Suricata as IDS + Evebox work and get updated very smoothly, except that I recently noticed that some alerts generated in Suricata can be seen in Suricata logs (/var/log/suricata.log-YYYYMMDD) but not in Eve/json logs (/var/log/eve.json-YYYYMMDD).
Having looked at the alerts in the suricata.log files and compared them with what can be seen in Evebox, the category of alerts that are not reported is linked to SSH traffic - which I hadn’t been causing back then.
For sure, this one rule set is not reported (with the various data thresholds - 10 Mb, 50 Mb and 100 Mb):
Error: detect: error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:" - Over 50MB uploaded via SSH / SFTP to public IP address - Possible data exflitration "
I regularly check the status of Suricata and Evebox, and they have been running consistently. The configuration file of Suricata is pretty much the default one (except for i/f name and additional local rules).
This line from suricata.log is not an alert but an error message: Suricata cannot load this particular rule into its running detection setup and is complaining about it. That is also why it never triggers, i.e. why you do not see alerts for it in eve.json. The lines before or after that line in suricata.log will also give you more information on why the rule could not be parsed.
BTW Suricata never reports alerts in suricata.log, that file is only for status messages from Suricata itself. Alerts are only in eve.json or fast.log (if you have that configured).
Hi @satta, many thanks for your help and for the clarification.
Just to understand this issue a step further, when you get such an error, what happens with the rule: is it still operational or is it disabled?
This is the kind of full error message that was in journalctl - I believe the two lines may be linked:
Jun 25 09:35:37 fedora suricata[2987]: E: detect-parse: unknown rule keyword 'flow.bytes_toserver'.
Jun 25 09:35:37 fedora suricata[2987]: E: detect: error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:" - Over 50MB uploaded via SSH / SFTP to public IP address - Possible data exflitration "; flow:to_server, established; threshold: type limit, track by_src,count 1, seconds 60; flow.bytes_toserver:>=50000000; metadata:created_at 2024_02_18, updated_at 2024_02_18; sid:3301138; rev:1; classtype:policy-violation;)" from file /var/lib/suricata/rules/pawpatrules.rules at line 9717
FYI, the rule set was imported as a local file some time ago; after your response, I removed the local file and activated it via suricata-update, and there is no more error message in journalctl.
If Suricata cannot parse a rule, which is what this error indicates, the rule will not be loaded. So in practice this is similar to being disabled, although not the same.
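As an added example (not code from this thread or from the Suricata project), the following Python script automates the check satta describes: it reads suricata.log / journalctl error lines, pairs each "error parsing signature" line with the "unknown rule keyword" line directly before it, extracts the sid, rule file and line number, and then looks in eve.json for alerts carrying that sid. The log and eve.json samples are constructed inline and modeled on the lines quoted above (the sid, rule file and line number are the ones from this thread; IPs, timestamps and the second rule are placeholders). The regexes assume the message formats shown in this thread and would need adjusting if your Suricata version words them differently.

```python
import json
import re
from typing import Dict, List, Optional, Set

# Constructed sample of suricata.log / journalctl output (format modeled on this thread).
# The sid, file and line number are the ones quoted above; the rest is a placeholder.
SURICATA_LOG = """\
Jun 25 09:35:37 fedora suricata[2987]: E: detect-parse: unknown rule keyword 'flow.bytes_toserver'.
Jun 25 09:35:37 fedora suricata[2987]: E: detect: error parsing signature "alert ssh any any -> $EXTERNAL_NET any (msg:"CONSTRUCTED SSH upload rule"; flow:to_server,established; flow.bytes_toserver:>=50000000; sid:3301138; rev:1;)" from file /var/lib/suricata/rules/pawpatrules.rules at line 9717
Jun 25 09:35:37 fedora suricata[2987]: E: detect: error parsing signature "alert tcp any any -> any any (msg:"CONSTRUCTED broken rule"; sid:9000001; rev:1;)" from file /var/lib/suricata/rules/local.rules at line 3
Jun 25 09:35:38 fedora suricata[2987]: I: detect: 2 rule files processed. 10 rules successfully loaded, 2 rules failed
"""

# Constructed eve.json sample: two alerts, one flow record, and a truncated trailing line
# such as you get when reading a file Suricata is still writing to.
EVE_JSON = """\
{"timestamp":"2024-06-25T09:40:01.000000+0200","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED test alert"}}
{"timestamp":"2024-06-25T09:40:02.000000+0200","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5"}
{"timestamp":"2024-06-25T09:40:03.000000+0200","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"198.51.100.5","alert":{"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED test alert"}}
{"timestamp":"2024-06-25T09:40:04.00
"""

# The line prefix (timestamp, host, "suricata[pid]:") differs between journalctl and
# /var/log/suricata.log, so the patterns anchor on the "E:" marker instead.
PARSE_ERR_RE = re.compile(
    r'E: detect: error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
UNKNOWN_KW_RE = re.compile(r"E: detect-parse: unknown rule keyword '(?P<keyword>[^']+)'")
SID_RE = re.compile(r"\bsid:\s*(?P<sid>\d+)\s*;")


def failed_rules(log_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per rule Suricata refused to load, with the reason taken from the
    'unknown rule keyword' line that immediately precedes the parse error (if any)."""
    failures: List[Dict[str, Optional[str]]] = []
    pending_reason: Optional[str] = None
    for line in log_text.splitlines():
        kw = UNKNOWN_KW_RE.search(line)
        if kw:
            pending_reason = "unknown keyword " + kw.group("keyword")
            continue
        err = PARSE_ERR_RE.search(line)
        if err:
            sid_match = SID_RE.search(err.group("rule"))
            failures.append({
                "sid": sid_match.group("sid") if sid_match else None,
                "file": err.group("file"),
                "line": err.group("line"),
                "reason": pending_reason,
            })
        pending_reason = None  # a keyword error only explains the very next parse error
    return failures


def alerted_sids(eve_text: str) -> Set[str]:
    """Signature IDs of every alert record in an eve.json stream (one JSON object per line)."""
    sids: Set[str] = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated last line from a log still being written
        if event.get("event_type") == "alert":
            sids.add(str(event["alert"]["signature_id"]))
    return sids


def explain_missing_alert(sid: str, log_text: str, eve_text: str) -> str:
    """Say why a given sid does (not) show up in eve.json, based on the two logs."""
    if sid in alerted_sids(eve_text):
        return f"sid {sid} has fired: look for it in eve.json / Evebox"
    for failure in failed_rules(log_text):
        if failure["sid"] == sid:
            reason = failure["reason"] or "see the adjacent suricata.log lines"
            return (f"sid {sid} was never loaded ({reason}); "
                    f"rule at {failure['file']}:{failure['line']}")
    return f"no load error recorded for sid {sid} and no alerts in eve.json: rule loaded but has not matched"


if __name__ == "__main__":
    for failure in failed_rules(SURICATA_LOG):
        print("not loaded:", failure)
    for sid in ("3301138", "9000001", "9000002"):
        print(explain_missing_alert(sid, SURICATA_LOG, EVE_JSON))
```

On a live system you would feed the script the contents of /var/log/suricata.log (or `journalctl -u suricata`) and /var/log/eve.json instead of the embedded samples; the pairing of the keyword error with the parse error relies on the two lines being adjacent, which is how Suricata emits them in the output quoted above.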
PS: I like Suricata very much, I think it’s a great product (a lot to learn about it) and the forum is really cool with very experienced people who are keen to help: that’s fantastic! Thanks very much.