Hi,
I have been banging my head with this question for quite some time. Let me break it down for you.
I created a test rule that alerts on a SYN packet flood. This is the rule:
alert tcp $HOME_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:denial-of-service; sid:6;)
I generated a flood from a different machine like this. There were 148119 packets transmitted:
HPING x.x.x.x (ens33 x.x.x.x): S set, 40 headers + 120 data bytes
hping in flood mode, no replies will be shown
^C
--- x.x.x.x hping statistic ---
148119 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
I instantly get the alert on Suricata:
08/04/2023-11:56:58.894720 [**] [1:7:0] LOCAL DOS SYN packet flood inside LAN, Potential DOS [**] [Classification: Detection of a Denial of Service Attack] [Priority: 1] {TCP} x.x.x.x:17289 -> x.x.x.x:21
The flow log is the following:
{"timestamp":"2023-08-04T11:57:44.159434+0100","flow_id":1290984918525696,"in_iface":"x","event_type":"flow","vlan":[x],"src_ip":"x.x.x.x","src_port":17289,"dest_ip":"x.x.x.x","dest_port":21,"proto":"TCP","flow":{**"pkts_toserver":2**,"pkts_toclient":0,"bytes_toserver":348,"bytes_toclient":0,"start":"2023-08-04T11:56:58.894720+0100","end":"2023-08-04T11:56:59.981622+0100","age":1,"state":"new","reason":"timeout","alerted":true},"community_id":"1:3QSuuSiUd8ypsCUfTHhL9HVkqQ0=","tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
Here is where my question lies. If there were 148119 transmitted packets, why are the “pkts_toserver” and “network_packets” values 2?
Also, in the alert log the “pkts_toserver” value is 1:
{"timestamp":"2023-08-04T11:56:58.894720+0100","flow_id":1290984918525696,"in_iface":"x","event_type":"alert","vlan:[x],"src_ip":"x.x.x.x","src_port":17289,"dest_ip":"x.x.x.x","dest_port":21,"proto":"TCP","community_id":"1:3QSuuSiUd8ypsCUfTHhL9HVkqQ0=","alert":{"action":"allowed","gid":1,"signature_id":7,"rev":0,"signature":"LOCAL DOS SYN packet flood inside LAN, Potential DOS","category":"Detection of a Denial of Service Attack","severity":1},"flow":{**"pkts_toserver":1**,"pkts_toclient":0,"bytes_toserver":174,"bytes_toclient":0,"start":"2023-08-04T11:56:58.894720+0100"},"payload":"WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhY","payload_printable":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","stream":0,"packet":"ABx/ZhmuVHXQf6RACABFAACgl1gAAD8GzXgKFQFkCgsBBEOJABVLSv2keBC9v1ACAEAhkQAAWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhY","packet_info":{"linktype":1}
}
I need to understand, whenever this rule is triggered, how many packets were generated from that particular flow. In this case I know that there were more than 5000 (because the rule only triggers if the value is above 5000), but I cannot understand how many there were exactly.
Thanks in advance for any input that you might give me!
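As an added example (this is not part of the original post and not Suricata's own tooling), the script below sums "pkts_toserver" across every flow record in eve.json for one source/destination pair inside the threshold window, instead of reading the counter of a single flow record. Suricata keys TCP flows on the 5-tuple, so SYNs sent from different source ports each land in their own flow record, and any one record's "pkts_toserver" only describes that one flow. The eve lines, IP addresses, ports and the helper names (make_flow, summarize_flows, packets_around_alert) are constructed for this example.

```python
import json
from datetime import datetime, timedelta

def parse_ts(ts: str) -> datetime:
    # Suricata eve timestamps look like 2023-08-04T11:57:44.159434+0100
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def make_flow(src_ip, src_port, dest_ip, dest_port, start, pkts, tcp_flags="02"):
    """Build one constructed eve 'flow' line with the fields the post's record shows."""
    return json.dumps({
        "timestamp": start, "event_type": "flow",
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dest_ip, "dest_port": dest_port, "proto": "TCP",
        "flow": {"pkts_toserver": pkts, "pkts_toclient": 0,
                 "start": start, "state": "new", "alerted": False},
        "tcp": {"tcp_flags": tcp_flags, "syn": tcp_flags == "02", "state": "syn_sent"},
    })

# Constructed sample eve.json content (not from the post): eight SYN-only flows
# from 10.0.0.5 to 10.0.0.9:21, one source port each, carrying 1 or 2 packets,
# plus one unrelated SSH flow and one alert line that must be ignored.
SAMPLE_EVE = "\n".join(
    [make_flow("10.0.0.5", 40000 + i, "10.0.0.9", 21,
               f"2023-08-04T11:56:58.{100000 + i * 1000:06d}+0100", 1 + (i % 2))
     for i in range(8)]
    + [make_flow("10.0.0.7", 51000, "10.0.0.9", 22,
                 "2023-08-04T11:56:59.000000+0100", 12, tcp_flags="1b"),
       json.dumps({"timestamp": "2023-08-04T11:56:58.894720+0100",
                   "event_type": "alert", "src_ip": "10.0.0.5",
                   "dest_ip": "10.0.0.9", "flow": {"pkts_toserver": 1}})]
)

def summarize_flows(eve_lines, src_ip, dest_ip, since=None, until=None):
    """Sum packets over all flow records for src_ip -> dest_ip.

    Only event_type 'flow' lines count; 'since'/'until' (aware datetimes)
    restrict the flows by their start time.
    """
    flows = pkts = syn_only = 0
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        if ev.get("src_ip") != src_ip or ev.get("dest_ip") != dest_ip:
            continue
        start = parse_ts(ev["flow"]["start"])
        if since is not None and start < since:
            continue
        if until is not None and start > until:
            continue
        flows += 1
        pkts += ev["flow"].get("pkts_toserver", 0)
        # tcp_flags "02" means only SYN was ever seen: a half-open connection
        if ev.get("tcp", {}).get("tcp_flags") == "02":
            syn_only += 1
    return {"flows": flows, "pkts_toserver": pkts, "syn_only_flows": syn_only}

def packets_around_alert(eve_lines, alert_event, window_seconds=5):
    """Total packets for the alert's src/dst pair in the window that ends at
    the alert timestamp (5 s matches the rule's 'seconds 5' threshold)."""
    alert_ts = parse_ts(alert_event["timestamp"])
    since = alert_ts - timedelta(seconds=window_seconds)
    summary = summarize_flows(eve_lines, alert_event["src_ip"],
                              alert_event["dest_ip"], since=since, until=alert_ts)
    return summary["pkts_toserver"]

if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    print(summarize_flows(lines, "10.0.0.5", "10.0.0.9"))
    alert = {"timestamp": "2023-08-04T11:56:58.894720+0100",
             "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}
    print(packets_around_alert(lines, alert))
```

On a real eve.json the flow records for a flood are written as the flows time out, so run the summary after Suricata has emitted them (the post's record shows "reason":"timeout"); the "syn_only_flows" count separates half-open SYN flows from ordinary connections to the same host.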