Non-functional suricata at some cloud providers

I have several machines with different cloud providers. I have a distributed configuration using ansible. If I apply the same configuration to two different machines from different providers, on one suricata works perfectly and logs alerts according to the rules, on the other machine it logs almost nothing.
If I create an ALL-to-ALL rule, alerts are generated; as soon as I specify the rule further, even if only the destination port, alerts are not generated, even though the traffic matches the rule.

I use simple TCP rules and a couple of application layer rules (TLS)

Has anyone encountered anything similar? Thanks.

Just some thoughts… Are you tuning HOME_NET to each environment? Are any of these OpenVZ or some pseudo virtual environment?

Hello Jason,
HOME_NET is not changed; the supernetwork (172.24.0.0) is used.
According to the drivers used on both machines it is RHEV, very probably Proxmox.

I just noticed that on the machine where suricata is working properly there are only three interfaces namely eth (public IP), one tun interface and one vti interface. On the machine where suricata is not working there is one eth interface and many tun and vti interfaces.

The rules don’t work just on the tun and vti interfaces.

In nftables I have these settings:

table ip filter {
	chain IPS {
		type filter hook forward priority filter + 10; policy accept;
		iifname "ens3" oifname { "vti1", "tun1" } queue num 3-5 bypass,fanout
		iifname { "vti1", "tun1" } oifname "ens3" queue num 3-5 bypass,fanout
	}
}

Suricata is started as follows:

/usr/bin/suricata -D -q 3,4,5 -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
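A first check for this setup, added here as an example rather than taken from the thread: read the kernel's own view of the NFQUEUE numbers that the nft chain above queues to and that Suricata was started with (-q 3,4,5), and say for each queue whether a process is bound to it, whether any packet has ever been queued, and whether packets are being dropped. The proc file column layout is the kernel's; the sample file content and the command-line parsing (comma-separated lists only) are assumptions.

```python
"""Check the NFQUEUE plumbing between the nftables chain and Suricata.

The kernel lists every queue that a userspace program has bound in
/proc/net/netfilter/nfnetlink_queue, one line per queue, with the columns
(see net/netfilter/nfnetlink_queue.c):
  queue_num peer_portid queue_total copy_mode copy_range queue_dropped
  queue_user_dropped id_sequence 1
id_sequence grows by one for every packet ever handed to the queue, so it is
the quickest way to see whether the nft rule is queueing anything at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

PROC_PATH = "/proc/net/netfilter/nfnetlink_queue"


@dataclass
class QueueState:
    queue_num: int
    peer_portid: int     # netlink port id of the bound process (Suricata)
    backlog: int         # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int
    dropped: int         # dropped by the kernel because the queue was full
    user_dropped: int    # dropped while copying the packet to userspace
    id_sequence: int     # packets ever queued since the queue was bound


def parse_nfnetlink_queue(text: str) -> Dict[int, QueueState]:
    """Parse the proc file content into a dict keyed by queue number."""
    queues: Dict[int, QueueState] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue                      # blank or truncated line
        state = QueueState(*(int(f) for f in fields[:8]))
        queues[state.queue_num] = state
    return queues


def expected_queues(argv: List[str]) -> List[int]:
    """Queue numbers from a Suricata command line such as '-q 3,4,5'.
    Assumption: only comma-separated lists are handled, as used in the thread."""
    nums: List[int] = []
    for i, arg in enumerate(argv):
        if arg == "-q" and i + 1 < len(argv):
            nums.extend(int(n) for n in argv[i + 1].split(","))
    return nums


def diagnose(queues: Dict[int, QueueState], expected: Iterable[int]) -> Dict[int, str]:
    """One verdict per expected queue: unbound, idle, dropping or ok."""
    verdicts: Dict[int, str] = {}
    for num in sorted(expected):
        q = queues.get(num)
        if q is None:
            # With the 'bypass' flag the kernel accepts such packets unseen.
            verdicts[num] = "unbound: no process listens on this queue (Suricata not attached)"
        elif q.id_sequence == 0:
            verdicts[num] = ("idle: bound but no packet was ever queued "
                             "(nft rule, hook or interface names do not match the traffic)")
        elif q.dropped or q.user_dropped:
            verdicts[num] = f"dropping: {q.dropped} kernel drops, {q.user_dropped} userspace drops"
        else:
            verdicts[num] = f"ok: {q.id_sequence} packets queued, backlog {q.backlog}"
    return verdicts


# Constructed sample: queues 3 and 4 bound by the same process, queue 5 never bound.
SAMPLE = """\
    3   4017     0 2 65531     0     0      234  1
    4   4017     0 2 65531     0     0        0  1
"""

if __name__ == "__main__":
    with open(PROC_PATH) as fh:
        live = parse_nfnetlink_queue(fh.read())
    for num, verdict in diagnose(live, expected_queues(["-q", "3,4,5"])).items():
        print(f"queue {num}: {verdict}")
```

Run it on the machine where the rules do not fire while the tunnel traffic is flowing; an idle or unbound verdict means the packets never reach Suricata and no rule can fire, whatever it contains.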

What version are you running?
Also please share the config, suricata.log and stats.log.
There could be many reasons why something is not working.
Is the traffic forwarded in all scenarios and it’s just the issue that some rules do not trigger?

Versions tested: 6.0.1, 6.0.10
These are the packages provided by Debian.

Yes, in all scenarios the traffic is forwarded and the rules don’t catch this traffic, but if there are only three interfaces (as I described above) the alerts are triggered perfectly.

Here is the suricata.yaml
The included file 00-rules.yaml contains only the rule file names and the rule files path.

%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: '[172.24.0.0/16]'
    EXTERNAL_NET: '!$HOME_NET'
    HTTP_SERVERS: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    DNS_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
    AIM_SERVERS: $EXTERNAL_NET
    DC_SERVERS: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNP3_CLIENT: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
  port-groups:
    HTTP_PORTS: '80'
    SHELLCODE_PORTS: '!80'
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
default-log-dir: /var/log/suricata/
stats:
  enabled: no
  interval: 600
outputs:
- fast:
    enabled: yes
    filename: fast.log
    append: yes
    filetype: regular
- eve-log:
    enabled: yes
    filetype: regular
    filename: eve.json
    json:
      compact: yes
    identity: suricata
    facility: local7
    level: Alert
    pcap-file: no
    community-id: no
    community-id-seed: 0
    xff:
      enabled: no
      mode: extra-data
      deployment: reverse
      header: X-Forwarded-For
    types:
    - alert:
        tagged-packets: yes
        metadata:
          app-layer: yes
          flow: yes
          rule:
            metadata: yes
    - anomaly:
        enabled: no
        types: null
    - dns:
        enabled: no
    - dhcp:
        enabled: no
        extended: no
    - ssh:
- http-log:
    enabled: no
    filename: http.log
    append: yes
- tls-log:
    enabled: no
    filename: tls.log
    append: yes
- tls-store:
    enabled: no
- pcap-log:
    enabled: no
    filename: log.pcap
    limit: 1000mb
    max-files: 2000
    compression: none
    mode: normal
    use-stream-depth: no
    honor-pass-rules: no
- alert-debug:
    enabled: yes
    filename: alert-debug.log
    append: yes
- alert-prelude:
    enabled: no
    profile: suricata
    log-packet-content: no
    log-packet-header: yes
- stats:
    enabled: no
    filename: stats.log
    append: yes
    totals: yes
    threads: no
- syslog:
    enabled: no
    identity: suricata
    facility: local7
    level: Info
- file-store:
    version: 2
    enabled: no
    xff:
      enabled: no
      mode: extra-data
      deployment: reverse
      header: X-Forwarded-For
- tcp-data:
    enabled: no
    type: file
    filename: tcp-data.log
- http-body-data:
    enabled: no
    type: file
    filename: http-data.log
- lua:
    enabled: no
    scripts: null
logging:
  default-log-level: notice
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: '[%i] <%d> -- '
af-packet:
- interface: eth1
  cluster-id: 99
  cluster-type: cluster_flow
  defrag: yes
  disable-promisc: yes
- interface: default
  use-mmap: yes
pcap:
- interface: default
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    rfb:
      enabled: no
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt: null
    krb5:
      enabled: no
    snmp:
      enabled: no
    ikev2:
      enabled: no
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: no
    ftp:
      enabled: no
    rdp:
      enabled: no
    ssh:
      enabled: yes
    http2:
      enabled: no
    smtp:
      enabled: no
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: no
    smb:
      enabled: no
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: no
    tftp:
      enabled: no
    dns:
      tcp:
        enabled: no
        detection-ports:
          dp: 53
      udp:
        enabled: no
        detection-ports:
          dp: 53
    http:
      enabled: yes
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: no
    dhcp:
      enabled: no
asn1-max-frames: 256
coredump:
  max-dump: unlimited
host-mode: auto
unix-command:
  enabled: yes
  filename: /var/run/suricata-command.socket
legacy:
  uricontent: enabled
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: yes
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 120
    bypassed: 120
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 20
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 3600
    closed: 120
    bypassed: 100
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
    emergency-bypassed: 100
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
decoder:
  teredo:
    enabled: no
    ports: $TEREDO_PORTS
  vxlan:
    enabled: no
    ports: $VXLAN_PORTS
  geneve:
    enabled: yes
    ports: $GENEVE_PORTS
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  profiling:
    grouping:
      dump-to-disk: no
      include-rules: no
      include-mpm-stats: no
mpm-algo: auto
spm-algo: auto
threading:
  set-cpu-affinity: no
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - receive-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - all
      mode: exclusive
      prio:
        low:
        - 0
        medium:
        - 1-2
        high:
        - 3
        default: medium
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nflog:
- group: 2
  buffer-size: 18432
- group: default
  qthreshold: 1
  qtimeout: 100
  max-size: 20000

detect-engine:
- rule-reload: yes
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
include: 00-rules.yaml

suricata.log

13/6/2023 -- 18:14:51 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
13/6/2023 -- 18:14:51 - <Info> - CPUs/cores online: 2
13/6/2023 -- 18:14:51 - <Config> - luajit states preallocated: 128
13/6/2023 -- 18:14:51 - <Config> - app-layer.error-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31536 and 'request-body-inspect-window' set to 4098 after randomization.
13/6/2023 -- 18:14:51 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31665 and 'response-body-inspect-window' set to 4109 after randomization.
13/6/2023 -- 18:14:51 - <Info> - Protocol detection and parser disabled for dcerpc protocol.
13/6/2023 -- 18:14:51 - <Info> - Protocol detection and parser disabled for dcerpc protocol.
13/6/2023 -- 18:14:51 - <Config> - Protocol detection and parser disabled for smb protocol.
13/6/2023 -- 18:14:51 - <Info> - Parsed disabled for ftp protocol. Protocol detectionstill on.
13/6/2023 -- 18:14:51 - <Info> - Protocol detection and parser disabled for smtp protocol.
13/6/2023 -- 18:14:51 - <Config> - Protocol detection and parser disabled for modbus protocol.
13/6/2023 -- 18:14:51 - <Config> - Protocol detection and parser disabled for enip protocol.
13/6/2023 -- 18:14:51 - <Config> - Protocol detection and parser disabled for DNP3.
13/6/2023 -- 18:14:51 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
13/6/2023 -- 18:14:51 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
13/6/2023 -- 18:14:51 - <Info> - Protocol detection and parser disabled for imap protocol.
13/6/2023 -- 18:14:51 - <Info> - NFQ running in standard ACCEPT/DROP mode
13/6/2023 -- 18:14:51 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
13/6/2023 -- 18:14:51 - <Config> - preallocated 1000 hosts of size 136
13/6/2023 -- 18:14:51 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
13/6/2023 -- 18:14:51 - <Config> - Core dump size set to unlimited.
13/6/2023 -- 18:14:51 - <Config> - defrag.memcap-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
13/6/2023 -- 18:14:51 - <Config> - preallocated 65535 defrag trackers of size 160
13/6/2023 -- 18:14:51 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
13/6/2023 -- 18:14:51 - <Config> - flow.memcap-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - flow size 320, memcap allows for 419430 flows. Per hash row in perfect conditions 6
13/6/2023 -- 18:14:51 - <Config> - stream "prealloc-sessions": 2048 (per thread)
13/6/2023 -- 18:14:51 - <Config> - stream "memcap": 67108864
13/6/2023 -- 18:14:51 - <Config> - stream "midstream" session pickups: disabled
13/6/2023 -- 18:14:51 - <Config> - stream "async-oneside": disabled
13/6/2023 -- 18:14:51 - <Config> - stream "checksum-validation": enabled
13/6/2023 -- 18:14:51 - <Config> - stream.memcap-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly.memcap-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - memcap-policy: 0/0
13/6/2023 -- 18:14:51 - <Config> - stream.midstream-policy: ignore
13/6/2023 -- 18:14:51 - <Config> - stream."inline": enabled
13/6/2023 -- 18:14:51 - <Config> - stream "bypass": disabled
13/6/2023 -- 18:14:51 - <Config> - stream "max-synack-queued": 5
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly "memcap": 268435456
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly "depth": 1048576
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly "toserver-chunk-size": 2493
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly "toclient-chunk-size": 2632
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly.raw: enabled
13/6/2023 -- 18:14:51 - <Config> - stream.reassembly "segment-prealloc": 2048
13/6/2023 -- 18:14:51 - <Info> - fast output device (regular) initialized: fast.log
13/6/2023 -- 18:14:51 - <Info> - eve-log output device (regular) initialized: eve.json
13/6/2023 -- 18:14:51 - <Config> - enabling 'eve-log' module 'alert'
13/6/2023 -- 18:14:51 - <Config> - enabling 'eve-log' module 'anomaly'
13/6/2023 -- 18:14:51 - <Config> - enabling 'eve-log' module 'dns'
13/6/2023 -- 18:14:51 - <Config> - enabling 'eve-log' module 'dhcp'
13/6/2023 -- 18:14:51 - <Config> - enabling 'eve-log' module 'ssh'
13/6/2023 -- 18:14:51 - <Info> - alert-debug output device (regular) initialized: alert-debug.log
13/6/2023 -- 18:14:51 - <Info> - stats output device (regular) initialized: stats.log
13/6/2023 -- 18:14:51 - <Config> - Delayed detect disabled
13/6/2023 -- 18:14:51 - <Config> - pattern matchers: MPM: hs, SPM: hs
13/6/2023 -- 18:14:51 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
13/6/2023 -- 18:14:51 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
13/6/2023 -- 18:14:51 - <Config> - prefilter engines: MPM
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_uri
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_uri
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_uri
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_uri
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_request_line
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_client_body
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_response_line
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header_names
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header_names
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header_names
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_header_names
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept_enc
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept_enc
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept_lang
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_accept_lang
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_referer
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_referer
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_connection
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_connection
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_len
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_len
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_len
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_len
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_type
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_type
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_type
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_content_type
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http.server
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http.server
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http.location
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http.location
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_protocol
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_protocol
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_start
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_start
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_method
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_method
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_cookie
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_cookie
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_cookie
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_cookie
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file.magic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_user_agent
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_user_agent
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_host
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_host
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_host
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_raw_host
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_stat_msg
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_stat_code
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http_stat_code
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http2_header_name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http2_header_name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http2_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for http2_header
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dns_query
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dnp3_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dnp3_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.sni
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.cert_issuer
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.cert_subject
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.cert_serial
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.cert_fingerprint
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tls.certs
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ja3.hash
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ja3.string
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ja3s.hash
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ja3s.string
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dce_stub_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dce_stub_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dce_stub_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for dce_stub_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for smb_named_pipe
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for smb_share
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.proto
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.proto
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh_software
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh_software
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.hassh
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.hassh.server
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.hassh.string
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ssh.hassh.server.string
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for file_data
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for krb5_cname
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for krb5_sname
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.method
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.uri
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.protocol
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.protocol
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.method
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.stat_msg
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.request_line
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for sip.response_line
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for rfb.name
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for snmp.community
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for snmp.community
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.connect.clientid
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.connect.username
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.connect.password
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.connect.willtopic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.connect.willmessage
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.publish.topic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.publish.message
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.subscribe.topic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for mqtt.unsubscribe.topic
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for icmpv4.hdr
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tcp.hdr
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for udp.hdr
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for icmpv6.hdr
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ipv4.hdr
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for ipv6.hdr
13/6/2023 -- 18:14:51 - <Config> - IP reputation disabled
13/6/2023 -- 18:14:51 - <Config> - Loading rule file: /etc/suricata/rules/gws/default.rules
13/6/2023 -- 18:14:51 - <Config> - Loading rule file: /etc/suricata/rules/gws/1-rule.rules
13/6/2023 -- 18:14:51 - <Info> - 2 rule files processed. 2 rules successfully loaded, 0 rules failed
13/6/2023 -- 18:14:51 - <Info> - Threshold config parsed: 0 rule(s) found
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tcp-packet
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for tcp-stream
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for udp-packet
13/6/2023 -- 18:14:51 - <Perf> - using shared mpm ctx' for other-ip
13/6/2023 -- 18:14:51 - <Info> - 2 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
13/6/2023 -- 18:14:51 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
13/6/2023 -- 18:14:51 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
13/6/2023 -- 18:14:51 - <Perf> - Unique rule groups: 1
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toserver TCP packet": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toclient TCP packet": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toserver TCP stream": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toclient TCP stream": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toserver UDP packet": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "toclient UDP packet": 0
13/6/2023 -- 18:14:51 - <Perf> - Builtin MPM "other IP packet": 0
13/6/2023 -- 18:14:51 - <Perf> - AppLayer MPM "toserver tls.sni (tls)": 1
13/6/2023 -- 18:14:51 - <Config> - AutoFP mode using "Hash" flow load balancer
13/6/2023 -- 18:14:51 - <Info> - binding this thread 0 to queue '3'
13/6/2023 -- 18:14:51 - <Info> - setting queue length to 4096
13/6/2023 -- 18:14:51 - <Info> - setting nfnl bufsize to 6144000
13/6/2023 -- 18:14:51 - <Config> - using 1 flow manager threads
13/6/2023 -- 18:14:51 - <Config> - using 1 flow recycler threads
13/6/2023 -- 18:14:51 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
13/6/2023 -- 18:14:51 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

stats.log

Date: 6/14/2023 -- 13:29:23 (uptime: 0d, 19h 14m 32s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 234
decoder.bytes                                 | Total                     | 54147
decoder.ipv4                                  | Total                     | 234
decoder.tcp                                   | Total                     | 97
decoder.udp                                   | Total                     | 137
decoder.avg_pkt_size                          | Total                     | 231
decoder.max_pkt_size                          | Total                     | 1278
flow.tcp                                      | Total                     | 69
flow.udp                                      | Total                     | 97
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 2
flow.wrk.flows_evicted                        | Total                     | 17
tcp.sessions                                  | Total                     | 8
tcp.syn                                       | Total                     | 8
app_layer.flow.failed_udp                     | Total                     | 97
ips.accepted                                  | Total                     | 230
ips.blocked                                   | Total                     | 4
flow.mgr.full_hash_pass                       | Total                     | 289
flow.spare                                    | Total                     | 9949
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 186
flow.mgr.flows_notimeout                      | Total                     | 37
flow.mgr.flows_timeout                        | Total                     | 149
flow.mgr.flows_evicted                        | Total                     | 149
tcp.memuse                                    | Total                     | 1212416
tcp.reassembly_memuse                         | Total                     | 196608
flow.memuse                                   | Total                     | 7394304

Can someone help, please? I need to resolve this issue. I’m trying to find a solution, but with no results.
I want to use Suricata and don’t want to look for another solution, e.g. Snort.

Thanks

First of all you should update to 6.0.13 which includes important security fixes.

I would try to narrow it down to what is the difference between the deployments that work and those that don’t work as expected.

So ideally post an example of event logs with flow and alert events from the working one and the flow event from the one where the rule did not fire. Also post the rule that you would expect to trigger on that traffic.

A while back I was trying to test IPS in a libvirt VM and ran into issues when the NICs used virtio. I wonder if this could be something related. My ticket is here: Bug #5871: ips/af-packet: doesn't work between 2 virtio devices - Suricata - Open Information Security Foundation

Hello, thanks for your reply,
There are no differences; a deployment that works does exactly what I expect. A deployment that doesn’t work simply doesn’t work, and nothing appears in the logs (not just alerts, but also flow events), so there is nothing to compare.

alert:

{"timestamp":"2023-06-22T09:14:20.766628+0200","flow_id":132636992115694,"event_type":"alert","src_ip":"172.24.4.89","src_port":49801,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000002,"rev":1,"signature":"55df91ff-4562-4bf7-a1f7-f755207eec5c","category":"","severity":3},"tls":{"sni":"admin.-hidden-.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":805,"bytes_toclient":60,"start":"2023-06-22T09:14:20.496622+0200"}}

Thanks
Tomas

Please post the corresponding rule as well as the flow events matching the alerts; make sure the flow event type is enabled in suricata.yaml on those deployments.
Without exact examples (you can hide sensitive info, of course) it’s hard to tell why it worked on one deployment while it did not work on the other one.

You also say “no difference”, but in the initial post you talked about “different cloud providers” and also a difference regarding the interfaces.

I’m sorry, I forgot about the rules:

deployment that works:

alert tls 172.24.4.0/22 any -> $EXTERNAL_NET 443 (msg:"55df91ff-4562-4bf7-a1f7-f755207eec5c"; tls.sni; content: "admin.-hidden-.com"; startswith;nocase; gid:56; sid:100000002; rev:1;)

deployment that doesn’t work:

alert tls 172.24.0.0/22 any -> $EXTERNAL_NET 443 (msg:"55df91ff-4562-4bf7-a1f7-f755207eec5c"; tls.sni; content: "admin.-hidden-.com"; startswith;nocase; gid:1; sid:100000002; rev:1;)

All necessary settings are enabled, as shown in the configuration above.

You also say “no difference”, but in the initial post you talked about “different cloud providers” and also a difference regarding the interfaces.

Sorry, I meant the differences in configuration. Of course both machines run in different environments (clouds), but with the same software. The differences are in the number of interfaces and probably in the hardware used.

Thanks for the information. I have the chance to test this with one of the providers.

As mentioned, please provide event types flow as well that should match the rule, so we can try to find out why it did not trigger.

I hope this is what you need; otherwise let me know what you need.

rule:

alert tls 172.24.4.0/22 any -> $EXTERNAL_NET 443 (msg:"f6337eee-50c9-42f9-aea3-48739acfab54"; tls.sni; content: "zabbix.hidden.com"; startswith;nocase; gid:56; sid:100000001; rev:1;)
{"timestamp":"2023-06-22T15:47:41.748076+0200","flow_id":1639572911806251,"event_type":"alert","src_ip":"172.24.4.113","src_port":39830,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":681,"bytes_toclient":60,"start":"2023-06-22T15:47:41.644907+0200"}}
{"timestamp":"2023-06-22T15:47:42.545588+0200","flow_id":286398368104788,"event_type":"alert","src_ip":"172.24.4.113","src_port":39844,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":860,"bytes_toclient":60,"start":"2023-06-22T15:47:42.442708+0200"}}
{"timestamp":"2023-06-22T15:47:42.549023+0200","flow_id":520798355769412,"event_type":"alert","src_ip":"172.24.4.113","src_port":39850,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":681,"bytes_toclient":60,"start":"2023-06-22T15:47:42.444484+0200"}}
{"timestamp":"2023-06-22T15:47:42.552787+0200","flow_id":398855644299768,"event_type":"alert","src_ip":"172.24.4.113","src_port":39848,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":860,"bytes_toclient":60,"start":"2023-06-22T15:47:42.442872+0200"}}
{"timestamp":"2023-06-22T15:47:42.989061+0200","flow_id":663438514619399,"event_type":"alert","src_ip":"172.24.4.113","src_port":39858,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":860,"bytes_toclient":60,"start":"2023-06-22T15:47:42.885767+0200"}}
{"timestamp":"2023-06-22T15:47:42.994241+0200","flow_id":158556519041013,"event_type":"alert","src_ip":"172.24.4.113","src_port":39866,"dest_ip":"hidden","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"tls":{"sni":"zabbix.hidden.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":860,"bytes_toclient":60,"start":"2023-06-22T15:47:42.886773+0200"}}
{"timestamp":"2023-06-22T15:50:28.568598+0200","flow_id":286398368104788,"event_type":"flow","src_ip":"172.24.4.113","src_port":39844,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":84,"pkts_toclient":194,"bytes_toserver":15427,"bytes_toclient":239076,"start":"2023-06-22T15:47:42.442708+0200","end":"2023-06-22T15:47:46.680410+0200","age":4,"state":"closed","reason":"unknown","alerted":true},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-22T15:50:50.579399+0200","flow_id":158556519041013,"event_type":"flow","src_ip":"172.24.4.113","src_port":39866,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":39,"pkts_toclient":85,"bytes_toserver":11795,"bytes_toclient":87579,"start":"2023-06-22T15:47:42.886773+0200","end":"2023-06-22T15:47:51.153898+0200","age":9,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-22T15:52:56.642057+0200","flow_id":1639572911806251,"event_type":"flow","src_ip":"172.24.4.113","src_port":39830,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":83,"pkts_toclient":164,"bytes_toserver":19550,"bytes_toclient":182471,"start":"2023-06-22T15:47:41.644907+0200","end":"2023-06-22T15:47:46.680473+0200","age":5,"state":"closed","reason":"unknown","alerted":true},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1a","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-22T15:53:08.695246+0200","flow_id":520798355769412,"event_type":"flow","src_ip":"172.24.4.113","src_port":39850,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":31,"pkts_toclient":43,"bytes_toserver":12636,"bytes_toclient":33941,"start":"2023-06-22T15:47:42.444484+0200","end":"2023-06-22T15:47:51.996420+0200","age":9,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-22T15:53:11.857710+0200","flow_id":663438514619399,"event_type":"flow","src_ip":"172.24.4.113","src_port":39858,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":46,"pkts_toclient":92,"bytes_toserver":12604,"bytes_toclient":95540,"start":"2023-06-22T15:47:42.885767+0200","end":"2023-06-22T15:47:51.108467+0200","age":9,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-22T15:53:40.751267+0200","flow_id":398855644299768,"event_type":"flow","src_ip":"172.24.4.113","src_port":39848,"dest_ip":"hidden","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":60,"pkts_toclient":107,"bytes_toserver":18262,"bytes_toclient":110967,"start":"2023-06-22T15:47:42.442872+0200","end":"2023-06-22T15:47:58.139290+0200","age":16,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}

Thanks
Tomas

Those are the correct ones; there you can also see that alerted is set to true for the flows. But I’m more interested in the flow events on a machine where you don’t see the alerts.

Unfortunately, on the other machine there is no flow corresponding to the rule.
It looks like Suricata didn’t see the traffic at all.

Can you post the stats.log and the parts of the eve.json output of that machine?

stats.log:

------------------------------------------------------------------------------------
Date: 6/23/2023 -- 17:52:34 (uptime: 0d, 03h 31m 01s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 33234
decoder.bytes                                 | Total                     | 21131709
decoder.ipv4                                  | Total                     | 33234
decoder.tcp                                   | Total                     | 29450
decoder.udp                                   | Total                     | 3783
decoder.icmpv4                                | Total                     | 1
decoder.avg_pkt_size                          | Total                     | 635
decoder.max_pkt_size                          | Total                     | 1278
flow.tcp                                      | Total                     | 3549
flow.udp                                      | Total                     | 1756
flow.icmpv4                                   | Total                     | 1
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 44
flow.wrk.flows_evicted                        | Total                     | 1002
tcp.sessions                                  | Total                     | 345
tcp.syn                                       | Total                     | 350
tcp.rst                                       | Total                     | 49
detect.alert                                  | Total                     | 1
app_layer.flow.failed_udp                     | Total                     | 1756
ips.accepted                                  | Total                     | 32924
ips.blocked                                   | Total                     | 310
flow.mgr.full_hash_pass                       | Total                     | 53
flow.spare                                    | Total                     | 9889
flow.mgr.rows_maxlen                          | Total                     | 2
flow.mgr.flows_checked                        | Total                     | 5520
flow.mgr.flows_notimeout                      | Total                     | 1231
flow.mgr.flows_timeout                        | Total                     | 4289
flow.mgr.flows_evicted                        | Total                     | 4289
tcp.memuse                                    | Total                     | 1212416
tcp.reassembly_memuse                         | Total                     | 196608
flow.memuse                                   | Total                     | 7394304

Since I turned on flow logging, eve.json contains only this:

{"timestamp":"2023-06-23T17:49:06.188242+0200","flow_id":1109973059411870,"event_type":"flow","src_ip":" hidden_ip_address","src_port":49618,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":104,"bytes_toclient":0,"start":"2023-06-23T17:44:42.303006+0200","end":"2023-06-23T17:45:32.324213+0200","age":50,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:49:21.545981+0200","flow_id":133224490063226,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51453,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:46:47.513402+0200","end":"2023-06-23T17:46:47.513402+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:49:31.562196+0200","flow_id":138992636071416,"event_type":"flow","src_ip":"hidden_ip_address","src_port":64370,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":105,"bytes_toclient":0,"start":"2023-06-23T17:48:03.265720+0200","end":"2023-06-23T17:48:03.265720+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:50:26.320044+0200","flow_id":1015977717686838,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51275,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":142,"bytes_toclient":0,"start":"2023-06-23T17:49:10.942646+0200","end":"2023-06-23T17:49:10.942646+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:50:33.665055+0200","flow_id":1864272405523545,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51488,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":64,"bytes_toclient":0,"start":"2023-06-23T17:47:10.126041+0200","end":"2023-06-23T17:47:10.126041+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2023-06-23T17:50:34.333100+0200","flow_id":1161564217307850,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51244,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":0,"bytes_toserver":378,"bytes_toclient":0,"start":"2023-06-23T17:47:26.881354+0200","end":"2023-06-23T17:48:13.858094+0200","age":47,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:50:50.446882+0200","flow_id":1039359518222579,"event_type":"flow","src_ip":"hidden_ip_address","src_port":50309,"dest_ip":"hidden_ip_address","dest_port":993,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2023-06-23T17:48:48.239859+0200","end":"2023-06-23T17:48:48.239997+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:51:03.046736+0200","flow_id":474721636571954,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51478,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:47:15.056114+0200","end":"2023-06-23T17:47:15.056114+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:51:09.057618+0200","flow_id":1744992584970117,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51500,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:50:01.962437+0200","end":"2023-06-23T17:50:01.962437+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:51:15.066454+0200","flow_id":622666091000574,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51503,"dest_ip":"hidden_ip_address","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":414,"bytes_toclient":0,"start":"2023-06-23T17:50:02.127742+0200","end":"2023-06-23T17:50:02.127742+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:51:26.418638+0200","flow_id":629168660624618,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51489,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:47:17.931050+0200","end":"2023-06-23T17:47:17.931050+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:51:29.089789+0200","flow_id":349162560556260,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51479,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":104,"bytes_toclient":0,"start":"2023-06-23T17:46:44.593124+0200","end":"2023-06-23T17:46:44.593306+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:52:24.514889+0200","flow_id":1085199703023132,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51493,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":64,"bytes_toclient":0,"start":"2023-06-23T17:48:31.335388+0200","end":"2023-06-23T17:48:31.335388+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2023-06-23T17:52:39.206068+0200","flow_id":108803325260437,"event_type":"flow","src_ip":"hidden_ip_address","src_port":59529,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":126,"bytes_toclient":0,"start":"2023-06-23T17:51:41.291477+0200","end":"2023-06-23T17:51:41.291596+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2023-06-23T17:52:49.223150+0200","flow_id":1803541583018419,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51505,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":904,"bytes_toclient":0,"start":"2023-06-23T17:51:00.899507+0200","end":"2023-06-23T17:51:01.025106+0200","age":1,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:53:06.584453+0200","flow_id":1109973082364444,"event_type":"flow","src_ip":"hidden_ip_address","src_port":49618,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":106,"bytes_toclient":0,"start":"2023-06-23T17:50:32.317980+0200","end":"2023-06-23T17:50:32.317980+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:53:13.262534+0200","flow_id":973290047371440,"event_type":"flow","src_ip":"hidden_ip_address","src_port":50761,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":40,"bytes_toclient":0,"start":"2023-06-23T17:51:37.096432+0200","end":"2023-06-23T17:51:37.096432+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:53:19.272286+0200","flow_id":273158834686100,"event_type":"flow","src_ip":"hidden_ip_address","src_port":50695,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:50:39.592020+0200","end":"2023-06-23T17:50:39.592020+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:53:32.571530+0200","flow_id":153067258790291,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51507,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":189,"bytes_toclient":0,"start":"2023-06-23T17:51:50.475539+0200","end":"2023-06-23T17:51:50.475539+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:53:34.629939+0200","flow_id":1689355581190180,"event_type":"flow","src_ip":"hidden_ip_address","src_port":56522,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":2649,"bytes_toclient":0,"start":"2023-06-23T17:50:40.847908+0200","end":"2023-06-23T17:50:40.848044+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2023-06-23T17:53:42.641631+0200","flow_id":849234216078983,"event_type":"flow","src_ip":"hidden_ip_address","src_port":57628,"dest_ip":"hidden_ip_address","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":15,"pkts_toclient":0,"bytes_toserver":1596,"bytes_toclient":0,"start":"2023-06-23T17:52:39.380551+0200","end":"2023-06-23T17:52:41.634976+0200","age":2,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:00.004843+0200","flow_id":1422839969086646,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51494,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:49:01.720054+0200","end":"2023-06-23T17:49:01.720054+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:01.339329+0200","flow_id":1845662323503814,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51504,"dest_ip":"hidden_ip_address","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":403,"bytes_toclient":0,"start":"2023-06-23T17:50:02.127686+0200","end":"2023-06-23T17:50:02.127686+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:20.038167+0200","flow_id":1856631668579202,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51472,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":40,"bytes_toclient":0,"start":"2023-06-23T17:49:41.957314+0200","end":"2023-06-23T17:49:41.957314+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:26.048838+0200","flow_id":1015977726926675,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51275,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"start":"2023-06-23T17:51:31.155475+0200","end":"2023-06-23T17:51:31.155475+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:34.061078+0200","flow_id":1161564232000771,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51244,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":195,"bytes_toclient":0,"start":"2023-06-23T17:51:10.500995+0200","end":"2023-06-23T17:51:10.501067+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:54:49.418891+0200","flow_id":1733142784946534,"event_type":"flow","src_ip":"hidden_ip_address","src_port":50765,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":102,"bytes_toclient":0,"start":"2023-06-23T17:53:46.962918+0200","end":"2023-06-23T17:53:46.962918+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:55:06.113619+0200","flow_id":1039359526228285,"event_type":"flow","src_ip":"hidden_ip_address","src_port":50309,"dest_ip":"hidden_ip_address","dest_port":993,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":86,"bytes_toclient":0,"start":"2023-06-23T17:50:50.446781+0200","end":"2023-06-23T17:50:50.446781+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:55:10.122141+0200","flow_id":338339266568590,"event_type":"flow","src_ip":"hidden_ip_address","src_port":57626,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":40,"bytes_toclient":0,"start":"2023-06-23T17:52:44.991630+0200","end":"2023-06-23T17:52:44.991630+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:55:10.625200+0200","flow_id":153067265505326,"event_type":"flow","src_ip":"hidden_ip_address","src_port":51507,"dest_ip":"hidden_ip_address","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":131,"bytes_toclient":0,"start":"2023-06-23T17:53:32.571438+0200","end":"2023-06-23T17:53:32.571438+0200","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
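The flow events above can be triaged mechanically instead of by eye. The following script is an added example written for this thread, not code from the Suricata project or from either poster. It reads eve.json lines, keeps the flow events, and sorts them into flows Suricata saw in both directions, flows where it only ever saw packets toward the server, and TCP flows where it never recorded a single TCP flag (eve writes `tcp_flags` from the TCP stream session, so "00" without a `state` key means no session was created for that flow; Suricata only creates one on a SYN unless stream.midstream is enabled). Those three labels are this example's own heuristics, not Suricata terminology. SAMPLE_EVE is constructed to mirror the shape of the events posted in this thread; the addresses 172.24.0.50, 172.24.4.113 and 198.51.100.x are placeholders.

```python
"""Triage Suricata eve.json flow events: did the sensor see whole sessions,
or only one direction of them?

Added example for this thread; not code from the Suricata project or from
the posters. SAMPLE_EVE is constructed to mirror the shape of the events
posted above; addresses are placeholders.
"""
import json
import sys
from collections import Counter
from typing import Iterable

# Constructed sample: an alert plus one flow shaped like the working
# deployment (both directions, app_proto identified, alerted), then flows
# shaped like the non-working one (packets toward the server only).
SAMPLE_EVE = """\
{"timestamp":"2023-06-22T15:47:42+0200","flow_id":1,"event_type":"alert","src_ip":"172.24.4.113","src_port":39844,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":56,"signature_id":100000001,"rev":1,"signature":"f6337eee-50c9-42f9-aea3-48739acfab54","category":"","severity":3},"app_proto":"tls"}
{"timestamp":"2023-06-22T15:50:28+0200","flow_id":1,"event_type":"flow","src_ip":"172.24.4.113","src_port":39844,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":84,"pkts_toclient":194,"bytes_toserver":15427,"bytes_toclient":239076,"state":"closed","reason":"unknown","alerted":true},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2023-06-23T17:49:21+0200","flow_id":2,"event_type":"flow","src_ip":"172.24.0.50","src_port":51453,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":52,"bytes_toclient":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-06-23T17:50:33+0200","flow_id":3,"event_type":"flow","src_ip":"172.24.0.50","src_port":51488,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":64,"bytes_toclient":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2023-06-23T17:52:39+0200","flow_id":4,"event_type":"flow","src_ip":"172.24.0.50","src_port":59529,"dest_ip":"198.51.100.20","dest_port":443,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":126,"bytes_toclient":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2023-06-23T17:53:42+0200","flow_id":5,"event_type":"flow","src_ip":"172.24.0.50","src_port":57628,"dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":15,"pkts_toclient":0,"bytes_toserver":1596,"bytes_toclient":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
"""


def parse_eve(lines: Iterable[str]) -> list:
    """Parse eve.json lines; blank or truncated lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_flow(ev: dict) -> str:
    """Label one flow event by what Suricata actually saw on it.

    bidirectional: packets in both directions, the normal case inline.
    no_tcp_flags:  TCP flow with packets counted but no TCP flag ever
                   recorded; no stream session existed for it (Suricata
                   creates one on a SYN, or on any packet only with
                   stream.midstream enabled).
    one_way:       packets toward the server only; without the reply
                   direction app-layer detection, and so tls.sni/http
                   rules, cannot complete.
    """
    if ev.get("proto") == "TCP" and ev.get("tcp", {}).get("tcp_flags") == "00":
        return "no_tcp_flags"
    if ev["flow"].get("pkts_toclient", 0) == 0:
        return "one_way"
    return "bidirectional"


def summarize(events: list) -> dict:
    """Counts over the flow events only; alert and other event types are ignored."""
    flows = [e for e in events if e.get("event_type") == "flow"]
    labels = Counter(classify_flow(e) for e in flows)
    return {
        "flows": len(flows),
        "bidirectional": labels["bidirectional"],
        "one_way": labels["one_way"],
        "no_tcp_flags": labels["no_tcp_flags"],
        "app_proto_identified": sum(1 for e in flows if e.get("app_proto") not in (None, "failed")),
        "alerted": sum(1 for e in flows if e["flow"].get("alerted")),
        # which destination ports the broken flows went to
        "affected_dest_ports": dict(Counter(e["dest_port"] for e in flows
                                            if classify_flow(e) != "bidirectional")),
    }


def verdict(s: dict) -> str:
    """Turn the counts into the question this thread circles: whole sessions, or one direction?"""
    if s["flows"] == 0:
        return "no flow events: flow logging off, or no traffic reaching the queue"
    broken = s["one_way"] + s["no_tcp_flags"]
    if broken == s["flows"]:
        return "every flow is one-directional or untracked: reply traffic is not reaching Suricata"
    if broken:
        return f"{broken}/{s['flows']} flows one-directional or untracked: check which interfaces/queues they arrive on"
    return "flows are bidirectional: look at the rule, HOME_NET/EXTERNAL_NET and app_proto instead"


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    s = summarize(parse_eve(lines))
    print(json.dumps(s, indent=2))
    print(verdict(s))
```

Run it with the eve.json of the working machine and of the non-working one; a summary in which `one_way` plus `no_tcp_flags` equals `flows` says the rule never had a chance, because `tls.sni` is only parsed once both sides of the handshake have been seen.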