I can only see the first alert of a rule

Adrian_Portas · December 14, 2020, 8:49am

Hello,

Im new to Suricata and im trying to log a basic icmp alert. My problem its that in fast.log/eve.log i can only see the first alert even if i send an icmp packet every second.

I could “fix” it adding flow: to_server in the rule but as the flow says only log icmp packets to server. Am i missing something? I tried with threshold too but i couldnt find a solution for my problem.

My rule is:
alert icmp any any -> any any (msg:“ICMP detected”; sid: 889;)

The rule that workerd:
alert icmp any any -> any any (msg:“ICMP detected”; flow: to_server; sid: 889;)

In suricata 3.X the alert withouth flow worked well but in suricata 4.X, 5.X and 6.X i have this problem.

Thanks in advance, Adrian

vjulien · December 14, 2020, 12:19pm

Hi Adrian, I suspect the first rule is considered to be “IP-only”, and so it is evaluated only once per flow direction. Depending on the type of ICMP you have Suricata tracks it as a flow (e.g. echo request/reply). Adding the flow:to_server condition probably takes it out of the “IP-only” category.

Adrian_Portas · December 15, 2020, 12:49pm

Hi Victor,

I didnt knew the “IP-only” behaviour. Thanks for the response!

Regards, Adrian.

Topic		Replies	Views
How to create ICMP alerts per packet Rules	1	797	December 1, 2023
Alert for every drop/alert Help	3	322	May 21, 2024
Testing ping alert rule Rules suricata	5	4241	July 27, 2022
Alert once per connection with Suricata rules Rules aws	9	1367	April 12, 2023
Alert logs not triggered Help	3	1271	November 26, 2020

I can only see the first alert of a rule

Related topics