Hi! Please tell me what I configured wrong. After installing, Suricata writes only statistics to eve; fast is also empty. At the same time, there is data in log.pcap. Protected networks are configured, and Suricata works in IDS mode. The monitoring interface is in promisc mode. I reinstalled it 3 times and checked all the libraries.
capture.kernel_packets | Total | 8468034
capture.kernel_drops | Total | 3796277
decoder.pkts | Total | 4686470
decoder.bytes | Total | 4846564691
decoder.invalid | Total | 319837
decoder.ipv4 | Total | 8912410
decoder.ipv6 | Total | 65
decoder.ethernet | Total | 9192558
decoder.gre | Total | 4366631
decoder.avg_pkt_size | Total | 1034
decoder.max_pkt_size | Total | 1534
decoder.erspan | Total | 4366631
decoder.event.ipv4.pkt_too_small | Total | 124397
decoder.event.ipv4.trunc_pkt | Total | 4421382
decoder.event.ipv6.trunc_pkt | Total | 65
flow.mgr.full_hash_pass | Total | 1
flow.spare | Total | 10000
tcp.memuse | Total | 2424832
tcp.reassembly_memuse | Total | 393216
flow.memuse | Total | 7394304
capture.kernel_packets | RX#01-ens160 | 8468032
capture.kernel_drops | RX#01-ens160 | 3796277
decoder.pkts | RX#01-ens160 | 4686468
decoder.bytes | RX#01-ens160 | 4846564589
decoder.invalid | RX#01-ens160 | 319837
decoder.ipv4 | RX#01-ens160 | 8912410
decoder.ipv6 | RX#01-ens160 | 65
decoder.ethernet | RX#01-ens160 | 9192556
decoder.gre | RX#01-ens160 | 4366631
decoder.avg_pkt_size | RX#01-ens160 | 1034
decoder.max_pkt_size | RX#01-ens160 | 1534
decoder.erspan | RX#01-ens160 | 4366631
capture.kernel_packets | RX#04-ens160 | 2
decoder.pkts | RX#04-ens160 | 2
decoder.bytes | RX#04-ens160 | 102
decoder.ethernet | RX#04-ens160 | 2
decoder.avg_pkt_size | RX#04-ens160 | 51
decoder.max_pkt_size | RX#04-ens160 | 60
decoder.event.ipv4.pkt_too_small | W#01 | 31124
decoder.event.ipv4.trunc_pkt | W#01 | 1119012
decoder.event.ipv6.trunc_pkt | W#01 | 19
decoder.event.ipv4.pkt_too_small | W#02 | 31029
decoder.event.ipv4.trunc_pkt | W#02 | 1091449
decoder.event.ipv6.trunc_pkt | W#02 | 15
decoder.event.ipv4.pkt_too_small | W#03 | 31244
decoder.event.ipv4.trunc_pkt | W#03 | 1119180
decoder.event.ipv6.trunc_pkt | W#03 | 17
decoder.event.ipv4.pkt_too_small | W#04 | 31000
decoder.event.ipv4.trunc_pkt | W#04 | 1091741
decoder.event.ipv6.trunc_pkt | W#04 | 14
flow.mgr.full_hash_pass | FM#01 | 1
flow.spare | FM#01 | 10000
tcp.memuse | Global | 2424832
tcp.reassembly_memuse | Global | 393216
flow.memuse | Global | 7394304
It turned out that Suricata does not process all the traffic, only part of it, but I can't find the reason or the pattern.
Moreover, there is no traffic from only one site via ERSPAN, although I see it in tcpdump. Please tell me where the problem may be.
I made the alert rule alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;), specified in the protected networks the Suricata IP (10.7.84.2/24) and the IP of the server from the problem site (10.2.2.150). When I ping Suricata (10.7.84.2/24), I see it in eve, and when I ping 10.2.2.150, nothing is displayed in the log, although I saw this traffic in the pcap. Protected networks HOME_NET: "[10.2.2.0/16,10.7.84.2/24,10.2.2.150/16]". Help me understand what's wrong and which way to move.
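A quick way to triage stats like the ones pasted above, as an added example (not Suricata's own code and not from anyone in this thread): it parses the "counter | thread | value" rows, keeps the Total column, and reports the kernel drop ratio, the share of IPv4 packets the decoder flagged as trunc_pkt, and how much of the feed is ERSPAN. The 5% and 1% thresholds are assumptions chosen for illustration; the counter rows embedded in the script are copied from the stats posted above.

```python
# Added example (not Suricata's code, not from anyone in this thread):
# parse "counter | thread | value" rows as printed in the stats above
# and compute the ratios a first triage looks at.
import re
from typing import Dict, List

# Rows copied from the stats posted above (Total column plus one RX row
# to show that rows from other threads are filtered out).
SAMPLE_STATS = """\
capture.kernel_packets | Total | 8468034
capture.kernel_drops | Total | 3796277
decoder.pkts | Total | 4686470
decoder.invalid | Total | 319837
decoder.ipv4 | Total | 8912410
decoder.gre | Total | 4366631
decoder.erspan | Total | 4366631
decoder.event.ipv4.pkt_too_small | Total | 124397
decoder.event.ipv4.trunc_pkt | Total | 4421382
capture.kernel_packets | RX#01-ens160 | 8468032
"""

# counter name | thread name | integer value
ROW = re.compile(
    r"^\s*(?P<name>[\w.]+)\s*\|\s*(?P<thread>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$"
)

# Thresholds are assumptions for illustration, not Suricata defaults.
DROP_LIMIT = 0.05   # more than 5 % kernel drops: capture is falling behind
TRUNC_LIMIT = 0.01  # more than 1 % truncated IPv4: packets arrive cut short


def parse_stats(text: str, thread: str = "Total") -> Dict[str, int]:
    """Return {counter: value} for rows belonging to one thread column."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group("thread") == thread:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def ratio(num: int, den: int) -> float:
    """Safe division; 0.0 when the denominator counter is missing or zero."""
    return num / den if den else 0.0


def triage(counters: Dict[str, int]) -> Dict[str, object]:
    """Compute drop / truncation / ERSPAN share and list what stands out."""
    kernel = counters.get("capture.kernel_packets", 0)
    drop_ratio = ratio(counters.get("capture.kernel_drops", 0), kernel)
    ipv4 = counters.get("decoder.ipv4", 0)
    trunc_ratio = ratio(counters.get("decoder.event.ipv4.trunc_pkt", 0), ipv4)
    # decoder.erspan relative to decoder.pkts: how much of the feed is mirrored
    erspan_share = ratio(counters.get("decoder.erspan", 0),
                         counters.get("decoder.pkts", 0))

    findings: List[str] = []
    if drop_ratio > DROP_LIMIT:
        findings.append(
            f"kernel dropped {drop_ratio:.1%} of packets before Suricata saw "
            "them; nothing in the dropped share can ever alert")
    if trunc_ratio > TRUNC_LIMIT:
        findings.append(
            f"{trunc_ratio:.1%} of IPv4 packets are shorter than their IP "
            "length field says; the decoder rejects these, so check the "
            "capture snaplen and the span/ERSPAN session for truncation")
    return {"drop_ratio": drop_ratio, "trunc_ratio": trunc_ratio,
            "erspan_share": erspan_share, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_stats(SAMPLE_STATS))
    for key in ("drop_ratio", "trunc_ratio", "erspan_share"):
        print(f"{key:13s} {result[key]:.3f}")
    for finding in result["findings"]:
        print("-", finding)
```

Run it against a fresh copy of stats.log (or the rows pasted from the forum) to see the two numbers that matter most here: roughly 45% of packets are dropped in the kernel before Suricata sees them, and roughly half of the IPv4 packets that do arrive are truncated, so a rule can only fire on the remainder.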
Hello,
Could you tell us more about your deployment?
What Suricata version? (suricata -V will display this information)
You stated “Suricata work in IDS mode” – does this mean you’re seeing alerts when Suricata’s in IDS mode and you’re having issues with IPS mode?
What’s the network topology?
What type of machine (cpu count, nics, memory)?
What’s your Suri configuration?