Suricata debugging
If you're running into issues with Suricata, it may be worth spending some time looking at the debugging options.
To enable the debugging code, pass --enable-debug to configure:
./configure --enable-debug
Then run make and make install again. Make sure that during compilation you see -DDEBUG in the gcc command lines; without it the debug code is compiled out and the runtime settings below have nothing to enable.
Then, to actually enable it at runtime, set the SC_LOG_LEVEL environment variable:
SC_LOG_LEVEL=Debug
Depending on how you run the engine, this will output massive amounts of debugging info. That's why we added a pcre regex filter option:
SC_LOG_OP_FILTER=regex
The regex is currently case sensitive. It is matched against the full debug line (prefix included), so it can match on the filename, the function name or the message text. For example, if you only want to see output related to the HTP module, do something like:
SC_LOG_LEVEL=Debug SC_LOG_OP_FILTER="htp" suricata -c suricata.yaml -r /path/to/file.pcap
Or maybe you want the stream messages as well:
SC_LOG_LEVEL=Debug SC_LOG_OP_FILTER="(htp|stream)" suricata -c suricata.yaml -r /path/to/file.pcap
You can also control the logging format by setting the SC_LOG_FORMAT environment variable. By default it is set to "[%i] %t - (%f:%l) <%d> (%n) -- ".
The following format specifiers are available:
%t  timestamp
%p  process id (pid)
%i  thread id
%m  thread module name
%d  log level
%f  filename
%l  line number
%n  function name
Example:
SC_LOG_FORMAT="[%i] %t - (%f:%l) <%d> (%n) -- "
Putting it all together:
SC_LOG_LEVEL=Debug SC_LOG_FORMAT="[%i] %t - (%f:%l) <%d> (%n) -- " SC_LOG_OP_FILTER="(htp|stream)" suricata -c suricata.yaml -r /path/to/file.pcap
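As an added example (not code from this page or from Suricata itself), the Python script below simulates the two mechanisms described above: it expands the SC_LOG_FORMAT specifiers into a line and then applies SC_LOG_OP_FILTER as a case-sensitive regex to that whole formatted line, over a handful of constructed log events. The file, function, module and message names in the samples are invented for illustration. It also shows how a script would launch a debug build with the three variables set; that part needs an installed suricata and is not exercised by the offline part. Running it shows the point the text makes about the filter: "htp" catches the line from app-layer-htp.c but not the one whose message says "HTP parser", and a format that drops %f leaves an "htp" filter nothing to match on.

```python
"""Simulate SC_LOG_FORMAT expansion and SC_LOG_OP_FILTER matching.

Added illustration, not Suricata's own util-debug code: it reproduces the
behaviour the page describes (format specifiers expanded into a line, then
the filter regex matched case-sensitively against the whole formatted line)
on constructed sample events, and shows how to launch suricata with the
variables set from a script.
"""
import os
import re
import subprocess
from dataclasses import dataclass

# Default format as stated on the page.
DEFAULT_FORMAT = "[%i] %t - (%f:%l) <%d> (%n) -- "


@dataclass
class LogEvent:
    """Constructed stand-in for what the engine knows when it logs a line."""
    timestamp: str
    pid: int
    tid: int
    module: str
    level: str
    filename: str
    line: int
    function: str
    message: str


def format_line(fmt: str, ev: LogEvent) -> str:
    """Expand the %t %p %i %m %d %f %l %n specifiers listed on the page."""
    table = {
        "t": ev.timestamp, "p": str(ev.pid), "i": str(ev.tid), "m": ev.module,
        "d": ev.level, "f": ev.filename, "l": str(ev.line), "n": ev.function,
    }

    def expand(m: re.Match) -> str:
        # Unknown specifiers are left untouched rather than dropped.
        return table.get(m.group(1), m.group(0))

    return re.sub(r"%(.)", expand, fmt) + ev.message


def filter_lines(events, fmt=DEFAULT_FORMAT, op_filter=None):
    """Format every event, then keep the lines the case-sensitive regex hits.

    The filter runs on the formatted line, so what SC_LOG_FORMAT includes
    (file name, function name, ...) decides what the filter can match on.
    """
    pattern = re.compile(op_filter) if op_filter else None
    return [
        line
        for line in (format_line(fmt, ev) for ev in events)
        if pattern is None or pattern.search(line)
    ]


# Constructed sample events; file, function, module and message names are
# invented for illustration and are not taken from Suricata's source.
SAMPLE_EVENTS = [
    LogEvent("2023-07-03 10:31:02", 4242, 4243, "AppLayerParser", "Debug",
             "app-layer-htp.c", 1234, "HTPHandleRequestData",
             "request line parsed"),
    LogEvent("2023-07-03 10:31:02", 4242, 4243, "StreamTcp", "Debug",
             "stream-tcp.c", 910, "StreamTcpPacket", "packet is a SYN"),
    LogEvent("2023-07-03 10:31:02", 4242, 4244, "Detect", "Debug",
             "detect.c", 567, "SigMatchSignatures", "no signature matched"),
    LogEvent("2023-07-03 10:31:03", 4242, 4243, "AppLayer", "Debug",
             "app-layer.c", 321, "AppLayerHandleTCPData",
             "handing data to the HTP parser"),
]


def debug_env(level="Debug", fmt=DEFAULT_FORMAT, op_filter=None):
    """Environment for a suricata run with the page's three variables set."""
    env = dict(os.environ)
    env["SC_LOG_LEVEL"] = level
    env["SC_LOG_FORMAT"] = fmt
    if op_filter:
        env["SC_LOG_OP_FILTER"] = op_filter
    return env


def run_suricata_debug(pcap, config="suricata.yaml", op_filter=None,
                       binary="suricata"):
    """Run a debug-enabled suricata build over a pcap (needs suricata installed)."""
    cmd = [binary, "-c", config, "-r", pcap]
    return subprocess.run(cmd, env=debug_env(op_filter=op_filter), check=False)


if __name__ == "__main__":
    for flt in ("htp", "(htp|stream)", "HTP"):
        print(f"--- SC_LOG_OP_FILTER={flt!r}")
        for line in filter_lines(SAMPLE_EVENTS, op_filter=flt):
            print(line)
    # Same filter, but a format without %f: nothing left to match "htp" on.
    print("--- format without filename:",
          filter_lines(SAMPLE_EVENTS, "<%d> ", "htp"))
```

The design point worth noticing is the order of operations: formatting happens first and the regex runs on the result, which is why a filter on a filename or function name only works while the format still emits %f or %n.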
If you have any questions or suggestions, let me know!