Your message dated Mon, 28 Nov 2016 11:40:02 +0100
with message-id 
<caoksjbhxxsesnvxo8wpbya7ky4ycopzc1ozm_+ikcjl9nts...@mail.gmail.com>
and subject line suricata 2.x is EOL
has caused the Debian Bug report #783660,
regarding suricata: It seems that http rules are no longer work after upgrade 
to jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
783660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783660
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: suricata
Version: 2.0.7-2
Severity: important


Hi,

I have a problem with suricata after upgrading to jessie. It seems that http 
rules are no longer work after upgrade to jessie.

I have created 2 rules to make a test in a file /etc/suricata/rules/local.rules:
alert http any any -> any any (msg:"User-Agent Gecko http_user_agent"; 
content:"Gecko"; http_user_agent; sid:2; rev:1;)
alert ip any any -> any any (msg:"ICMP detected"; sid:3; rev:1;)

In the log file (/var/log/fast.log) I can see the rule based on the ip test 
(and other alerts but no http alert):
04/28/2015-21:44:10.119672  [**] [1:3:1] ICMP detected [**] [Classification: 
(null)] [Priority: 3] {TCP} 192.168.0.119:4996 -> 168.61.34.65:80

I use the rules from Emerging Threats 
(https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz).

There is no error in suricata starting:
root@ids:/var/log/suricata# suricata -c /etc/suricata/suricata-debian.yaml -i 
eth1 --init-errors-fatal
28/4/2015 -- 22:09:19 - <Notice> - This is Suricata version 2.0.7 RELEASE
28/4/2015 -- 22:09:19 - <Info> - CPUs/cores online: 4
28/4/2015 -- 22:09:19 - <Info> - 'default' server has 
'request-body-minimal-inspect-size' set to 33882 and 
'request-body-inspect-window' set to 4053 after randomization.
28/4/2015 -- 22:09:19 - <Info> - 'default' server has 
'response-body-minimal-inspect-size' set to 33695 and 
'response-body-inspect-window' set to 4218 after randomization.
28/4/2015 -- 22:09:19 - <Info> - DNS request flood protection level: 500
28/4/2015 -- 22:09:19 - <Info> - DNS per flow memcap (state-memcap): 524288
28/4/2015 -- 22:09:19 - <Info> - DNS global memcap: 16777216
28/4/2015 -- 22:09:19 - <Info> - Found an MTU of 1500 for 'eth1'
28/4/2015 -- 22:09:19 - <Info> - allocated 2097152 bytes of memory for the 
defrag hash... 65536 buckets of size 32
28/4/2015 -- 22:09:19 - <Info> - preallocated 65535 defrag trackers of size 116
28/4/2015 -- 22:09:19 - <Info> - defrag memory usage: 9699212 bytes, maximum: 
33554432
28/4/2015 -- 22:09:19 - <Info> - AutoFP mode using default "Active Packets" 
flow load balancer
28/4/2015 -- 22:09:19 - <Info> - preallocated 1024 packets. Total memory 2797568
28/4/2015 -- 22:09:19 - <Info> - allocated 262144 bytes of memory for the host 
hash... 4096 buckets of size 64
28/4/2015 -- 22:09:19 - <Info> - preallocated 1000 hosts of size 72
28/4/2015 -- 22:09:19 - <Info> - host memory usage: 342144 bytes, maximum: 
16777216
28/4/2015 -- 22:09:19 - <Info> - allocated 4194304 bytes of memory for the flow 
hash... 65536 buckets of size 64
28/4/2015 -- 22:09:19 - <Info> - preallocated 10000 flows of size 188
28/4/2015 -- 22:09:19 - <Info> - flow memory usage: 6114304 bytes, maximum: 
67108864
28/4/2015 -- 22:09:19 - <Info> - stream "prealloc-sessions": 2048 (per thread)
28/4/2015 -- 22:09:19 - <Info> - stream "memcap": 33554432
28/4/2015 -- 22:09:19 - <Info> - stream "midstream" session pickups: disabled
28/4/2015 -- 22:09:19 - <Info> - stream "async-oneside": disabled
28/4/2015 -- 22:09:19 - <Info> - stream "checksum-validation": enabled
28/4/2015 -- 22:09:19 - <Info> - stream."inline": disabled
28/4/2015 -- 22:09:19 - <Info> - stream "max-synack-queued": 5
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "memcap": 134217728
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "depth": 1048576
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "toserver-chunk-size": 2517
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "toclient-chunk-size": 2514
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly.raw: enabled
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 4, prealloc 256
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 16, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 112, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 248, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 512, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 768, prealloc 1024
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 1448, prealloc 1024
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 65535, prealloc 128
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "chunk-prealloc": 250
28/4/2015 -- 22:09:19 - <Info> - IP reputation disabled
28/4/2015 -- 22:09:19 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:19 - <Info> - Delayed detect disabled
28/4/2015 -- 22:09:26 - <Info> - 50 rule files processed. 16837 rules 
successfully loaded, 0 rules failed
28/4/2015 -- 22:09:26 - <Info> - 16845 signatures processed. 948 are IP-only 
rules, 5186 are inspecting packet payload, 12575 inspect application layer, 75 
are decoder event only
28/4/2015 -- 22:09:26 - <Info> - building signature grouping structure, stage 
1: preprocessing rules... complete
28/4/2015 -- 22:09:26 - <Info> - building signature grouping structure, stage 
2: building source address list... complete
28/4/2015 -- 22:09:28 - <Info> - building signature grouping structure, stage 
3: building destination address lists... complete
28/4/2015 -- 22:09:30 - <Info> - Threshold config parsed: 0 rule(s) found
28/4/2015 -- 22:09:30 - <Info> - Core dump size set to unlimited.
28/4/2015 -- 22:09:30 - <Info> - fast output device (regular) initialized: 
fast.log
28/4/2015 -- 22:09:30 - <Info> - eve-log output device (regular) initialized: 
eve.json
28/4/2015 -- 22:09:30 - <Info> - returning output_ctx 0xba180c40
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'alert'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'http'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'dns'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'tls'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'files'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'ssh'
28/4/2015 -- 22:09:30 - <Info> - Unified2-alert initialized: filename 
unified2.alert, limit 32 MB
28/4/2015 -- 22:09:30 - <Info> - http-log output device (regular) initialized: 
http.log
28/4/2015 -- 22:09:30 - <Info> - Using 1 live device(s).
28/4/2015 -- 22:09:30 - <Info> - using interface eth1
28/4/2015 -- 22:09:30 - <Info> - Running in 'auto' checksum mode. Detection of 
interface state will require 1000 packets.
28/4/2015 -- 22:09:30 - <Info> - Found an MTU of 1500 for 'eth1'
28/4/2015 -- 22:09:30 - <Info> - Set snaplen to 1516 for 'eth1'
28/4/2015 -- 22:09:30 - <Info> - Generic Receive Offload is unset on eth1
28/4/2015 -- 22:09:30 - <Info> - Large Receive Offload is unset on eth1
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - RunModeIdsPcapAutoFp initialised
28/4/2015 -- 22:09:30 - <Notice> - all 7 packet processing threads, 3 
management threads initialized, engine started.
28/4/2015 -- 22:10:47 - <Info> - No packets with invalid checksum, assuming 
checksum offloading is NOT used

Thanks for your help.

Best Regards,
-- 
Olivier LARRIGAUDIERE

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages suricata depends on:
ii  libc6                2.19-18
ii  libcap-ng0           0.7.4-2
ii  libgcrypt20          1.6.3-2
ii  libgnutls-deb0-28    3.3.8-6
ii  libjansson4          2.7-1
ii  libluajit-5.1-2      2.0.3+dfsg-3
ii  libmagic1            1:5.22+15-2
ii  libnet1              1.1.6+dfsg-3
ii  libnetfilter-queue1  1.0.2-2
ii  libnfnetlink0        1.0.1-3
ii  libnspr4             2:4.10.7-1
ii  libnss3              2:3.17.2-1.1
ii  libpcap0.8           1.6.2-2
ii  libpcre3             2:8.35-3.3
ii  libprelude2          1.0.0-11.4
ii  libyaml-0-2          0.1.6-3
ii  python               2.7.9-1
ii  zlib1g               1:1.2.8.dfsg-2+b1

Versions of packages suricata recommends:
ii  oinkmaster           2.0-4
ii  snort-rules-default  2.9.2.2-3

suricata suggests no packages.

-- Configuration Files:
/etc/default/suricata changed:
RUN=yes
SURCONF=/etc/suricata/suricata-debian.yaml
LISTENMODE=pcap
IFACE=eth1
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/var/run/suricata.pid

/etc/suricata/rules/decoder-events.rules changed:
alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small"; 
decode-event:ipv4.pkt_too_small; sid:2200000; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 header size too small"; 
decode-event:ipv4.hlen_too_small; sid:2200001; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 total length smaller than 
header size"; decode-event:ipv4.iplen_smaller_than_hlen; sid:2200002; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option"; 
decode-event:ipv4.opt_invalid; sid:2200004; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; 
decode-event:ipv4.opt_invalid_len; sid:2200005; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 malformed option"; 
decode-event:ipv4.opt_malformed; sid:2200006; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 option end of list 
required"; decode-event:ipv4.opt_eol_required; sid:2200008; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 duplicated IP option"; 
decode-event:ipv4.opt_duplicate; sid:2200009; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 unknown IP option"; 
decode-event:ipv4.opt_unknown; sid:2200010; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 wrong IP version"; 
decode-event:ipv4.wrong_ip_version; sid:2200011; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small"; 
decode-event:ipv6.pkt_too_small; sid:2200012; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension 
header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment 
extension header"; decode-event:ipv6.exthdr_dupl_fh; sid:2200015; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension 
header"; decode-event:ipv6.exthdr_useless_fh; sid:2200080; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing 
extension header"; decode-event:ipv6.exthdr_dupl_rh; sid:2200016; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop 
Options extension header"; decode-event:ipv6.exthdr_dupl_hh; sid:2200017; 
rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination 
Options extension header"; decode-event:ipv6.exthdr_dupl_dh; sid:2200018; 
rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Authentication 
Header extension header"; decode-event:ipv6.exthdr_dupl_ah; sid:2200019; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicate ESP extension 
header"; decode-event:ipv6.exthdr_dupl_eh; sid:2200020; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 invalid option length in 
header"; decode-event:ipv6.exthdr_invalid_optlen; sid:2200021; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 wrong IP version"; 
decode-event:ipv6.wrong_ip_version; sid:2200022; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 AH reserved field not 0"; 
decode-event:ipv6.exthdr_ah_res_not_null; sid:2200081; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; 
decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; 
decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; 
decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; 
decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; 
decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; 
decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; 
decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; 
decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; 
decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; 
decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; 
decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; 
decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; 
decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length"; 
decode-event:tcp.opt_invalid_len; sid:2200036; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; 
decode-event:tcp.opt_duplicate; sid:2200037; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; 
decode-event:udp.pkt_too_small; sid:2200038; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; 
decode-event:udp.hlen_too_small; sid:2200039; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; 
decode-event:udp.hlen_invalid; sid:2200040; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; 
decode-event:sll.pkt_too_small; sid:2200041; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; 
decode-event:ethernet.pkt_too_small; sid:2200042; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; 
decode-event:ppp.pkt_too_small; sid:2200043; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small"; 
decode-event:ppp.vju_pkt_too_small; sid:2200044; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small"; 
decode-event:ppp.ip4_pkt_too_small; sid:2200045; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP IPv6 too small"; 
decode-event:ppp.ip6_pkt_too_small; sid:2200046; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP wrong type"; 
decode-event:ppp.wrong_type; sid:2200047; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; 
decode-event:ppp.unsup_proto; sid:2200048; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; 
decode-event:pppoe.pkt_too_small; sid:2200049; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code"; 
decode-event:pppoe.wrong_code; sid:2200050; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE malformed tags"; 
decode-event:pppoe.malformed_tags; sid:2200051; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE packet too small"; 
decode-event:gre.pkt_too_small; sid:2200052; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE wrong version"; 
decode-event:gre.wrong_version; sid:2200053; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 recursion control"; 
decode-event:gre.version0_recur; sid:2200054; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 flags"; 
decode-event:gre.version0_flags; sid:2200055; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 header too big"; 
decode-event:gre.version0_hdr_too_big; sid:2200056; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 checksum present"; 
decode-event:gre.version1_chksum; sid:2200057; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 routing present"; 
decode-event:gre.version1_route; sid:2200058; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 strict source route"; 
decode-event:gre.version1_ssr; sid:2200059; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 recursion control"; 
decode-event:gre.version1_recur; sid:2200060; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 flags"; 
decode-event:gre.version1_flags; sid:2200061; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 no key present"; 
decode-event:gre.version1_no_key; sid:2200062; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 wrong protocol"; 
decode-event:gre.version1_wrong_protocol; sid:2200063; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 malformed Source Route 
Entry header"; decode-event:gre.version1_malformed_sre_hdr; sid:2200064; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 header too big"; 
decode-event:gre.version1_hdr_too_big; sid:2200065; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA VLAN header too small "; 
decode-event:vlan.header_too_small; sid:2200066; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version "; 
decode-event:ipraw.invalid_ip_version; sid:2200068; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too 
large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation 
overlap"; decode-event:ipv4.frag_overlap; sid:2200070; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too 
large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation 
overlap"; decode-event:ipv6.frag_overlap; sid:2200072; rev:1;)
alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; 
ipv4-csum:invalid; sid:2200073; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; 
tcpv4-csum:invalid; sid:2200074; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; 
udpv4-csum:invalid; sid:2200075; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; 
icmpv4-csum:invalid; sid:2200076; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; 
tcpv6-csum:invalid; sid:2200077; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; 
udpv6-csum:invalid; sid:2200078; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; 
icmpv6-csum:invalid; sid:2200079; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short"; 
decode-event:ipv6.ipv4_in_ipv6_too_small; sid:2200082; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; 
decode-event:ipv6.ipv4_in_ipv6_wrong_version; sid:2200083; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; 
decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; 
decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)

/etc/suricata/rules/dns-events.rules [Errno 2] No such file or directory: 
u'/etc/suricata/rules/dns-events.rules'
/etc/suricata/rules/files.rules changed:
alert http any any -> any any (msg:"FILE magic -- windows"; 
flow:established,to_client; filemagic:"executable for MS Windows"; filestore; 
sid:18; rev:1;)

/etc/suricata/rules/http-events.rules changed:
alert http any any -> any any (msg:"SURICATA HTTP unknown error"; 
flow:established; app-layer-event:http.unknown_error; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221000; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request field missing colon"; 
flow:established,to_server; app-layer-event:http.request_field_missing_colon; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221002; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response field missing 
colon"; flow:established,to_client; 
app-layer-event:http.response_field_missing_colon; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221020; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding 
value in request"; flow:established,to_server; 
app-layer-event:http.invalid_transfer_encoding_value_in_request; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221005; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding 
value in response"; flow:established,to_client; 
app-layer-event:http.invalid_transfer_encoding_value_in_response; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221006; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid content length field 
in request"; flow:established,to_server; 
app-layer-event:http.invalid_content_length_field_in_request; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221007; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid content length field 
in response"; flow:established,to_client; 
app-layer-event:http.invalid_content_length_field_in_response; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221008; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid server port in 
request"; flow:established,to_server; 
app-layer-event:http.invalid_server_port_in_request; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221011; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid authority port"; 
flow:established; app-layer-event:http.invalid_authority_port; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221012; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request header invalid"; 
flow:established,to_server; app-layer-event:http.request_header_invalid; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; 
flow:established,to_client; app-layer-event:http.response_header_invalid; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; 
flow:established,to_server; app-layer-event:http.host_header_ambiguous; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid request field 
folding"; flow:established,to_server; 
app-layer-event:http.invalid_request_field_folding; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid response field 
folding"; flow:established,to_client; 
app-layer-event:http.invalid_response_field_folding; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request field too long"; 
flow:established,to_server; app-layer-event:http.request_field_too_long; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response field too long"; 
flow:established,to_client; app-layer-event:http.response_field_too_long; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; 
flow:established,to_server; app-layer-event:http.multipart_no_filedata; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; 
flow:established,to_server; app-layer-event:http.multipart_invalid_header; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; 
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't 
match TCP port"; flow:established,to_server; 
app-layer-event:http.request_server_port_tcp_port_mismatch; 
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; 
rev:1;)

/etc/suricata/rules/smtp-events.rules changed:
alert smtp any any -> any any (msg:"SURICATA SMTP max command line len 
exceeded"; flow:established; 
app-layer-event:smtp.max_command_line_len_exceeded; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002; 
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP max reply line len exceeded"; 
flow:established,to_client; app-layer-event:smtp.max_reply_line_len_exceeded; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220003; 
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP invalid pipelined sequence"; 
flow:established,to_server; app-layer-event:smtp.invalid_pipelined_sequence; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220004; 
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded"; 
flow:established; app-layer-event:smtp.bdat_chunk_len_exceeded; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005; 
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP no server welcome message"; 
flow:established,to_client; app-layer-event:smtp.no_server_welcome_message; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220006; 
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP data command rejected"; 
flow:established,to_client; app-layer-event:smtp.data_command_rejected; 
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220008; 
rev:1;)

/etc/suricata/rules/stream-events.rules changed:
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake with ack in 
wrong dir"; stream-event:3whs_ack_in_wrong_dir; sid:2210000; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake async wrong 
sequence"; stream-event:3whs_async_wrong_seq; sid:2210001; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake right seq 
wrong ack evasion"; stream-event:3whs_right_seq_wrong_ack_evasion; sid:2210002; 
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK in 
wrong direction"; stream-event:3whs_synack_in_wrong_direction; sid:2210003; 
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend 
with different ack"; stream-event:3whs_synack_resend_with_different_ack; 
sid:2210004; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend 
with different seq"; stream-event:3whs_synack_resend_with_diff_seq; 
sid:2210005; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK to 
server on SYN recv"; stream-event:3whs_synack_toserver_on_syn_recv; 
sid:2210006; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK with 
wrong ack"; stream-event:3whs_synack_with_wrong_ack; sid:2210007; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend 
different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; 
sid:2210008; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client 
on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; sid:2210009; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq 
wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; sid:2210010; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with 
wrong ACK"; stream-event:4whs_synack_with_wrong_ack; sid:2210011; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with 
wrong SYN"; stream-event:4whs_synack_with_wrong_syn; sid:2210012; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; 
stream-event:4whs_wrong_seq; sid:2210013; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake invalid ack"; 
stream-event:4whs_invalid_ack; sid:2210014; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT ACK out of 
window"; stream-event:closewait_ack_out_of_window; sid:2210015; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT FIN out of 
window"; stream-event:closewait_fin_out_of_window; sid:2210016; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT invalid ACK"; 
stream-event:closewait_invalid_ack; sid:2210017; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING ACK wrong seq"; 
stream-event:closing_ack_wrong_seq; sid:2210018; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING invalid ACK"; 
stream-event:closing_invalid_ack; sid:2210019; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of 
window"; stream-event:est_packet_out_of_window; sid:2210020; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission 
packet before last ack"; stream-event:est_pkt_before_last_ack; sid:2210021; 
rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend"; 
stream-event:est_synack_resend; sid:2210022; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend 
with different ACK"; stream-event:est_synack_resend_with_different_ack; 
sid:2210023; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend 
with different seq"; stream-event:est_synack_resend_with_diff_seq; sid:2210024; 
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK to 
server"; stream-event:est_synack_toserver; sid:2210025; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend"; 
stream-event:est_syn_resend; sid:2210026; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend with 
different seq"; stream-event:est_syn_resend_diff_seq; sid:2210027; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN to client"; 
stream-event:est_syn_toclient; sid:2210028; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED invalid ack"; 
stream-event:est_invalid_ack; sid:2210029; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN invalid ack"; 
stream-event:fin_invalid_ack; sid:2210030; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 ack with wrong seq"; 
stream-event:fin1_ack_wrong_seq; sid:2210031; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 FIN with wrong seq"; 
stream-event:fin1_fin_wrong_seq; sid:2210032; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 invalid ack"; 
stream-event:fin1_invalid_ack; sid:2210033; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 ack with wrong seq"; 
stream-event:fin2_ack_wrong_seq; sid:2210034; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 FIN with wrong seq"; 
stream-event:fin2_fin_wrong_seq; sid:2210035; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 invalid ack"; 
stream-event:fin2_invalid_ack; sid:2210036; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN out of window"; 
stream-event:fin_out_of_window; sid:2210038; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK with wrong seq"; 
stream-event:lastack_ack_wrong_seq; sid:2210039; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK invalid ACK"; 
stream-event:lastack_invalid_ack; sid:2210040; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong 
seq"; stream-event:timewait_ack_wrong_seq; sid:2210042; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT invalid ack"; 
stream-event:timewait_invalid_ack; sid:2210043; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid 
timestamp"; stream-event:pkt_invalid_timestamp; sid:2210044; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack"; 
stream-event:rst_invalid_ack; sid:2210046; rev:1;)

/etc/suricata/rules/tls-events.rules changed:
alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; 
flow:established; app-layer-event:tls.invalid_sslv2_header; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; 
flow:established; app-layer-event:tls.invalid_tls_header; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; 
flow:established; app-layer-event:tls.invalid_record_type; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; 
flow:established; app-layer-event:tls.invalid_handshake_message; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; 
flow:established; app-layer-event:tls.invalid_certificate; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; 
flow:established; app-layer-event:tls.certificate_missing_element; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; 
flow:established; app-layer-event:tls.certificate_unknown_element; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; 
flow:established; app-layer-event:tls.certificate_invalid_length; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; 
flow:established; app-layer-event:tls.certificate_invalid_string; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; 
rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; 
flow:established; app-layer-event:tls.error_message_encountered; 
flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; 
rev:1;)

/etc/suricata/suricata-debian.yaml changed:
%YAML 1.1
---
host-mode: auto
default-log-dir: /var/log/suricata/
unix-command:
  enabled: no
  #filename: custom.socket
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop
        - ssh
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb
      # Sensor ID field of unified2 alerts.
      #sensor-id: 0
      # HTTP X-Forwarded-For support by adding the unified2 extra header that
      # will contain the actual client IP address or by overwriting the source
      # IP address (helpful when inspecting traffic that is being reversed
      # proxied).
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Header name were the actual IP address will be reported, if more than
        # one IP address is present, the last IP address will be the one taken
        # into consideration.
        header: X-Forwarded-For 
  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by 
customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B 
%a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files
  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log to used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parser like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no
  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or are as specified by "dir". In Sguil mode "dir" indicates the base 
directory.
  # In this base dir the pcaps are created in th directory structure Sguil 
expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled:  no
      filename: log.pcap
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 1000mb
      # If set to a value will enable ring buffer mode. Will keep Maximum of 
"max-files" of size "limit"
      max-files: 2000
      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is filename.sec 
usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream 
inspection depth are ignored. "no" logs all packets
  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes
  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If ommited the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: no     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs
  # output module to log files tracked in a easily parsable json format
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      force-magic: no   # force logging magic on all logged files
      force-md5: no     # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
    # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid.  AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or 
per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the 
same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is 
set
    # to yes, the kernel will do the needed defragmentation before sending the 
packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by 
setting
    # the following value. If you are using flow cluster-type and have really 
network
    # intensive single-flow you could want to set the ring-size independantly 
of the number
    # of threads:
    #ring-size: 2048
    # On busy system, this could help to set it to yes to recover from a packet 
drop
    # phase. This will result in some packets (at max a ring flush) being non 
treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap od IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes
legacy:
  uricontent: enabled
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
  #- rule-reload: true
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #- delayed-detect: yes
threading:
  # On some cpu's/architectures it is beneficial to tie individual threads
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  #
  set-cpu-affinity: no
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitely 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
           default: "medium"
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, less threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 1.5
cuda:
  # The "mpm" profile.  On not specifying any of these parameters, the engine's
  # internal default values are used, which are same as the ones specified in
  # in the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 50mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 2000
    # The device to use for the mpm.  Currently we don't support load balancing
    # on multiple gpus.  In case you have multiple devices on your system, you
    # can specify the device to use, using this conf.  By default we hold 0, to
    # specify the first device cuda sees.  To find out device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 0
    # No of Cuda streams used for asynchronous processing. All values > 0 are 
valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2
mpm-algo: ac
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or 
no set it statically
  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #chunk-prealloc: 250
    #segments:
    #  - size: 4
    #    prealloc: 256
    #  - size: 16
    #    prealloc: 512
    #  - size: 112
    #    prealloc: 512
    #  - size: 248
    #    prealloc: 512
    #  - size: 512
    #    prealloc: 512
    #  - size: 768
    #    prealloc: 1024
    #  - size: 1448
    #    prealloc: 1024
    #  - size: 65535
    #    prealloc: 128
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overriden by the SC_LOG_LEVEL env var.
  default-log-level: info
  # The default output format.  Optional parameter, should default to
  # something reasonable if not provided.  Can be overriden in an
  # output section.  You can leave this out to get the default.
  #
  # This value is overriden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overriden by the SC_LOG_OP_FILTER env var.
  default-output-filter:
  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
mpipe:
  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  load-balance: dynamic
  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 
65536
  iqueue-packets: 2048
  # List of interfaces we will listen on.
  inputs:
  - interface: xgbe2
  - interface: xgbe3
  - interface: xgbe4
  # Relative weight of memory for packets of each mPipe buffer size.
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0
pfring:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default PF_RING cluster type. PF_RING can load balance per flow or per 
hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2
pcap:
  - interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of 
capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto
pcap-file:
  # Possible values are:
  #  - yes: checksum validation is forced
  #  - no: checksum validation is disabled
  #  - auto: suricata uses a statistical approach to detect when
  #  checksum off-loading is used. (default)
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
  checksum-checks: auto
ipfw:
  # Reinject packets at the specified ipfw rule number.  This config
  # option is the ipfw rule number AT WHICH rule processing continues
  # in the ipfw processing system after the engine has finished
  # inspecting the packet for acceptance.  If no rule number is specified,
  # accepted packets are reinjected at the divert rule which they entered
  # and IPFW rule processing continues.  No check is done to verify
  # this will rule makes sense so care must be taken to avoid loops in ipfw.
  #
  ## The following example tells the engine to reinject packets
  # back into the ipfw firewall AT rule number 5500:
  #
  # ipfw-reinjection-rule-number: 5500
default-rule-path: /etc/suricata/rules
rule-files:
 - local.rules
 - botcc.portgrouped.rules
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - decoder-events.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
 - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-dns.rules
 - emerging-dos.rules
 - emerging-exploit.rules
 - emerging-ftp.rules
 - emerging-games.rules
 - emerging-icmp_info.rules
 - emerging-imap.rules
 - emerging-inappropriate.rules
 - emerging-info.rules
 - emerging-malware.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
 - emerging-netbios.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-pop3.rules
 - emerging-rpc.rules
 - emerging-scada.rules
 - emerging-scan.rules
 - emerging-shellcode.rules
 - emerging-smtp.rules
 - emerging-snmp.rules
 - emerging-sql.rules
 - emerging-telnet.rules
 - emerging-tftp.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
 - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - files.rules
 - http-events.rules
 - smtp-events.rules
 - stream-events.rules
 - tls-events.rules
 - tor.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
action-order:
  - pass
  - drop
  - reject
  - alert
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [192.168.0.1, 192.168.0.4]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
asn1-max-frames: 256
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb
      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb
      
###########################################################################
      # Configure libhtp.
      #
      #
      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for 
inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for 
inspection
      #                           by file_data, http_server_body & pcre /Q 
option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      # server-config:            List of server configurations to use if 
address matches
      #   address:                List of ip addresses or networks for this 
block
      #   personalitiy:           List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for 
inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for 
inspection
      #                           by file_data, http_server_body & pcre /Q 
option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the 
other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default 
in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal
      #   Generic
      #   IDS (default)
      #   IIS_4_0
      #   IIS_5_0
      #   IIS_5_1
      #   IIS_6_0
      #   IIS_7_0
      #   IIS_7_5
      #   Apache_2
      
###########################################################################
      libhtp:
         default-config:
           personality: IDS
           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 3072
           response-body-limit: 3072
           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 32kb
           response-body-inspect-window: 4kb
           # Take a random value for inspection sizes around the specified 
value.
           # This lower the risk of some evasion technics but could lead
           # detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection size will be choosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10
           # decoding
           double-decode-path: no
           double-decode-query: no
         server-config:
           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no
           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000
  # rule profiling
  rules:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    append: yes
    # Sort options: ticks, avgticks, checks, matches, maxticks
    sort: avgticks
    # Limit the number of items printed at exit.
    limit: 100
  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  # packet profiling
  packets:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes
    # per packet csv output
    csv:
      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv
  # profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
coredump:
  max-dump: unlimited
napatech:
    # The Host Buffer Allowance for all streams
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
    hba: -1
    # use_all_streams set to "yes" will query the Napatech service for all 
configured
    # streams and listen on all of them. When set to "no" the streams config 
array
    # will be used.
    use-all-streams: yes
    # The streams to listen on
    streams: [1, 2, 3]


-- no debconf information

--- End Message ---
--- Begin Message ---
Hi,

upstream confirmed that suricata 2.x is considered EOL. No support
exists for that.

They report that most issues with that upgrade path were around
changed vlan handling.

And they suggest this bug being closed, as we can do little more. So,
doing it now.


Thanks for reporting and feel free to reopen if necessary.
regards.

--- End Message ---

Reply via email to