Can suricata recognize ftp-data protocols?

Hello! Everyone,
I wrote a rule to catch ftp-data packets, but it doesn’t seem to be working.
My suricata version is 7.0.0-beta1 RELEASE.
My rule is

alert ftp-data any any -> any any (msg:"FTP-DATA protocol"; sid:2022103101; rev:1;)

Here’s my relevant configuration

app-layer:
  protocols:
......
    ftp:
      enabled: yes
      # memcap: 64mb

My test pcapng
test_ftp.pcapng (281.2 KB)
Can someone help me? Thank you

You may have to run suricata with --runmode=single to make sure the order of the packets is maintained. The control flow packets need to be processed first so the expectation for the data flow can be set up in time.
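To make that ordering point concrete, here is an added example (mine, not Suricata's code and not from this thread). It models what an FTP parser does when it sees a 227 or 229 reply or a PORT command on the control channel: record an expectation for the announced address and port, then label the next connection to that tuple as ftp-data. The packets are constructed, and the real parser keys its expectations differently; the point is only that a data-channel SYN processed before the reply that announced it cannot be classified.

```python
"""Toy FTP expectation tracker (added example, not Suricata code).

Shows why the control channel must be processed before the data channel:
an expectation for the data connection only exists after the 227/229 reply
or PORT command that announces it has been parsed."""
import re
from typing import Dict, List, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> client connects to server
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)   -> same host as control server
EPSV_RE = re.compile(rb"229 [^(]*\(\|\|\|(\d+)\|\)")
# PORT h1,h2,h3,h4,p1,p2                          -> server connects back to client
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)


def _tuple_from_groups(groups) -> Tuple[str, int]:
    h = [int(x) for x in groups]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


class ExpectationTracker:
    """Remembers which (ip, port) tuples the control channel announced."""

    def __init__(self) -> None:
        self.expected: Dict[Tuple[str, int], str] = {}

    def control(self, src: str, dst: str, payload: bytes) -> None:
        m = PASV_RE.search(payload)
        if m:
            self.expected[_tuple_from_groups(m.groups())] = "ftp-data"
            return
        m = EPSV_RE.search(payload)
        if m:
            self.expected[(src, int(m.group(1)))] = "ftp-data"
            return
        m = PORT_RE.search(payload)
        if m:
            self.expected[_tuple_from_groups(m.groups())] = "ftp-data"

    def new_connection(self, dst: str, dport: int) -> str:
        # An expectation is consumed once, by the first matching connection.
        return self.expected.pop((dst, dport), "unknown")


def replay(events) -> List[str]:
    """Feed constructed events in order; return the label of each new data
    connection.  Events are ("ctrl", src, dst, payload) or
    ("data", src, dst, dport) for the SYN of a new connection."""
    tracker = ExpectationTracker()
    labels: List[str] = []
    for ev in events:
        if ev[0] == "ctrl":
            tracker.control(ev[1], ev[2], ev[3])
        else:
            labels.append(tracker.new_connection(ev[2], ev[3]))
    return labels


# Constructed sample traffic (not a real capture).
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
IN_ORDER = [
    ("ctrl", CLIENT, SERVER, b"PASV\r\n"),
    ("ctrl", SERVER, CLIENT, b"227 Entering Passive Mode (10,0,0,9,195,80).\r\n"),
    ("data", CLIENT, SERVER, 195 * 256 + 80),
]
# Same packets, but the data-channel SYN is processed before the 227 reply,
# which is what can happen when several threads handle the two flows.
REORDERED = [IN_ORDER[0], IN_ORDER[2], IN_ORDER[1]]
ACTIVE = [
    ("ctrl", CLIENT, SERVER, b"PORT 10,0,0,5,4,1\r\n"),
    ("ctrl", SERVER, CLIENT, b"200 PORT command successful.\r\n"),
    ("data", SERVER, CLIENT, 4 * 256 + 1),
]

if __name__ == "__main__":
    print("in order :", replay(IN_ORDER))
    print("reordered:", replay(REORDERED))
    print("active   :", replay(ACTIVE))
```

The reordered case is the one --runmode=single avoids when reading a pcap: with a single packet thread the 227 reply is always parsed before the SYN to port 50000 arrives.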

Thanks! Your advice is very useful to me!
But can I only use --runmode=single to get ftp-data packets?
Does this have an impact on processing performance?

Yes, this will make pcap processing slower. In live traffic you shouldn’t need this, as there threads are far more in sync wrt processing time and order.

Btw, if you’re willing to experiment, you could try this development code:

And there is another problem here,
When I run the command suricata -r test.pcap --runmode=single to replay the packets, I can capture ftp-data packets.
But when I run suricata to sniff packets from the interface card and use tcpreplay to replay the pcap file, I cannot capture ftp-data packets. This is the command I use to run suricata:
suricata -c /usr/local/etc/suricata/suricata.yaml -i ens192 -l /home/suricata/log/ --runmode=single

This is suricata.log; the first log is from running in pcap offline mode, the second log is from sniffing packets from the interface.

3/11/2022 -- 14:01:44 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
3/11/2022 -- 14:01:44 - <Info> - CPUs/cores online: 24
3/11/2022 -- 14:01:44 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:01:44 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:01:44 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:01:44 - <Info> - fast output device (regular) initialized: fast.log
3/11/2022 -- 14:01:44 - <Info> - eve-log output device (regular) initialized: eve.json
3/11/2022 -- 14:01:44 - <Info> - stats output device (regular) initialized: stats.log
3/11/2022 -- 14:01:44 - <Info> - 1 rule files processed. 3 rules successfully loaded, 0 rules failed
3/11/2022 -- 14:01:44 - <Info> - Threshold config parsed: 0 rule(s) found
3/11/2022 -- 14:01:44 - <Info> - 3 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 3 inspect application layer, 0 are decoder event only
3/11/2022 -- 14:01:44 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
3/11/2022 -- 14:01:44 - <Info> - Starting file run for /home/suricata/pcap/whole_ftp.pcapng
3/11/2022 -- 14:01:44 - <Info> - More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used (465/1000)
3/11/2022 -- 14:01:44 - <Info> - pcap file /home/suricata/pcap/whole_ftp.pcapng end of file reached (pcap err code 0)
3/11/2022 -- 14:01:44 - <Notice> - Signal Received.  Stopping engine.
3/11/2022 -- 14:01:44 - <Info> - time elapsed 0.035s
3/11/2022 -- 14:01:44 - <Notice> - Pcap-file module read 1 files, 2284 packets, 773155 bytes
3/11/2022 -- 14:01:44 - <Info> - Alerts: 450
3/11/2022 -- 14:01:44 - <Info> - cleaning up signature grouping structure... complete
3/11/2022 -- 14:24:05 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
3/11/2022 -- 14:24:05 - <Info> - CPUs/cores online: 24
3/11/2022 -- 14:24:05 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:24:05 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:24:05 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
3/11/2022 -- 14:24:05 - <Info> - Found an MTU of 1500 for 'ens192'
3/11/2022 -- 14:24:05 - <Info> - Found an MTU of 1500 for 'ens192'
3/11/2022 -- 14:24:05 - <Info> - fast output device (regular) initialized: fast.log
3/11/2022 -- 14:24:05 - <Info> - eve-log output device (regular) initialized: eve.json
3/11/2022 -- 14:24:05 - <Info> - stats output device (regular) initialized: stats.log
3/11/2022 -- 14:24:05 - <Info> - Running in live mode, activating unix socket
3/11/2022 -- 14:24:05 - <Info> - 1 rule files processed. 3 rules successfully loaded, 0 rules failed
3/11/2022 -- 14:24:05 - <Info> - Threshold config parsed: 0 rule(s) found
3/11/2022 -- 14:24:05 - <Info> - 3 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 3 inspect application layer, 0 are decoder event only
3/11/2022 -- 14:24:05 - <Info> - Running in live mode, activating unix socket
3/11/2022 -- 14:24:05 - <Info> - Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
3/11/2022 -- 14:24:05 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
3/11/2022 -- 14:24:05 - <Info> - All AFP capture threads are running.
3/11/2022 -- 14:24:10 - <Notice> - Signal Received.  Stopping engine.
3/11/2022 -- 14:24:10 - <Info> - time elapsed 4.709s
3/11/2022 -- 14:24:11 - <Info> - Alerts: 0
3/11/2022 -- 14:24:11 - <Info> - cleaning up signature grouping structure... complete
3/11/2022 -- 14:24:11 - <Notice> - Stats for 'ens192':  pkts: 2284, drop: 0 (0.00%), invalid chksum: 1097
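One thing worth checking from the two logs above: in the offline run Suricata noticed that more than a tenth of the packets had bad checksums and assumed checksum offloading, while in the live run the stats line counts 1097 invalid checksums out of 2284 packets. Suricata's stream engine defaults to stream.checksum-validation: yes, which keeps TCP segments that fail validation out of reassembly, so a replayed capture with unfixed checksums would never have its control channel parsed. The thread does not establish that this is what happened, but it is cheap to test: tcprewrite --fixcsum (from the tcpreplay suite) rewrites the checksums before replay, and the added script below (mine, not from the thread; it handles only classic libpcap files with an Ethernet link type, and its sample capture is constructed inline) reports how many IPv4/TCP packets in a capture fail IP or TCP checksum verification.

```python
"""Audit IPv4/TCP checksums in a libpcap capture (added example, not from
the thread).  Everything here, including the sample capture, is constructed;
pcapng files are not handled."""
import socket
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum; verifies as 0 when computed over data that
    already contains a correct checksum field."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int,
                payload: bytes, corrupt_tcp: bool = False) -> bytes:
    """Ethernet/IPv4/TCP frame; corrupt_tcp mimics a checksum left wrong
    by offloading (the value Suricata counts as an invalid chksum)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp_csum = checksum(pseudo + tcp + payload)
    if corrupt_tcp:
        tcp_csum = (tcp_csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(frames: List[bytes]) -> bytes:
    """Minimal little-endian libpcap writer (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1667455304 + i, 0, len(frame), len(frame)) + frame
    return out


def audit_pcap(data: bytes) -> Dict[str, int]:
    """Count IPv4/TCP packets whose IP or TCP checksum does not verify."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    stats = {"packets": 0, "tcp": 0, "bad_ip_csum": 0, "bad_tcp_csum": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        stats["packets"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < total_len:
            continue  # not TCP, or truncated by the snaplen
        stats["tcp"] += 1
        if checksum(ip[:ihl]) != 0:
            stats["bad_ip_csum"] += 1
        segment = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        if checksum(pseudo + segment) != 0:
            stats["bad_tcp_csum"] += 1
    return stats


def sample_pcap() -> bytes:
    """Constructed capture: an FTP control exchange plus one corrupted segment."""
    return write_pcap([
        build_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"PASV\r\n"),
        build_frame("10.0.0.9", "10.0.0.5", 21, 51000,
                    b"227 Entering Passive Mode (10,0,0,9,195,80).\r\n"),
        build_frame("10.0.0.5", "10.0.0.9", 51001, 50000, b"", corrupt_tcp=True),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    print(audit_pcap(data))
```

Run it with a path to a capture to audit a real file; with no argument it audits the constructed sample. A large bad_tcp_csum count on a file you intend to replay is a reason to run it through tcprewrite --fixcsum first, or to set stream.checksum-validation: no in suricata.yaml for the test.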

You don’t need the single runmode in the second mode, please share your config and also how you run tcpreplay.

Yes, in the second mode I run suricata with this command:
suricata -c /usr/local/etc/suricata/suricata.yaml -i ens192 -l /home/suricata/log/ --runmode=single
I am sure my suricata can recognize ftp-data:

app-layer:
  protocols:
......
    ftp:
      enabled: yes
      # memcap: 64mb

What other config would you like to see.
I run tcpreplay with command:
tcpreplay -i eth1 whole_ftp.pcapng
And I am sure suricata can capture the pcapng.

Here is another interesting test.
I am running tcpdump -i ens192 -w /home/ftp_capture3.pcap and suricata -c /usr/local/etc/suricata/suricata.yaml -i ens192 -l /home/suricata/log/ --runmode single at the same time.
But suricata has no alerts.
Then I run suricata -r /home/ftp_capture3.pcap --runmode=single with the pcap from tcpdump, and I get alerts.

This is why I asked for the whole suricata.yaml config to make sure no other option is interfering.

Yes, thanks for your help. I followed julien’s advice to run suricata on live traffic and it works, so this problem does not affect my use.
But I still want to understand why this is happening: the ftp pcap replay via tcpreplay still doesn’t work.
This is my whole suricata.yaml config.
suricata.yaml (73.1 KB)