Http traffic is not detected after updating to Suricata 7

  • Suricata 7.0.0/7.0.1/7.0.2
  • FreeBSD 13.2
  • Installed with pkg

Hello. After updating Suricata from version 6 to 7, it stopped detecting HTTP traffic, despite an almost identical configuration file. tcp or icmp traffic is detected well, but http.log is empty.
I used only two rules for checking:

alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:5000000;)
alert http any any -> any any (msg:"HTTP traffic detected"; sid:5000001;)

Maybe this is a problem specific to FreeBSD? Has anyone encountered the same behavior?

[138243 - Suricata-Main] 2023-11-24 07:00:40 Config: detect: Loading rule file: /usr/local/etc/suricata/test.rules
[138243 - Suricata-Main] 2023-11-24 07:00:40 Info: detect: 1 rule files processed. 2 rules successfully loaded, 0 rules failed
[138243 - Suricata-Main] 2023-11-24 07:00:40 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[138243 - Suricata-Main] 2023-11-24 07:00:40 Info: detect: 2 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only

How does the suricata.yaml look like?

How is Suricata started?

Do you have a pcap as example?

Do you see event_type flow for those connections in the EVE JSON output?

Also provide stats.log as well (or event_type stats from EVE JSON).

suricata.yaml
suricata.yaml (11.0 KB)

/usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml

pcap
http.pcap (1.6 KB)

There are no entries in eve.log

stats.log
stats.log (14.8 KB)

There are no app layers detected, but at least tcp and udp. Do you have a stats.log with version 6 to compare with?

Could you add to the eve json log the flow as type so that we could see if the flow itself was seen at least?

stats from 6 version
statsV6.log (2.6 KB)

I added flow for logging. When an HTTP request is made, no entries are added to the log.
But there are entries for other traffic. For example
{"timestamp":"2023-11-24T10:39:42.485502+0000","flow_id":1541763414687531,"in_iface":"em0","event_type":"flow","src_ip":"192.168.17.15","src_port":5353,"dest_ip":"224.0.0.251","dest_port":5353,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2023-11-24T10:39:01.293433+0000","end":"2023-11-24T10:39:01.293433+0000","age":0,"state":"new","reason":"timeout","alerted":false}}

in all cases "app_proto":"failed"
Could this be the case?

UPD. reload stats.log
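As an added check (not code from the thread), the script below tallies EVE flow events by app_proto, counts http events, and flags TCP flows where no packets were ever seen toward the client, which is the pattern to look for when app-layer detection fails on a live interface. The EVE lines embedded in it are constructed samples, not the poster's log.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not from the thread): an mDNS flow that
# Suricata could not classify, a one-sided TCP flow to port 80 that also
# failed, and a port-80 flow that was recognised as http.
SAMPLE_EVE = """\
{"timestamp":"2023-11-24T10:39:42.485502+0000","event_type":"flow","src_ip":"192.168.17.15","src_port":5353,"dest_ip":"224.0.0.251","dest_port":5353,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0}}
{"timestamp":"2023-11-24T10:40:01.000000+0000","event_type":"flow","src_ip":"192.168.17.106","src_port":53820,"dest_ip":"192.168.17.108","dest_port":80,"proto":"TCP","app_proto":"failed","flow":{"pkts_toserver":4,"pkts_toclient":0}}
{"timestamp":"2023-11-24T10:40:02.000000+0000","event_type":"http","src_ip":"192.168.17.106","src_port":53821,"dest_ip":"192.168.17.108","dest_port":80,"proto":"TCP","http":{"url":"/wpad.dat","http_method":"GET"}}
{"timestamp":"2023-11-24T10:40:02.100000+0000","event_type":"flow","src_ip":"192.168.17.106","src_port":53821,"dest_ip":"192.168.17.108","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4}}
"""


def summarize_eve(lines):
    """Count event types, app_proto per flow event, and one-sided TCP flows."""
    app_proto = Counter()
    event_types = Counter()
    one_sided_tcp = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        event_types[ev.get("event_type")] += 1
        if ev.get("event_type") == "flow":
            app_proto[ev.get("app_proto", "unknown")] += 1
            flow = ev.get("flow", {})
            # A TCP flow with zero packets toward the client means Suricata
            # saw only one direction of the conversation.
            if ev.get("proto") == "TCP" and flow.get("pkts_toclient", 0) == 0:
                one_sided_tcp += 1
    return {"app_proto": dict(app_proto), "event_types": dict(event_types),
            "one_sided_tcp": one_sided_tcp}


def app_layer_looks_broken(summary):
    """True when flows were logged but none got an app proto and no http events exist."""
    flows = summary["event_types"].get("flow", 0)
    classified = sum(n for proto, n in summary["app_proto"].items()
                     if proto not in ("failed", "unknown"))
    return flows > 0 and classified == 0 and summary["event_types"].get("http", 0) == 0


if __name__ == "__main__":
    print(summarize_eve(SAMPLE_EVE.splitlines()))
```

Run it against a real eve.json with `summarize_eve(open("eve.json"))`; a non-zero one_sided_tcp count alongside app_layer_looks_broken() being true points at the capture path rather than the rules.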

So when I run your pcap against a Suricata 7.0.2 I see the event:

{
  "timestamp": "2023-11-24T10:46:41.662732+0100",
  "flow_id": 282774231284667,
  "pcap_cnt": 9,
  "event_type": "http",
  "src_ip": "192.168.17.106",
  "src_port": 53820,
  "dest_ip": "192.168.17.108",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 0,
  "http": {
    "hostname": "192.168.17.108",
    "url": "/wpad.dat",
    "http_user_agent": "curl/7.68.0",
    "http_content_type": "text/html",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 404,
    "length": 196
  }
}

Could you do a pcap test run as well, use the -r option to do that. Just to make sure that it would be seen and it’s related to your netmap or packet forwarding.

Testing on a pcap file works fine.

eve.json (8.2 KB)

Is this a problem with netmap?

Well at least something about your setup seems to be the issue. It’s netmap IPS mode right?
If you don’t run Suricata on the em0 interface but rather tcpdump, do you see the http traffic you mentioned?
Just to make sure the actual forwarding is working.

I’m using netmap IPS, correct.
tcpdump successfully captures traffic, including http

I don’t know how easy it would be, but could you run a pure IDS mode on just one of the interfaces and see if it would show up the http flow there?

The better you can narrow it down, the easier it could be to fix it. We already know that the pcap mode is fine, so if we see it working in IDS mode this could help as well.

I changed the conf file and launch mode to work with pcap.

Is this what was meant?

/usr/local/bin/suricata -D --pcap -c /usr/local/etc/suricata/suricata.yaml

pcap:
   - interface: em0
     checksum-checks: auto
     promisc: yes

HTTP traffic is successfully detected.

I’m sorry. I misunderstood.
We need to run netmap ids, right?

Yes, but testing it with pcap runmode was also a good test.

I tried using tap copy-mode, the behavior is similar to ips

Maybe, this should be a setup without using copy-mode? Sorry, in this case I have no idea how I should implement this on my test host.
I’m just losing access to the system…

I would add a dedicated interface for the management and use another interface for the capture. Starting with IDS mode before going into IPS mode would also make it easier to test without losing access.

Hi,

Try async-oneside: true. This fixed the problem for me.

I had to roll back to version 6 and only now I returned to the issue regarding version 7. Finally, I found what the problem was. It was affected by the livedev.use-for-tracking parameter, which must be set to false.
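For reference, an added suricata.yaml fragment (not the thread author's file) that puts the two settings mentioned in this thread next to a netmap IPS pair; the interface names em0/em1 are assumed and must match your own bridged pair.

```yaml
# Added illustration, not from the original post. Interface names are assumed.
netmap:
  - interface: em0
    copy-mode: ips
    copy-iface: em1
  - interface: em1
    copy-mode: ips
    copy-iface: em0

livedev:
  # Suricata 7 defaults this to true; the thread's author found that
  # HTTP was only recognised again in netmap IPS mode once it was false.
  use-for-tracking: false

stream:
  # Another poster reported this setting resolved the same symptom,
  # which matches flows where only one direction is seen.
  async-oneside: true
```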