Cannot get alerts from pcaps

I’ve been playing with Suricata and have written a couple of rules. They work fine when running Suricata live on a network interface. However, if I capture the traffic and run Suricata against the pcap then no alerts are generated.

For example this rule:

alert dns $HOME_NET any -> any any (msg:"Facebook not allowed"; dns_query; content: ""; nocase; endswith; classtype: policy-violation; sid: 42;)

Works perfectly when capturing on a NIC, but not when reading a pcap. I also tried using ‘any any -> any any’ but that didn’t work either.

I run Suricata like this:

suricata -vvv -r /facebook.pcap -S /myrules.rules
Loading rule file: /myrules.rules
1 rule files processed. 3 rules successfully loaded, 0 rules failed
Starting file run for /facebook.pcap
pcap file /facebook.pcap end of file reached (pcap err code 0)
3 flows processed
Pcap-file module read 1 files, 6 packets, 503 bytes
Alerts: 0

The pcap contains this:
$ tshark -r facebook.pcap
1 0.000000 → DNS 72 Standard query 0xc3a7 A
2 0.017943 → DNS 88 Standard query response 0xc3a7 A A
3 0.018770 → DNS 72 Standard query 0x1334 AAAA
4 0.037370 → DNS 100 Standard query response 0x1334 AAAA AAAA 2a03:2880:f153:82:face:b00c:0:25de
5 0.037711 → DNS 72 Standard query 0x9961 MX
6 0.054699 → DNS 99 Standard query response 0x9961 MX MX 10

Why no alerts?
I also tried having a Lua rule. I simply return 1 from the match function and also print a message.
The message is printed when running Suricata, but still no alerts.

What am I doing wrong?

Welcome to our forum!

Could you please show the full log after running this?

suricata.log (25.7 KB)
facebook.pcap (623 Bytes)

Apparently I’m not allowed to upload the rules file, but here it is in its entirety:

alert dns $HOME_NET any -> any any (msg:"Facebook not allowed"; dns_query; content: ""; nocase; endswith; classtype: policy-violation; sid: 42;)

alert http $HOME_NET any -> any any (msg:"Bozo Clown not allowed"; content: "bozo"; http_user_agent; content: "clown"; http_host; classtype: policy-violation; sid: 43;)

alert tcp any any -> any any (msg: "Port scanning"; flags: AR; detection_filter: track by_dst, count 10, seconds 10; classtype: network-scan; sid: 44;)

Huh… I don’t know why, but if I add --set stats.enabled=true then I get my alerts.
Does that make any sense?

No, that doesn’t make any sense.

With your pcap and rules, I get 3 alerts – regardless of whether stats are enabled or not.

What version of Suricata are you using?

$ suricata | head -n 1
Suricata 5.0.3
$ suricata -vvv -r /facebook.pcap -S /myrules.rules | grep Alerts
1/7/2020 -- 13:20:32 - <Error> - [ERRCODE: SC_ERR_STATS_LOG_GENERIC(278)] - eve.stats: stats are disabled globally: set stats.enabled to true. See
1/7/2020 -- 13:20:33 - <Info> - Alerts: 0
$ suricata -vvv -r /facebook.pcap -S /myrules.rules --set stats.enabled=true | grep Alerts
1/7/2020 -- 13:20:36 - <Info> - Alerts: 3

Hi Robert,

Check fast.log or eve.json for the alerts.

cat /path/to/fast.log
cat /path/to/eve.json | jq 'select (.event_type=="alert")'
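
The eve.json check suggested above, as an added example that is not part of the original thread: it counts alert events per sid and lists which loaded rules never fired, independent of the "Alerts:" summary line. The helper names and the sample rules and EVE lines are constructed for illustration; `event_type` and `alert.signature_id` are the standard EVE field names.

```python
import json
import re
from collections import Counter

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_sids(rule_text):
    """Sids of every non-comment rule in a rules file, in file order."""
    sids = []
    for line in rule_text.splitlines():
        match = SID_RE.search(line)
        if match and not line.lstrip().startswith("#"):
            sids.append(int(match.group(1)))
    return sids

def alerts_by_sid(eve_lines):
    """Count EVE alert events per signature id, skipping other event types."""
    counts = Counter()
    for line in eve_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if isinstance(event, dict) and event.get("event_type") == "alert":
            counts[event.get("alert", {}).get("signature_id")] += 1
    return counts

def unfired(rule_text, eve_lines):
    """Sids loaded from the rules file that never appear as alerts in eve.json."""
    counts = alerts_by_sid(eve_lines)
    return [sid for sid in rule_sids(rule_text) if counts[sid] == 0]

# Constructed sample input: rule bodies are abbreviated, example.test is a placeholder.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"Facebook not allowed"; dns_query; content:"example.test"; nocase; endswith; sid: 42;)
alert http $HOME_NET any -> any any (msg:"Bozo Clown not allowed"; content:"bozo"; http_user_agent; sid: 43;)
# alert tcp any any -> any any (msg:"disabled"; sid: 99;)
alert tcp any any -> any any (msg:"Port scanning"; flags: AR; sid: 44;)
"""
ALERT = '{"timestamp":"2020-07-01T13:20:36.%06d+0000","event_type":"alert","alert":{"signature_id":42,"signature":"Facebook not allowed"}}'
SAMPLE_EVE = [
    '{"timestamp":"2020-07-01T13:20:36.000000+0000","event_type":"dns","dns":{"type":"query"}}',
    ALERT % 1, ALERT % 2, ALERT % 3,
    '{"timestamp":"2020-07-01T13:20:36.000004+0000","event_type":"al',  # truncated line
]

if __name__ == "__main__":
    print("alerts per sid:", dict(alerts_by_sid(SAMPLE_EVE)))
    print("rules that never fired:", unfired(SAMPLE_RULES, SAMPLE_EVE))
```

For a real run, pass the open file instead of the sample list, for example `alerts_by_sid(open("/path/to/eve.json"))`.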