New system ip address and port details are not showing in Suricata logs

We have set up source and target EC2 instances in a pipeline in AWS and installed Suricata on the target instance to monitor the source.

When I try to ping the source instance from a new system, that new system's IP address and port details are not showing in the Suricata logs.

@Jeff_Lucovsky - Requesting your help on this. Please let me know if any other details are required from my end.

We are using the latest version of Suricata, 7.0.8.

Is the Suricata (target instance) seeing the ping (icmp) traffic?

If these are Linux instances, running tcpdump -i <interface> on the target instance will show the traffic if the network topology is set up properly.

@Jeff_Lucovsky - if we ping from the source instance to the target instance and then run tcpdump -i <interface> on the target, it shows the ICMP pings from the source to the target instance.

If we try to ping the source instance from a command prompt, it is not capturing that traffic. We have configured the traffic mirror session from source to target; only the source's logs are not getting captured.

Thanks for the update.

What packet capture method are you using?

Can you post your suricata.yaml config file and the command line used to start the suricata executable?

@Jeff_Lucovsky - Please find our update below

af-packet and pcap are the packet capture methods we are using.

The command line used to start Suricata is: suricata -c /etc/suricata/suricata.yaml -i eth0

Hi @Jeff_Lucovsky - could you please provide an update on the issue? Thanks

Can you post suricata.yaml?

@Jeff_Lucovsky - the yaml file has 18k lines, and we don't have access to download and share it. But we followed the commands below to install Suricata, as given in the URL below. We didn't make any changes to the yaml file after installation.

Become sudo

sudo -s

Install epel-release

amazon-linux-extras install -y epel

Install suricata

yum install -y suricata

Create the default suricata rules directory

mkdir /var/lib/suricata/rules

Add a rule to match all UDP traffic

echo 'alert udp any any -> any any (msg:"UDP traffic detected"; sid:200001; rev:1;)' > /var/lib/suricata/rules/suricata.rules

Start suricata listening on eth0 in daemon mode

suricata -c /etc/suricata/suricata.yaml -k none -i eth0 -D

Capture logs can be found in /var/log/suricata/fast.log

@Jeff_Lucovsky - please help with a solution whenever possible.

Please clarify the logs that you are expecting the ICMP traffic to appear in.

Suricata creates several kinds of log output, not all of which are for alerts.

If you’re expecting alerts and not seeing them, please share the rule(s) and a pcap.

If you’re expecting flow records for the ICMP traffic and not seeing them, please confirm that flow logging is enabled.
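As an added example, not part of the thread above and not Suricata's own code: the last reply distinguishes "Suricata never saw the packets" from "it saw them but no alert or flow record was written", and the quickest way to tell those apart is to look at eve.json rather than fast.log, since the rule installed above matches only UDP and fast.log carries alerts only. The script below parses eve.json lines (one JSON object per line, as Suricata 7's eve-log output writes them) and, for a given host IP, reports which of those cases applies. The four log lines are constructed for the example, the 10.0.x.x addresses are hypothetical, and the diagnosis labels are this example's own naming, not Suricata terminology.

```python
"""Added example (not from the forum thread): classify what Suricata's eve.json
says about one host, to separate "no traffic reached the sensor" from
"traffic seen, but no rule matched" or "traffic seen, but no ICMP flow logged".
The sample log lines and the 10.0.x.x addresses below are constructed."""
import json
from collections import Counter

# Constructed eve.json sample: an ICMP flow record, a UDP alert from the
# thread's sid:200001 rule, a stats record (no proto), and a TCP flow record.
SAMPLE_EVE = r'''
{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.1.10","dest_ip":"10.0.2.20","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":4,"pkts_toclient":4}}
{"timestamp":"2025-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.1.10","src_port":53211,"dest_ip":"10.0.2.20","dest_port":53,"proto":"UDP","alert":{"signature_id":200001,"rev":1,"signature":"UDP traffic detected"}}
{"timestamp":"2025-01-01T10:00:02.000000+0000","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2025-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.2.20","dest_ip":"10.0.1.10","proto":"TCP","src_port":44123,"dest_port":22,"flow":{"pkts_toserver":10,"pkts_toclient":8}}
'''


def parse_eve(text):
    """Return one dict per non-empty line, skipping lines that are not valid
    JSON (the last line of a live eve.json may be partially written)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarise(records):
    """Count records per (event_type, proto); records without a proto field,
    such as stats, are keyed with proto None."""
    return Counter((r.get("event_type"), r.get("proto")) for r in records)


def events_for_host(records, ip, proto=None):
    """Records where ip is the source or destination, optionally one proto."""
    out = []
    for r in records:
        if ip not in (r.get("src_ip"), r.get("dest_ip")):
            continue
        if proto is not None and r.get("proto") != proto:
            continue
        out.append(r)
    return out


def diagnose(records, ip):
    """Map the thread's question onto the log for one host. Labels are this
    example's own: 'no-traffic-seen' means check mirroring and tcpdump on the
    capture interface; 'icmp-seen-no-rule' means flow logging works but no
    loaded rule matched ICMP; 'host-seen-no-icmp' means the host appears but
    no ICMP flow record was written, so check that flow logging is enabled."""
    any_rec = events_for_host(records, ip)
    icmp = events_for_host(records, ip, "ICMP")
    icmp_flows = [r for r in icmp if r.get("event_type") == "flow"]
    icmp_alerts = [r for r in icmp if r.get("event_type") == "alert"]
    if not any_rec:
        return "no-traffic-seen"
    if icmp_alerts:
        return "icmp-alerted"
    if icmp_flows:
        return "icmp-seen-no-rule"
    return "host-seen-no-icmp"


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for key, n in sorted(summarise(recs).items(), key=str):
        print(key, n)
    for host in ("10.0.1.10", "10.0.3.30"):
        print(host, diagnose(recs, host))
```

Run it against the real file with `parse_eve(open("/var/log/suricata/eve.json").read())` and the IP of the "new system"; a result of no-traffic-seen points at the traffic mirror rather than at Suricata's configuration.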