How can I have DNP3 alerts in the eve-log to stop dumping of DNP3 fields which can be large

Loney_Crist · June 26, 2023, 3:41pm

Suricata version 6.0.10

We are seeing extremely large events generate by “signature_id”:2270004: “SURICATA DNP3 Unknown object”

The setting “outputs.2.eve-log.types.0.alert.dnp3 = no” option in the past would disable dumping of dnp3 fields in the alert.

Example:

{“timestamp”:“2023-06-26T15:27:30.203247+0000”,“flow_id”:1429548430319641,“in_iface”:“ens0”,“event_type”:“alert”,“src_ip”:“192.168.11.200”,“src_port”:20000,“dest_ip”:“192.168.125.181”,“dest_port”:50210,“proto”:“TCP”,“tx_id”:2,“alert”:{“action”:“allowed”,“gid”:1,“signature_id”:2270004,“rev”:2,“signature”:“SURICATA DNP3 Unknown object”,“category”:“Generic Protocol Command Decode”,“severity”:3},“dnp3”:{“request”:{“type”:“request”,“control”:{“dir”:true,“pri”:true,“fcb”:false,“fcv”:false,“function_code”:4},“src”:1024,“dst”:25,“application”:{“control”:{“fir”:true,“fin”:true,“con”:false,“uns”:false,“sequence”:14},“function_code”:1,“objects”:[{“group”:60,“variation”:4,“qualifier”:6,“prefix_code”:0,“range_code”:6,“start”:0,“stop”:0,“count”:0},{“group”:60,“variation”:3,“qualifier”:6,“prefix_code”:0,“range_code”:6,“start”:0,“stop”:0,“count”:0},{“group”:60,“variation”:2,“qualifier”:6,“prefix_code”:0,“range_code”:6,“start”:0,“stop”:0,“count”:0},{“group”:60,“variation”:1,“qualifier”:6,“prefix_code”:0,“range_code”:6,“start”:0,“stop”:0,“count”:0}],“complete”:true}},“response”:{“type”:“response”,“control”:{“dir”:false,“pri”:true,“fcb”:false,“fcv”:false,“function_code”:4},“src”:25,“dst”:1024,“application”:{“control”:{“fir”:true,“fin”:true,“con”:false,“uns”:false,“sequence”:14},“function_code”:129,“objects”:[{“group”:1,“variation”:1,“qualifier”:1,“prefix_code”:0,“range_code”:1,“start”:1172,“stop”:1219,“count”:48,“points”:[{“prefix”:0,“index”:1172,“state”:0},{“prefix”:0,“index”:1173,“state”:1},{“prefix”:0,“index”:1174,“state”:1},{“prefix”:0,“index”:1175,“state”:0},{“prefix”:0,“index”:1176,“state”:1},{“prefix”:0,“index”:1177,“state”:1},{“prefix”:0,“index”:1178,“state”:1},{“prefix”:0,“index”:1179,“state”:1},{“prefix”:0,“index”:1180,“state”:0},{“prefix”:0,“index”:1181,“state”:0},{“prefix”:0,“index”:1182,“state”:0},{“prefix”:0,“index”:1183,“state”:0},{“prefix”:0,“index”:1184,“state”:0},{“prefix”:0,“index”:1185,“state”:0},{“prefix”:0,“index”:1186,“state”:0},{“prefix”:0,“index”:1187,“state”:0},{“prefix”:0,“index”:1188,“state”:0},{“prefix”:0,“index”:1189,“state”:0},{“prefix”:0,“index”:1190,“state”:0},{“prefix”:0,“index”:1191,“state”:0},{“prefix”:0,“index”:1192,“state”:0},{“prefix”:0,“index”:1193,“state”:0},{“prefix”:0,“index”:1194,“state”:0},{“prefix”:0,“index”:1195,“state”:0},{“prefix”:0,“index”:1196,“state”:0},{“prefix”:0,“index”:1197,“state”:0},{“prefix”:0,“index”:1198,“state”:0},{“prefix”:0,“index”:1199,“state”:1},{“prefix”:0,“index”:1200,“state”:0},{“prefix”:0,“index”:1201,“state”:0},{“prefix”:0,“index”:1202,“state”:0},{“prefix”:0,“index”:1203,“state”:0},{“prefix”:0,“index”:1204,“state”:0},{“prefix”:0,“index”:1205,“state”:0},{“prefix”:0,“index”:1206,“state”:1},{“prefix”:0,“index”:1207,“state”:1},{“prefix”:0,“index”:1208,“state”:1},{“prefix”:0,“index”:1209,“state”:0},{“prefix”:0,“index”:1210,“state”:0},{“prefix”:0,“index”:1211,“state”:1},{“prefix”:0,“index”:1212,“state”:1},{“prefix”:0,“index”:1213,“state”:0},{“prefix”:0,“index”:1214,“state”:0},{“prefix”:0,“index”:1215,“state”:0},{“prefix”:0,“index”:1216,“state”:0},{“prefix”:0,“index”:1217,“state”:0},{“prefix”:0,“index”:1218,“state”:0},{“prefix”:0,“index”:1219,“state”:0}]},{“group”:1,“variation”:1,“qualifier”:147,“prefix_code”:1,“range_code”:3,“start”:4,“stop”:147,“count”:144,“points”:[{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:1},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0},{“prefix”:4,“index”:4,“state”:0}]},{“group”:1,“variation”:1,“qualifier”:1,“prefix_code”:0,“range_code”:1,“start”:257,“stop”:113,“count”:4294967153,“points”:[{“prefix”:0,“index”:257,“state”:0},{“prefix”:0,“index”:258,“state”:0},{“prefix”:0,“index”:259,“state”:1},{“prefix”:0,“index”:260,“state”:1},{“prefix”:0,“index”:261,“state”:1},{“prefix”:0,“index”:262,“state”:1},{“prefix”:0,“index”:263,“state”:1},{“prefix”:0,“index”:264,“state”:0},{“prefix”:0,“index”:265,“state”:0},{“prefix”:0,“index”:266,“state”:0},{“prefix”:0,“index”:267,“state”:0},{“prefix”:0,“index”:268,“state”:0},{“prefix”:0,“index”:269,“state”:0},{“prefix”:0,“index”:270,“state”:0},{“prefix”:0,“index”:271,“state”:0},{“prefix”:0,“index”:272,“state”:0},{“prefix”:0,“index”:273,“state”:0},{“prefix”:0,“index”:274,“state”:0},{“prefix”:0,“index”:275,“state”:0},{“prefix”:0,“index”:276,“state”:0},{“prefix”:0,“index”:277,“state”:0},{“prefix”:0,“index”:278,“state”:0},{“prefix”:0,“index”:279,“state”:0},{“prefix”:0,“index”:280,“state”:0},{“prefix”:0,“index”:281,“state”:0},{“prefix”:0,“index”:282,“state”:1},{“prefix”:0,“index”:283,“state”:1},{“prefix”:0,“index”:284,“state”:0},{“prefix”:0,“index”:285,“state”:0},{“prefix”:0,“index”:286,“state”:0},{“prefix”:0,“index”:287,“state”:0},{“prefix”:0,“index”:288,“state”:0},{“prefix”:0,“index”:289,“state”:1},{“prefix”:0,“index”:290,“state”:0},{“prefix”:0,“index”:291,“state”:0},{“prefix”:0,“index”:292,“state”:0},{“prefix”:0,“index”:293,“state”:0},{“prefix”:0,“index”:294,“state”:0},{“prefix”:0,“index”:295,“state”:0},{“prefix”:0,“index”:296,“state”:0},{“prefix”:0,“index”:297,“state”:1},{“prefix”:0,“index”:298,“state”:0},{“prefix”:0,“index”:299,“state”:0},{“prefix”:0,“index”:300,“state”:0},{“prefix”:0,“index”:301,“state”:0},{“prefix”:0,“index”:302,“state”:0},{“prefix”:0,“index”:303,“state”:0},{“prefix”:0,“index”:304,“state”:0},{“prefix”:0,“index”:305,“state”:1},{“prefix”:0,“index”:306,“state”:0},{“prefix”:0,“index”:307,“state”:0},{“prefix”:0,“index”:308,“state”:0},{“prefix”:0,“index”:309,“state”:0},{“prefix”:0,“index”:310,“state”:0},{“prefix”:0,“index”:311,“state”:0},{“prefix”:0,“index”:312,“state”:0},{“prefix”:0,“index”:313,“state”:0},{“prefix”:0,“index”:314,“state”:0},{“prefix”:0,“index”:315,“state”:0},{“prefix”:0,“index”:316,“state”:0},{“prefix”:0,“index”:317,“state”:1},{“prefix”:0,“index”:318,“state”:1},{“prefix”:0,“index”:319,“state”:1},{“prefix”:0,“index”:320,“state”:0},{“prefix”:0,“index”:321,“state”:0},{“prefix”:0,“index”:322,“state”:0},{“prefix”:0,“index”:323,“state”:0},{“prefix”:0,“index”:324,“state”:0},{“prefix”:0,“index”:325,“state”:0},{“prefix”:0,“index”:326,“state”:0},{“prefix”:0,“index”:327,“state”:0},{“prefix”:0,“index”:328,“state”:0},{“prefix”:0,“index”:329,“state”:0},{“prefix”:0,“index”:330,“state”:0},{“prefix”:0,“index”:331,“state”:0},{“prefix”:0,“index”:332,“state”:0},{“prefix”:0,“index”:333,“state”:1},{“prefix”:0,“index”:334,“state”:1},{“prefix”:0,“index”:335,“state”:1},{“prefix”:0,“index”:336,“state”:0},{“prefix”:0,“index”:337,“state”:0},{“prefix”:0,“index”:338,“state”:0},{“prefix”:0,“index”:339,“state”:0},{“prefix”:0,“index”:340,“state”:0},{“prefix”:0,“index”:341,“state”:0},{“prefix”:0,“index”:342,“state”:0},{“prefix”:0,“index”:343,“state”:0},{“prefix”:0,“index”:344,“state”:0},{“prefix”:0,“index”:345,“state”:1},{“prefix”:0,“index”:346,“state”:0},{“prefix”:0,“index”:347,“state”:0},{“prefix”:0,“index”:348,“state”:0},{“prefix”:0,“index”:349,“state”:0},{“prefix”:0,“index”:350,“state”:0},{“prefix”:0,“index”:351,“state”:0},{“prefix”:0,“index”:352,“state”:0},{“prefix”:0,“index”:353,“state”:1},{“prefix”:0,“index”:354,“state”:0},
…

The relative section:
outputs.2.eve-log.types = (null)
outputs.2.eve-log.types.0 = alert
outputs.2.eve-log.types.0.alert = (null)
outputs.2.eve-log.types.0.alert.dnp3 = no
outputs.2.eve-log.types.0.alert.tagged-packets = yes
outputs.2.eve-log.types.0.alert.http-body = no
outputs.2.eve-log.types.0.alert.http-body-printable = no
outputs.2.eve-log.types.0.alert.app-layer = yes

  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /var/log/suricata/log_stream
      ethernet: yes
      community-id: false
      community-id-seed: 0
      ethernet: yes
      metadata: yes
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            **dnp3: no**
            tagged-packets: yes
            http-body: no
            http-body-printable: no
            app-layer: yes

ish · June 26, 2023, 4:12pm

Do you know if this is really DNP3 or something falsely detecting DNP3. If you don’t expect DNP3 on your network you can disable the parser, which it is in a default configuration. Look under the app-layer section for DNP3.

Loney_Crist · June 26, 2023, 4:15pm

Yes, the traffic comes from a control network. There are many DNP3 devices. Several other alerts fire as well but this one includes all of the set points because of the unknown nature of the check.

ish · June 26, 2023, 4:22pm

Ok, I don’t think that option to disable dnp3 under alerts has existed since Suricata 4.x days. Currently the only real toggle for this would be the app-layer switch which enables/disable all app-layer logging in the alert, and its unfortunately not granular enough to enable/disable specific protocol logging.

Loney_Crist · June 27, 2023, 2:31pm

That makes sense given it worked before.
We disabled the app-layer for this even-log stream as it is not used at it solve the issue.
It is on for other streams so we have the data in local storage.

Thanks