Differences in Packet Capture and Protocol Analysis Processing Between Versions

Help
, , ,
1

Upon comparison of the suricata.yaml files in the Suricata5 and Suricata7 series, I noticed differences in the sections that appear to be the settings for packet capture and protocol analysis processing. I would like to know if these differences are part of the reason why the count of the alerts detected in the fast.log files differs between the Suricata5 and Suricata7 series for the same time period.

To provide some context, we have two virtual machines with Suricata set up to monitor the same network. One machine runs on CentOS7.9 with Suricata version “5.0.3”, the other on Ubuntu22.04 with Suricata version “7.0.4”. Both Suricatas were installed by making the source code version. The setup is identical, and the default configuration files are used. However, there are alerts that only appear in the fast.log file of the Suricata5 VM, and some are unique to the Suricata7 VM. Please note, we plan to discontinue operation with the Suricata5 series VM and will solely use the Suricata7 VM in the future.

Now, regarding the main issue, upon comparing the suricata.yaml files from the Suricata5 and Suricata7 series, the following settings showed differences:
dpdk
app-layer

dpdk is a library for high-speed packet processing and as I understand it, its settings are in the section that configures the method of network traffic capture. The section where app-layer settings can be found, by my understanding, is the one for setting up protocol analysis. However, the dpdk configuration settings were not present in the suricata.yaml file of the Suricata5 series but were noted in the Suricata7 series. In the app-layer section, there were several changes in the supported protocols between the Suricata5 and Suricata7 series.
From the above, I assumed that the Suricata5 and Suricata7 differ in their packet capture and protocol analysis processings and that these differences could partially contribute to the variable alert counts between the Suricata5 and Suricata7 fast.log files for the same time period. I’m hoping for confirmation whether or not this understanding is correct? Thank you in advance.

2

Hello there,

considering you are comparing two different major Suricata versions (5.0.x and 7.0.x), differences such as more application layer protocols available and different packet capture modes available - these are what you’ve noticed and highlighted from the suricata.yaml file. Whenever we release a new [major] version, we list what is new, and we also update the Upgrading section in our documentation, to help people know what to expect. See for instance:

Aside from that, even from minor versions updates, sometimes there will be bug fixes that could eventually lead to a different in the alerts that are triggered - if there were any false positives being triggered before, for instance.

To truly know what could be leading to the differences that you see, more details would be needed - such as what mode you’re running Suricata, how you run it, what are the alerts that are triggered - even the rule sets that you are using can be different from 5 to 7, depending on your setup.

It’s really good that you’re planning on upgrading from 5 to 7, as 5 has been end of life for almost 2 years now (NEW: Suricata 6.0.6 and 5.0.10 releases! - Suricata). :slight_smile:

One last thing I want to add is that when trying to diagnose anything, the eve.log file will have a lot more info for you to dig from, in comparison to fast.log - this one is good to, say, check if you’re getting alerts. For anything else, we really recommend using eve.log - which will have alerts with more data, as well as other events, including stats or flow, actions applied to flow - pass/bypass - that could also explain, in certain cases, alert discrepancies.

I know this doesn’t necessarily answer your objective question, but I think it gives a background to understand your observations.