Help Needed! Suricata drops - "metadata":{"flowints":{"http.anomaly.count":1}}

Here is the Suricata eve.json log; the traffic is being dropped. I am unable to locate the reason/rule behind the drop, and I am also curious to know what might have caused the anomaly count to be 1.

{"timestamp":"2023-10-05T16:12:17.780787+0000","flow_id":603931927361140,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.130.140.31","src_port":46646,"dest_ip":"10.132.0.8","dest_port":443,"proto":"TCP","metadata":{"flowints":{"http.anomaly.count":1}},"drop":{"len":48,"tos":0,"ttl":255,"ipid":10970,"tcpseq":2869134189,"tcpack":0,"tcpwin":4380,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}

Hi there Srutheen,

  • What Suricata version are you using?
  • If you search the log for other events associated with that same flow_id, do you see anything of value?

There may be some fields that could add some useful info, but without knowing which suricata version you’re using, I’m not sure if those would be there…

The version we are running is 5.0.7. I just filtered by the flow_id and all of them were dropped.

Ok, thanks.

I don’t think the options I have in mind are present in 5.0.7…
What does the flow event for that flow tell you?
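As an added example (not code from the thread or from the Suricata project), the flow_id correlation suggested above as a script: it groups eve.json events by flow_id and, for each flow that has drop events, reports the alert records on that flow (an alert with "action":"blocked" carries the signature_id of the rule that blocked it), the flow records, and any flowints found in metadata, and flags flows that were dropped without any alert, which is the situation the poster describes. The sample log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the thread): flow 603931927361140 mirrors the
# poster's case (drops only, no alert); flow 111 is a rule-driven drop, logged with its alert.
SAMPLE_EVE = r'''
{"timestamp":"2023-10-05T16:12:17.780787+0000","flow_id":603931927361140,"event_type":"drop","src_ip":"10.130.140.31","dest_ip":"10.132.0.8","dest_port":443,"proto":"TCP","metadata":{"flowints":{"http.anomaly.count":1}},"drop":{"syn":true,"ack":false}}
{"timestamp":"2023-10-05T16:12:18.780787+0000","flow_id":603931927361140,"event_type":"drop","src_ip":"10.130.140.31","dest_ip":"10.132.0.8","dest_port":443,"proto":"TCP","drop":{"syn":true,"ack":false}}
{"timestamp":"2023-10-05T16:12:20.000000+0000","flow_id":111,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"blocked","signature_id":2100001,"rev":1,"signature":"EXAMPLE drop rule"}}
{"timestamp":"2023-10-05T16:12:20.000100+0000","flow_id":111,"event_type":"drop","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","drop":{"syn":false,"ack":true}}
{"timestamp":"2023-10-05T16:12:25.000000+0000","flow_id":111,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"state":"closed","reason":"timeout"}}
'''


def parse_eve(text):
    """Parse one JSON object per line, skipping blank or unparseable lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated/garbled line: skip it rather than abort the whole file
    return events


def explain_drops(events):
    """Summarise each flow that has drop events: alert records (sid, name, action), flow
    records and flowints seen on it; 'unexplained' means dropped with no alert on the flow."""
    by_flow = defaultdict(list)
    for ev in events:
        if "flow_id" in ev:
            by_flow[ev["flow_id"]].append(ev)
    report = {}
    for fid, evs in by_flow.items():
        drops = [e for e in evs if e.get("event_type") == "drop"]
        if not drops:
            continue
        alerts = [(e["alert"]["signature_id"], e["alert"]["signature"], e["alert"].get("action"))
                  for e in evs if e.get("event_type") == "alert"]
        flows = [e["flow"] for e in evs if e.get("event_type") == "flow"]
        flowints = {}
        for e in evs:  # flowints ride along in metadata on whichever events carry them
            flowints.update(e.get("metadata", {}).get("flowints", {}))
        report[fid] = {"drops": len(drops), "alerts": alerts, "flow": flows,
                       "flowints": flowints, "unexplained": not alerts}
    return report
```

Against a real log, call `explain_drops(parse_eve(open("eve.json").read()))` and look at the flows marked unexplained: those are the drops you cannot attribute to a signature from the alert records alone.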

Responded over the email


Mandatory advice: please upgrade to a supported version of Suricata. The 5 branch has been EOL’d on August 1st, 2022. 5.0.7 is even outdated for the 5 branch, as it was released in June 2021. Many things have been fixed in 5 since, many more things have been fixed in 6 since, including various security issues.
