Hello,
I just deployed Suricata version 6.0.1 on Debian. It runs as an IPS using NFQUEUE. I have a few questions regarding the Suricata log. I am not sure if this is the correct place to ask these questions.
Q1: In the log (eve.json), there are indications that a packet has been dropped, but there is no signature_id or any explanation as to how this packet was dropped. Below is one packet example. Is this expected behaviour when the event_type is drop?
{
  "timestamp": "2022-02-02T03:07:28.522681+0100",
  "flow_id": 738519213471990,
  "event_type": "drop",
  "src_ip": "MY_HOST_IP",
  "src_port": 11111,
  "dest_ip": "107.148.179.232",
  "dest_port": 23,
  "proto": "TCP",
  "drop": {
    "len": 40,
    "tos": 0,
    "ttl": 64,
    "ipid": 0,
    "tcpseq": 1804907497,
    "tcpack": 0,
    "tcpwin": 0,
    "syn": false,
    "ack": false,
    "psh": false,
    "rst": true,
    "urg": false,
    "fin": false,
    "tcpres": 0,
    "tcpurgp": 0
  }
}
Q2: What is "event_type": "flow"? I have seen these a lot in the log. Does it summarise the data exchanged between my host and the target system?
{
  "timestamp": "2022-02-02T03:08:59.558183+0100",
  "flow_id": 738519213471990,
  "event_type": "flow",
  "src_ip": "107.148.179.232",
  "src_port": 23,
  "dest_ip": "MY_HOST_IP",
  "dest_port": 11111,
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 44,
    "bytes_toclient": 40,
    "start": "2022-02-02T03:07:28.522486+0100",
    "end": "2022-02-02T03:07:28.522681+0100",
    "age": 0,
    "state": "new",
    "reason": "unknown",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "00",
    "tcp_flags_ts": "00",
    "tcp_flags_tc": "00"
  }
}
Q3: What happens when the queue is full? Is the data then not processed, so that Suricata is not able to block it?
Thank you,
TS
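Added example, not part of the post above and not Suricata's own tooling: a small Python script that reads eve.json line by line, pairs every drop event with the alert events of the same flow_id whose action is "blocked" (the standard eve alert fields), and tallies flow events by state and reason. A drop with no blocking alert on its flow cannot be attributed to a signature from eve.json alone, which is exactly the situation in Q1. The sample input is constructed: it reuses the two events from the post (MY_HOST_IP kept as a placeholder) and adds a second, hypothetical flow whose drop does come from a rule; signature_id 1000001, the rule name and 198.51.100.5 are made up.

```python
"""Correlate Suricata eve.json drop events with the alerts that caused them.

Added example, not Suricata's own tooling. Assumes the standard eve.json
layout: every event carries flow_id, alert events carry alert.signature_id
and alert.action ("allowed" / "blocked"), flow events carry flow.state,
flow.reason and flow.alerted.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample input: the drop and flow events from the post plus a
# second, hypothetical flow whose drop is explained by a blocking alert.
# signature_id 1000001, the signature text and 198.51.100.5 are made up.
SAMPLE_EVE = """\
{"timestamp":"2022-02-02T03:07:28.522681+0100","flow_id":738519213471990,"event_type":"drop","src_ip":"MY_HOST_IP","src_port":11111,"dest_ip":"107.148.179.232","dest_port":23,"proto":"TCP","drop":{"len":40,"tos":0,"ttl":64,"ipid":0,"tcpseq":1804907497,"tcpack":0,"tcpwin":0,"syn":false,"ack":false,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2022-02-02T03:08:59.558183+0100","flow_id":738519213471990,"event_type":"flow","src_ip":"107.148.179.232","src_port":23,"dest_ip":"MY_HOST_IP","dest_port":11111,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":44,"bytes_toclient":40,"start":"2022-02-02T03:07:28.522486+0100","end":"2022-02-02T03:07:28.522681+0100","age":0,"state":"new","reason":"unknown","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-02-02T03:10:01.000000+0100","flow_id":112233445566778,"event_type":"alert","src_ip":"MY_HOST_IP","src_port":40000,"dest_ip":"198.51.100.5","dest_port":23,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"HYPOTHETICAL telnet egress drop","category":"Policy","severity":2}}
{"timestamp":"2022-02-02T03:10:01.000100+0100","flow_id":112233445566778,"event_type":"drop","src_ip":"MY_HOST_IP","src_port":40000,"dest_ip":"198.51.100.5","dest_port":23,"proto":"TCP","drop":{"len":60,"tos":0,"ttl":64,"ipid":4321,"tcpseq":1,"tcpack":0,"tcpwin":64240,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
"""

TCP_FLAG_KEYS = ("syn", "ack", "psh", "rst", "urg", "fin")


def parse_eve(text):
    """Parse eve.json (one JSON object per line), skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A half-written last line is normal on a live log; skip it.
            continue
    return events


def explain_drops(events):
    """For each drop event, list blocking alert signature_ids seen on the same flow.

    An empty "sids" list means no blocking alert was logged for that flow, so
    the drop cannot be attributed to a signature from eve.json alone.
    """
    blocking_sids = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "alert" and ev["alert"].get("action") == "blocked":
            blocking_sids[ev["flow_id"]].append(ev["alert"]["signature_id"])

    explained = []
    for ev in events:
        if ev.get("event_type") != "drop":
            continue
        flags = [k for k in TCP_FLAG_KEYS if ev["drop"].get(k)]
        explained.append({
            "flow_id": ev["flow_id"],
            "tuple": f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}/{ev["proto"]}',
            "flags": flags,
            "sids": blocking_sids.get(ev["flow_id"], []),
        })
    return explained


def summarize_flows(events):
    """Count flow events by (state, reason, alerted)."""
    return Counter(
        (ev["flow"]["state"], ev["flow"]["reason"], ev["flow"]["alerted"])
        for ev in events
        if ev.get("event_type") == "flow"
    )


def main(argv):
    # Read a real eve.json when a path is given, otherwise use the sample above.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EVE
    events = parse_eve(text)
    for d in explain_drops(events):
        cause = (f"rule sid(s) {d['sids']}" if d["sids"]
                 else "no blocking alert logged for this flow")
        print(f"drop flow_id={d['flow_id']} {d['tuple']} flags={d['flags']}: {cause}")
    for (state, reason, alerted), n in sorted(summarize_flows(events).items()):
        print(f"flow state={state} reason={reason} alerted={alerted}: {n}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 eve_drops.py /var/log/suricata/eve.json` to go through a live log; with no argument it runs over the constructed sample, where the post's RST packet comes out with no blocking alert on its flow and the hypothetical SYN is attributed to sid 1000001. Alerts are indexed before drops are examined, so it does not matter whether the alert or the drop line was written first.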