Please include the following information with your help request:
Suricata version
Operating system and/or Linux distribution
How you installed Suricata (from source, packages, something else)
Hi,
Suricata version - 7.0.7
Ubuntu 22.04 (Jammy)
Installed from packages.
I am running Suricata as suricata -Dc /etc/suricata/suricata.yaml -q 0 with NFQ support.
I have very basic rules with alert http and alert tls, and I am passing traffic with curl and from a Windows host machine, sending web traffic.
In eve.json I can see only DNS- and QUIC-related events, but I'm not able to get the HTTP and TLS events in that file.
The configuration is pretty basic, except that I disabled stats.log and other logs.
I went through the discussions and tried setting vlan.use-for-tracking to false, and also the livedev.use-for-tracking field to false.
But nothing worked out.
I tried enabling http.log as well; the file is created, but it was empty.
So please help me with this: how do I need to troubleshoot, or how can I generate alerts for that?
Without seeing logs or config, the first things or questions that come to my mind are:
Are you interested in the HTTP and TLS events, or in the alerts with HTTP and TLS transactions?
For how long did you let Suri run? Were those the only two protocols you saw?
Did you not see alerts for the rules you've created?
What do the rules look like?
These don't offer any solution, I know, but they could point to possible leads, depending on the answers to them. But I hope that by now you've found a way through.
I recently had a similar issue on my SecurityOnion installation. It turned out the switch from which I tapped traffic had the VLAN tag set for packets going in one of the two directions, even though VLAN was disabled in the configuration. You might want to check whether this applies to you, and if so, you can disable the use of VLAN for tracking in the Suricata config.
I found the problem: I was sending only one-way traffic to Suricata for TCP/UDP sessions.
I fixed that, and it is working as expected now.
Thanks everyone who took time to look into this.
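The resolution above (only one direction of each TCP session reaching Suricata, so the stream engine that feeds the HTTP and TLS parsers never sees a complete conversation, while per-packet protocols like DNS over UDP and QUIC initial packets still get logged) can be confirmed from eve.json itself before touching NFQUEUE or switch configuration. The script below is an added example, not code from the thread or from the Suricata project: it reads flow records from eve.json (the record shape follows Suricata's "flow" event type; the sample lines and their values are constructed for the example), classifies each flow by which directions carried packets, and lists the one-way TCP flows that can never produce HTTP or TLS events.

```python
import json
from collections import Counter

# Constructed eve.json lines (sample data, not from the original thread). The
# field names follow Suricata's "flow" event schema; the values are made up.
# Flows 1 and 2 are TCP sessions where only client-to-server packets arrived,
# flow 3 is a normal DNS exchange, flow 4 a complete HTTP session, flow 5 a
# one-way UDP flow. An alert record and a truncated line are mixed in to show
# that both are skipped.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":1,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":0,"bytes_toserver":480,"bytes_toclient":0,"state":"new","reason":"timeout"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":2,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51001,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP",'
    '"flow":{"pkts_toserver":4,"pkts_toclient":0,"bytes_toserver":320,"bytes_toclient":0,"state":"new","reason":"timeout"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","app_proto":"dns",'
    '"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":120,"state":"established","reason":"timeout"}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":4,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51002,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP",'
    '"alert":{"signature":"example alert","signature_id":1000001}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":4,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51002,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","app_proto":"http",'
    '"flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":900,"bytes_toclient":4200,"state":"closed","reason":"timeout"}}',
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","flow_id":5,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":52000,"dest_ip":"142.250.74.46","dest_port":443,"proto":"UDP",'
    '"flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":3600,"bytes_toclient":0,"state":"new","reason":"timeout"}}',
    '{"timestamp":"2024-01-01T10',  # truncated last line, as seen when the file is still being written
])


def iter_flow_events(text):
    """Yield parsed 'flow' records from eve.json text, skipping other event
    types and any line that is not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "flow":
            yield ev


def flow_direction(ev):
    """Classify a flow record by which directions carried packets."""
    f = ev.get("flow", {})
    to_server = f.get("pkts_toserver", 0)
    to_client = f.get("pkts_toclient", 0)
    if to_server and to_client:
        return "bidirectional"
    if to_server:
        return "only_to_server"
    if to_client:
        return "only_to_client"
    return "empty"


def summarize(text):
    """Count flows per direction class and collect the one-way TCP flows.
    A TCP flow seen in one direction only never completes the handshake in
    the stream engine, so no HTTP or TLS transactions can be logged for it."""
    counts = Counter()
    one_way_tcp = []
    for ev in iter_flow_events(text):
        direction = flow_direction(ev)
        counts[direction] += 1
        if ev.get("proto") == "TCP" and direction in ("only_to_server", "only_to_client"):
            one_way_tcp.append((ev["flow_id"], ev["src_ip"], ev["dest_ip"], ev["dest_port"], direction))
    return {"counts": dict(counts), "one_way_tcp": one_way_tcp}


if __name__ == "__main__":
    result = summarize(SAMPLE_EVE)
    print("flows by direction:", result["counts"])
    for flow_id, src, dst, dport, direction in result["one_way_tcp"]:
        print(f"flow {flow_id}: {src} -> {dst}:{dport} {direction}")
    if result["one_way_tcp"]:
        print("One-way TCP flows present: make sure both directions of the session reach "
              "Suricata (e.g. NFQUEUE rules for both directions, TAP/SPAN of both sides).")
```

Run it against a real file with the same functions by replacing SAMPLE_EVE with the contents of /var/log/suricata/eve.json (flow events must be enabled under outputs.eve-log.types). If most TCP flows come out as only_to_server, the capture path is the problem, not the rules: for an NFQUEUE setup that means queuing both the forward and the return direction; for a tap or SPAN port, mirroring both sides. Suricata does have a stream async-oneside option for deployments that genuinely see one direction only, but the normal fix, as in this thread, is to feed it both.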