I’m using Suricata 6.0.12 with default configuration (other than the fact that I have added a second rule-file inside suricata.yaml.)
I have created a custom rule to generate an alert when traffic on port 6678 is detected:
alert ip any any -> any 6678 (msg:"Traffic detected"; sid:1; rev:1;)
This doesn’t generate an alert when live traffic is sent on port 6678 while a tcpdump running on the same interface that Suricata is listening on does show traffic on this port.
When Suricata is run on a pcap that includes this traffic, the alert message does appear.
I have attached a sample pcap of the traffic. sample_traffic.pcap (208.2 KB)
Could the issue be caused by the IP fragmentation or the packet size once reassembled?
Thanks for your help,
I ran a quick check of Suri 6.0.12 and Suricata 7.0.0rc2 (to be released 15 June).
Both generated alerts using your rule and the pcap.
What command line are you using with Suricata? I’m most interested in how it’s receiving packets.
It does generate alerts when used against the pcap:
suricata -v -r sample_traffic.pcap
However, in my case, when used against a network interface, no alert is generated:
suricata -v -i br-ca0
Running tcpdump on the same interface, at the same time, does show incoming traffic though:
tcpdump -nni br-ca0 port 6678
I’ve somehow managed to get it working.
I needed to set default-packet-size to at least 17199 for the alert to show up (if set to 17198, no alert is raised).
Once reassembled, my IP packets have a length of 17160; I do not know where the extra 39 bytes come from.
What kind of logs should be enabled, and where should I look, in order to have information regarding packets whose length is above the default-packet-size value?
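The post above sizes default-packet-size by trial and error. The following added example (my own code, not part of this thread or of Suricata) shows how to get the lower bound directly from a capture: it walks a pcap, reassembles IPv4 fragments by (src, dst, id, protocol) and reports the largest reassembled datagram. The capture it reads is constructed in-memory (a UDP datagram of total length 17160 split at a 1500-byte MTU, matching the length reported above); the 10.0.0.x addresses and the pcap layout are assumptions. The reported value is the IP-layer length only; Suricata's default-packet-size must cover whatever it adds on top of that, which in this thread was 39 bytes.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
IP_PROTO_UDP = 17


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_fragments(payload: bytes, ip_id: int, mtu: int = 1500):
    """Constructed input: split one IPv4/UDP datagram into Ethernet frames sized to the MTU."""
    frames = []
    max_frag = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    offset = 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_frag]
        more = offset + len(chunk) < len(payload)
        flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ip_id,
                          flags_frag, 64, IP_PROTO_UDP, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # assumed addresses
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        eth = b"\x00" * 12 + b"\x08\x00"    # zero MACs, EtherType IPv4
        frames.append(eth + hdr + chunk)
        offset += len(chunk)
    return frames


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def max_reassembled_len(pcap: bytes) -> int:
    """Return the largest IPv4 datagram length in the pcap after fragment reassembly."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    frags = defaultdict(dict)   # key -> {fragment offset: data}
    total = {}                  # key -> payload length, known once the last fragment is seen
    largest = 0
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":     # only IPv4 frames are considered
            continue
        ip = frame[ETH_HDR_LEN:]
        ihl = (ip[0] & 0x0F) * 4
        tot_len, ip_id, ff = struct.unpack("!HHH", ip[2:8])
        proto = ip[9]
        key = (ip[12:16], ip[16:20], ip_id, proto)
        mf = bool(ff & 0x2000)
        off = (ff & 0x1FFF) * 8
        data = ip[ihl:tot_len]
        if not mf and off == 0:             # unfragmented datagram
            largest = max(largest, tot_len)
            continue
        frags[key][off] = data
        if not mf:                          # last fragment fixes the payload length
            total[key] = off + len(data)
        # complete when every byte of the payload has arrived (no overlap handling)
        if key in total and sum(len(d) for d in frags[key].values()) == total[key]:
            largest = max(largest, ihl + total[key])
            del frags[key]
            del total[key]
    return largest


if __name__ == "__main__":
    sample = build_pcap(build_fragments(b"x" * 17140, ip_id=1))   # constructed capture
    print("largest reassembled IPv4 datagram:", max_reassembled_len(sample))
```

Run it against a real file by replacing the constructed sample with `open("sample_traffic.pcap", "rb").read()`; the printed length is the minimum that default-packet-size must exceed before Suricata can inspect the reassembled datagram.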
You would see this in the stats.log and can adjust the config, although very high packet size values can have a negative impact on performance.
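As an added illustration of the stats.log suggestion (my own code, not from the thread or from Suricata), the function below reads the counter table Suricata writes to stats.log, keeps the latest value of each counter, and flags the packet-size and defragmentation counters that matter here. The counter names decoder.max_pkt_size, decoder.avg_pkt_size, defrag.ipv4.fragments, defrag.ipv4.reassembled and defrag.ipv4.timeouts are real Suricata counters; the sample lines and their values are constructed, and the comparison assumes the decoder counters reflect the reassembled pseudo-packet.

```python
import re

# Constructed excerpt in the stats.log table layout; values are invented for the example.
SAMPLE_STATS_LOG = """\
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 48213
decoder.pkts                               | Total                     | 48213
decoder.ipv4                               | Total                     | 48101
decoder.avg_pkt_size                       | Total                     | 1310
decoder.max_pkt_size                       | Total                     | 17160
defrag.ipv4.fragments                      | Total                     | 1212
defrag.ipv4.reassembled                    | Total                     | 101
defrag.ipv4.timeouts                       | Total                     | 0
"""

LINE_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats_log(text: str) -> dict:
    """Return {counter name: latest value}; stats.log appends a new table each interval."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def check_packet_size(counters: dict, default_packet_size: int) -> list:
    """Findings that explain why a large reassembled datagram may not be inspected."""
    findings = []
    max_seen = counters.get("decoder.max_pkt_size", 0)
    if max_seen > default_packet_size:
        findings.append(
            f"decoder.max_pkt_size {max_seen} exceeds default-packet-size {default_packet_size}"
        )
    frags = counters.get("defrag.ipv4.fragments", 0)
    reassembled = counters.get("defrag.ipv4.reassembled", 0)
    if frags and not reassembled:
        findings.append("IPv4 fragments seen but none reassembled")
    if counters.get("defrag.ipv4.timeouts", 0):
        findings.append(f"{counters['defrag.ipv4.timeouts']} defrag trackers timed out")
    return findings


if __name__ == "__main__":
    c = parse_stats_log(SAMPLE_STATS_LOG)
    for f in check_packet_size(c, default_packet_size=1514):   # Suricata's default value
        print("finding:", f)
```

With the default 1514 the constructed counters produce a finding for the 17160-byte maximum; raising default-packet-size above the observed maximum clears it, at the cost the reply above mentions, since every preallocated packet buffer grows to that size.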