Every night at 5:00 am these log messages can be found in System Logs / Intrusion Prevention:
|05:00:46|suricata:|Signature(s) loaded, Detect thread(s) activated.|
|05:00:46|suricata:|rule reload complete|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘dcerpc.rpcnetlogon’ is checked but not set. Checked in 2030870 and 6 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.gocd.auth’ is checked but not set. Checked in 2034333 and 0 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.IE7.NoRef.NoCookie’ is checked but not set. Checked in 2024192 and 1 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.pdf.in.http’ is checked but not set. Checked in 2017790 and 0 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient’ is checked but not set. Checked in 2015658 and 4 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.JavaArchiveOrClass’ is checked but not set. Checked in 2017772 and 1 other sigs|
|05:00:25|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.binary’ is checked but not set. Checked in 2025195 and 1 other sigs|
|05:00:23|suricata:|rule reload starting|
|05:00:23|suricata:|all 4 packet processing threads, 2 management threads initialized, engine started.|
|05:00:22|suricata:|[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active|
|05:00:22|suricata:|This is Suricata version 5.0.8 RELEASE running in SYSTEM mode|
|05:00:21|suricata:|(W-NFQ#3) Verdict: Accepted 96030, Dropped 155, Replaced 0|
|05:00:21|suricata:|(W-NFQ#3) Treated: Pkts 96185, Bytes 53052960, Errors 0|
|05:00:21|suricata:|(W-NFQ#2) Verdict: Accepted 101666, Dropped 144, Replaced 0|
|05:00:21|suricata:|(W-NFQ#2) Treated: Pkts 101810, Bytes 60902784, Errors 0|
|05:00:21|suricata:|(W-NFQ#1) Verdict: Accepted 149838, Dropped 203, Replaced 0|
|05:00:21|suricata:|(W-NFQ#1) Treated: Pkts 150041, Bytes 79013075, Errors 0|
|05:00:21|suricata:|(W-NFQ#0) Verdict: Accepted 112144, Dropped 189, Replaced 0|
|05:00:21|suricata:|(W-NFQ#0) Treated: Pkts 112333, Bytes 59401171, Errors 0|
|05:00:21|suricata:|Signal Received. Stopping engine.|
Is a cronjob triggering this and what is it good for anyway? Reloading of rules is processed earlier at night:
|01:27:00|suricata:|rule reload complete|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘dcerpc.rpcnetlogon’ is checked but not set. Checked in 2030870 and 6 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.gocd.auth’ is checked but not set. Checked in 2034333 and 0 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.IE7.NoRef.NoCookie’ is checked but not set. Checked in 2024192 and 1 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.pdf.in.http’ is checked but not set. Checked in 2017790 and 0 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient’ is checked but not set. Checked in 2015658 and 4 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.JavaArchiveOrClass’ is checked but not set. Checked in 2017772 and 1 other sigs|
|01:26:39|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.binary’ is checked but not set. Checked in 2025195 and 1 other sigs|
|01:26:37|suricata:|rule reload starting|
Also, every night the ISP router goes down on purpose at 5:00 am for about 5 minutes. Does this correlate with and trigger the event on IPFire's Suricata engine?
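
An added example, not part of the original post: a small Python parser that separates full engine restarts from live rule reloads in log lines of the format shown above and totals the NFQ verdict counters printed at shutdown. The sample is abridged from the post's excerpts; the 60-second window that ties a reload to an engine start, and all function names, are assumptions.

```python
import re
from datetime import datetime
# Sample abridged from the excerpts in the post (newest first, as displayed).
SAMPLE = """\
|05:00:46|suricata:|rule reload complete|
|05:00:23|suricata:|rule reload starting|
|05:00:22|suricata:|This is Suricata version 5.0.8 RELEASE running in SYSTEM mode|
|05:00:21|suricata:|(W-NFQ#1) Verdict: Accepted 149838, Dropped 203, Replaced 0|
|05:00:21|suricata:|(W-NFQ#0) Verdict: Accepted 112144, Dropped 189, Replaced 0|
|05:00:21|suricata:|Signal Received. Stopping engine.|
|01:27:00|suricata:|rule reload complete|
|01:26:37|suricata:|rule reload starting|
"""
LINE = re.compile(r"^\|(\d\d:\d\d:\d\d)\|suricata:\|(.*)\|$")
VERDICT = re.compile(r"Verdict: Accepted (\d+), Dropped (\d+)")
WINDOW = 60  # assumption: a reload this soon after engine start belongs to the restart

def secs(a, b):  # seconds from a to b, both on the same day
    fmt = "%H:%M:%S"
    return int((datetime.strptime(b, fmt) - datetime.strptime(a, fmt)).total_seconds())

def classify(log_text):
    """Return restart and reload events in chronological order."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    rows.reverse()  # newest-first input -> oldest-first, same-second order preserved
    events, stopped, started, reload_at, acc, drop = [], None, None, None, 0, 0
    for ts, msg in rows:
        verdict = VERDICT.search(msg)
        if msg.startswith("Signal Received. Stopping engine"):
            stopped, acc, drop = ts, 0, 0
        elif verdict and stopped:  # per-queue totals printed during shutdown
            acc, drop = acc + int(verdict.group(1)), drop + int(verdict.group(2))
        elif msg.startswith("This is Suricata version"):
            if stopped:
                events.append({"kind": "restart", "start": stopped, "end": ts,
                               "accepted": acc, "dropped": drop})
            stopped, started = None, ts
        elif msg == "rule reload starting":
            reload_at = ts
        elif msg == "rule reload complete" and reload_at:
            near = started is not None and 0 <= secs(started, reload_at) <= WINDOW
            events.append({"kind": "reload", "start": reload_at, "end": ts,
                           "seconds": secs(reload_at, ts), "after_engine_start": near})
            reload_at = None
    return events

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event)
```

On the sample, the 01:26 reload is reported as stand-alone, while the 05:00 reload is flagged as following an engine start one second earlier.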