Cannot get alerts from pcaps

Help
1

Hi
I’ve been playing with Suricata and have written a couple of rules. They work fine when running Suricata live on a network interface. However, if I capture the traffic and run Suricata against the pcap then no alerts are generated.

For example this rule:

alert dns $HOME_NET any -> any any (msg:"Facebook not allowed"; dns_query; content: "facebook.com"; nocase; endswith; classtype: policy-violation; sid: 42;)

Works perfectly when capturing on a nic, but not when reading a pcap. I also tried using ‘any any -> any any’ but that didn’t work either.

I run Suricata like this:

suricata -vvv -r /facebook.pcap -S /myrules.rules
...
Loading rule file: /myrules.rules
1 rule files processed. 3 rules successfully loaded, 0 rules failed
...
Starting file run for /facebook.pcap
pcap file /facebook.pcap end of file reached (pcap err code 0)
...
3 flows processed
Pcap-file module read 1 files, 6 packets, 503 bytes
Alerts: 0
...

The pcap contains this:
$ tshark -r facebook.pcap
1 0.000000 192.168.1.103 → 8.8.8.8 DNS 72 Standard query 0xc3a7 A facebook.com
2 0.017943 8.8.8.8 → 192.168.1.103 DNS 88 Standard query response 0xc3a7 A facebook.com A 157.240.200.35
3 0.018770 192.168.1.103 → 8.8.8.8 DNS 72 Standard query 0x1334 AAAA facebook.com
4 0.037370 8.8.8.8 → 192.168.1.103 DNS 100 Standard query response 0x1334 AAAA facebook.com AAAA 2a03:2880:f153:82:face:b00c:0:25de
5 0.037711 192.168.1.103 → 8.8.8.8 DNS 72 Standard query 0x9961 MX facebook.com
6 0.054699 8.8.8.8 → 192.168.1.103 DNS 99 Standard query response 0x9961 MX facebook.com MX 10 smtpin.vvv.facebook.com

Why no alerts?
I also tried having a lua rule. I simply return 1 from the match function and also print a message.
The message is printed when running suricata but still, no alerts.

What am I doing wrong?

2

Welcome to our forum! :slight_smile:

Could you please show the full log after running this?

3

suricata.log (25.7 KB)
facebook.pcap (623 Bytes)

Apparently I’m not allowed to upload the rules file, but here it is in its entirety:

alert dns $HOME_NET any -> any any (msg:"Facebook not allowed"; dns_query; content: "facebook.com"; nocase; endswith; classtype: policy-violation; sid: 42;)

alert http $HOME_NET any -> any any (msg:"Bozo Clown not allowed"; content: "bozo"; http_user_agent; content: "clown"; http_host; classtype: policy-violation; sid: 43;)

alert tcp any any -> any any (msg: "Port scanning"; flags: AR; detection_filter: track by_dst, count 10, seconds 10; classtype: network-scan; sid: 44;)
4

huh…I don’t know why but if I add --set stats.enabled=true then I get my alerts.
Does that make any sense?

5

No, that doesn’t make any sense.

With your pcap and rules, I get 3 alerts – regardless of whether stats are enabled or not.

What version of Suricata are you using?

6 
$ suricata | head -n 1
Suricata 5.0.3
$ suricata -vvv -r /facebook.pcap -S /myrules.rules | grep Alerts
1/7/2020 -- 13:20:32 - <Error> - [ERRCODE: SC_ERR_STATS_LOG_GENERIC(278)] - eve.stats: stats are disabled globally: set stats.enabled to true. See https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/suricata-yaml.html#stats
1/7/2020 -- 13:20:33 - <Info> - Alerts: 0
$ suricata -vvv -r /facebook.pcap -S /myrules.rules --set stats.enabled=true | grep Alerts
1/7/2020 -- 13:20:36 - <Info> - Alerts: 3
$
7

Hi Robert,

Check fast.log or eve.json for the alerts.

cat /path/to/fast.log
cat /path/to//eve.json |jq 'select (.event_type=="alert")'