Several app_proto in flows appears as failed

Help
1

Hi all,

I am using Suricata 5.0.3 under a RHEL 8.2 hosts. I have noticed that many events in flows, which are https or netbios requets, appear as app_proto failed, such as:

{ [-]
app_proto: failed
community_id: 1:SijpdtGL2d0IAtIAIAFs8Gdq8YA=
dest_ip: 77.66.84.233
dest_port: 443
event_type: flow
flow: { [-]
age: 0
alerted: false
bytes_toclient: 649
bytes_toserver: 618
end: 2020-09-24T15:01:01.238327+0000
pkts_toclient: 1
pkts_toserver: 1
reason: timeout
start: 2020-09-24T15:01:01.194012+0000
state: established
}
flow_id: 1010084850038236
in_iface: idsif1
proto: UDP
src_ip: 172.22.55.1
src_port: 48213
timestamp: 2020-09-24T15:06:03.000351+0000
}

Is this due to timeout in “reason”?

Regards

2

Which protocol would you have expected here? For UDP/443 we don’t have a parser normally.

The timeout in reason is that the flow timed out and therefore was evicted from the hash and was logged. From the looks of it about 5 minutes after the last packet was seen, which matches the default timeout setting for established (300s).

3

Thanks Victor. But there are a lot of events that appears as app_proto:failed and protocol is TCP and dest_port is 443, like for example:

{ [-]
app_proto: failed
community_id: 1:9BEs/uWTl/TNq8tp9PLK7zsmTks=
dest_ip: 176.56.237.171
dest_port: 443
event_type: flow
flow: { [-]
age: 0
alerted: false
bytes_toclient: 1100
bytes_toserver: 540
end: 2020-09-24T15:57:32.797529+0000
pkts_toclient: 5
pkts_toserver: 5
reason: timeout
start: 2020-09-24T15:57:32.696029+0000
state: closed
}
flow_id: 1262229717294813
in_iface: idsif1
metadata: { [-]
flowbits: [ [-]
FB180732_0
]
}
proto: TCP
src_ip: 172.22.55.1
src_port: 39548
tcp: { [-]
ack: true
fin: true
psh: true
state: closed
syn: true
tcp_flags: 1b
tcp_flags_tc: 1b
tcp_flags_ts: 1b
}
timestamp: 2020-09-24T15:58:34.000576+0000
}

4

More info. These are the current stats about streams tagged as app_proto failed.

Screenshot 2020-09-24 at 18.09.17
Screenshot 2020-09-24 at 18.09.171902×537 32.7 KB
Screenshot 2020-09-24 at 18.09.01
Screenshot 2020-09-24 at 18.09.011901×336 27.2 KB

5

app_proto: failed can also mean that the application layer protocol is not in the list displayed by suricata --list-app-layer-protos

6

Thanks Jeff. But according to my stats, all app_proto are related to well known ports like 443, 138, 139, etc.

7

It means protocol detection did not manage to detect the protocol. Can you share pcap examples?

8

Of course. For example this one.200928-mgQ3YJIJ0EZDVYKA053kxy3z.pcap (1.5 MB)

9

Suricata does not have a WHOIS parser, so it seems correct that it tells you it failed to identify the protocol.

10

Ok. I will try capture some https packets. Give some minutes.

11

@vjulien. I have the found the problem for TCP and 443 as destination port. All streams marked as app_proto failed are requests done by our internal dnscrypt-proxy server. Does it make sense?

12

I don’t know if it makes sense, but it is interesting for sure. Are you able to (privately) share a pcap for that?

13

Sure. Give me some minutes.

14

Hi @vjulien. I’ve already sent it to you. Many thanks for your help.

15

Please, any news about this?

16

Responded to your DM. In short, it looks like “just data” over port TCP/443, nothing recognizable as TLS except for the port number. So Suricata doesn’t recognize it and it also won’t simply guess based on the port.