371700]: thread W#01 setting tvflag 0x00000007 flag 0x00000008 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 got tvflag 0x0000000F flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 after sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread W#01 got tvflag 0x0000000F flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread W#01 tvflag=0x0000000F, received a flag 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' after TmThreadWaitForFlag 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' calling TmThreadAppend 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'W#01' after TmThreadAppend 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: After RundModeFunc 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: Before TmValidateQueueState 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: After TmValidateQueueState 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Larry[RunModeDispatch]: Spawn management threads 27/2/2023 -- 12:04:46 - - [ERRCODE: 
SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][07339A80]: thread FM#01 setting tvflag 0x00000000 flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][07339A80]: thread FM#01 setting tvflag 0x00000004 flag 0x00000001 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadCreate]: thread FM#01, func=(nil) slots=management 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSetSlots]: thread type management, func=0x5c1ef0 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadCreate]: thread FM#01, func=0x5c1ef0 slots=management 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'FM#01' top. 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'FM#01' calling pthread_create() for func=0x5c1ef0 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 not recvd flag, tvflag 0x0000000F flag 0x00000010 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 got tvflag 0x0000000F flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'FM#01' after pthread_create() 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadSpawn] thread 'FM#01' calling TmThreadWaitForFlag 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread FM#01 tvflag=0x00000005 waiting on 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread FM#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread FM#01 going to sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsManagement]: top of 'FM#01' 
thread 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsManagement]: set thread name 'FM#01' thread 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsManagement]: SCDropCaps 'FM#01' thread 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsManagement]: starting 'FM#01' thread 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 not recvd flag, tvflag 0x0000000F flag 0x00000010 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 got tvflag 0x0000000F flag 0x00000004 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread FM#01 after sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][07339A80]: thread FM#01 not recvd flag, tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadWaitForFlag][07339A80]: thread FM#01 going to sleep 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsManagement]: 'FM#01' thread, posting INIT_DONE flag 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsSetFlag][FCAF0700]: thread FM#01 setting tvflag 0x00000005 flag 0x00000002 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 not recvd flag, tvflag 0x0000000F flag 0x00000010 27/2/2023 -- 12:04:46 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - [TmThreadsCheckFlag][FD371700]: thread W#01 got tvflag 0x0000000F flag 0x00000004