Not recognizing protocols, only flow

Hi,

I have two servers running Suricata, and one of them has a weird behavior.
Suricata doesn't recognize traffic other than flow, like HTTP and others. The rules, Suricata version and CentOS version on the two servers are the same, but the second one cannot look up higher protocols. The servers have the same suricata.yaml.
Do you know anything about this?

Details from the server that is not recognizing protocols:

[root@server1 ~]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@server1 ~]$ suricata -V
This is Suricata version 6.0.3 RELEASE
[root@server1 ~]$ grep -ie http /logs/suricata/stats.log
[root@server1 ~]$

Details from the working server:

[root@server2 ~]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@server2 ~]$ suricata -V
This is Suricata version 6.0.3 RELEASE
[root@server2 ~]$ grep -ie http /logs/suricata/stats.log
app_layer.flow.http | Total | 330108
app_layer.tx.http | Total | 1297738
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 74055
app_layer.flow.http | Total | 330110
app_layer.tx.http | Total | 1297740
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 59682
app_layer.flow.http | Total | 330111
app_layer.tx.http | Total | 1297747
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 73848
app_layer.flow.http | Total | 330111
app_layer.tx.http | Total | 1297747
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 69113
app_layer.flow.http | Total | 330114
app_layer.tx.http | Total | 1297751
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 72163
app_layer.flow.http | Total | 330114
app_layer.tx.http | Total | 1297751
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 66928
app_layer.flow.http | Total | 330115
app_layer.tx.http | Total | 1297754
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 71957
app_layer.flow.http | Total | 330116
app_layer.tx.http | Total | 1297757
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 71285
app_layer.flow.http | Total | 330116
app_layer.tx.http | Total | 1297758
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 65492
app_layer.flow.http | Total | 330117
app_layer.tx.http | Total | 1297762
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 65682
app_layer.flow.http | Total | 330118
app_layer.tx.http | Total | 1297765
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 60451
app_layer.flow.http | Total | 330120
app_layer.tx.http | Total | 1297768
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 64379
app_layer.flow.http | Total | 330122
app_layer.tx.http | Total | 1297771
app_layer.flow.http2 | Total | 1
app_layer.tx.http2 | Total | 2
http.memuse | Total | 60018

Hi – welcome to the community!

Could you provide more information – knowing the network topology would be helpful, as well as how each Suricata instance is configured (inline/IPS, IDS, or as a network security monitor (NSM)).

E.g., list the network connections for each server running Suricata and the device(s) on the other end of each server network connection.

Hi Jeff, thanks for your reply.
Both servers are receiving the traffic from a switch mirror port, as in the following diagram:

Can you

  1. Post the suricata configuration file for each server
  2. Indicate the Suricata version you’re working with

  1. I lost my first server (that one was working), but both are using the following suricata.yaml: suricata-commented.yml (40.3 KB)

  2. I am using Suricata version 6.0.3 RELEASE, installed using yum.

Try running tcpdump on both servers and look into the traffic to see if you can spot a difference; it must be something within the setup.
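Before reaching for tcpdump, the stats.log excerpts already posted in this thread can be compared mechanically. The following script is an added example, not code from the thread or from the Suricata project: it parses the "counter | TM Name | Value" lines that stats.log writes (the same format as the grep output above), keeps the latest dump of each counter, and flags the conditions that most often leave a sensor with flow records but no app-layer classification: no SYN/ACKs (a mirror port forwarding only one direction), mass TCP checksum failures (NIC offload on the capture interface), heavy kernel drops, or simply zero app_layer.flow.* counters. The counter names used (tcp.sessions, tcp.syn, tcp.synack, tcp.invalid_checksum, decoder.tcp, capture.kernel_packets, capture.kernel_drops, app_layer.flow.*) are assumed to be the standard Suricata 6 stats names; the two stats samples and the thresholds are constructed for the example.

```python
"""Compare app-layer visibility between two Suricata sensors from stats.log.

Added example (not from the thread or the Suricata project). Counter names are
assumed to be Suricata's standard stats.log names; the sample dumps below are
constructed, not captured from the servers in the thread.
"""
import re

# Data lines in stats.log look like "app_layer.flow.http | Total | 330108".
LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$"
)

# Constructed sample: two consecutive dumps from a healthy sensor; the later
# dump overwrites the earlier one when parsed.
WORKING_STATS = """\
------------------------------------------------------------------
Counter                        | TM Name | Value
------------------------------------------------------------------
decoder.pkts                   | Total   | 90000
decoder.tcp                    | Total   | 80000
tcp.sessions                   | Total   | 4990
tcp.syn                        | Total   | 4990
tcp.synack                     | Total   | 4900
tcp.invalid_checksum           | Total   | 0
app_layer.flow.http            | Total   | 3000
app_layer.tx.http              | Total   | 12000
app_layer.flow.tls             | Total   | 1500
app_layer.flow.failed_tcp      | Total   | 100
capture.kernel_packets         | Total   | 90000
capture.kernel_drops           | Total   | 0
------------------------------------------------------------------
decoder.pkts                   | Total   | 100000
decoder.tcp                    | Total   | 90000
tcp.sessions                   | Total   | 5000
tcp.syn                        | Total   | 5000
tcp.synack                     | Total   | 4910
tcp.invalid_checksum           | Total   | 0
app_layer.flow.http            | Total   | 3002
app_layer.tx.http              | Total   | 12010
app_layer.flow.tls             | Total   | 1502
app_layer.flow.failed_tcp      | Total   | 100
capture.kernel_packets         | Total   | 100000
capture.kernel_drops           | Total   | 0
"""

# Constructed sample: a sensor that sees only the client-to-server direction,
# so the stream engine never completes a handshake and nothing gets classified.
BROKEN_STATS = """\
decoder.pkts                   | Total   | 100000
decoder.tcp                    | Total   | 90000
tcp.sessions                   | Total   | 4800
tcp.syn                        | Total   | 4800
tcp.synack                     | Total   | 0
tcp.invalid_checksum           | Total   | 0
app_layer.flow.failed_tcp      | Total   | 4800
capture.kernel_packets         | Total   | 100000
capture.kernel_drops           | Total   | 0
"""


def parse_stats(text):
    """Return {counter: value} using the most recent dump of each 'Total' counter."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("tm").strip() == "Total":
            counters[m.group("name")] = int(m.group("value"))
    return counters


def app_layer_flows(counters):
    """Flows per recognized protocol: {'http': n, ...}, ignoring failed_* counters."""
    return {
        name.split(".", 2)[2]: value
        for name, value in counters.items()
        if name.startswith("app_layer.flow.") and not name.startswith("app_layer.flow.failed")
    }


def diagnose(counters):
    """Return a list of (code, explanation) findings for one sensor's counters."""
    findings = []
    sessions = counters.get("tcp.sessions", 0)
    if sessions and sum(app_layer_flows(counters).values()) == 0:
        findings.append(("NO_APP_LAYER", f"{sessions} TCP sessions, none classified to any app-layer protocol"))
    if counters.get("tcp.syn", 0) and counters.get("tcp.synack", 0) == 0:
        findings.append(("ONE_WAY_TRAFFIC", "SYNs seen but no SYN/ACKs: the mirror port may carry one direction only"))
    tcp_pkts = counters.get("decoder.tcp", 0)
    if tcp_pkts and counters.get("tcp.invalid_checksum", 0) / tcp_pkts > 0.5:
        findings.append(("CHECKSUM_FAILURES", "most TCP packets fail checksum validation: check NIC offload on the capture interface"))
    kpkts = counters.get("capture.kernel_packets", 0)
    if kpkts and counters.get("capture.kernel_drops", 0) / kpkts > 0.1:
        findings.append(("KERNEL_DROPS", "more than 10% of captured packets dropped in the kernel"))
    return findings


def missing_protocols(working, broken):
    """Protocols the working sensor classifies that the broken one never reports."""
    return set(app_layer_flows(working)) - set(app_layer_flows(broken))


if __name__ == "__main__":
    # On a real sensor: diagnose(parse_stats(open("/logs/suricata/stats.log").read()))
    good, bad = parse_stats(WORKING_STATS), parse_stats(BROKEN_STATS)
    print("working:", diagnose(good) or "no findings")
    print("broken:", diagnose(bad))
    print("protocols missing on broken sensor:", sorted(missing_protocols(good, bad)))
```

Run it against the last few dumps of each server's /logs/suricata/stats.log; a ONE_WAY_TRAFFIC finding on the silent sensor points at the SPAN session (only one direction mirrored, or the server's NIC receiving on a port that is not the mirror destination), while CHECKSUM_FAILURES points at the capture NIC rather than at Suricata, which is exactly the difference tcpdump on both boxes would otherwise have to reveal by eye.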