Stream.fin_but_no_session anomaly

I’m running Suricata 6.0.6 in-line with NFQ on Ubuntu; I’ve been running this setup for about 3 years. The Ubuntu device is my router and does NAT, FW, and of course IPS. It’s not terribly taxed: it maxes at 50% usage and memory (small office setup).

I get an occasional website on the LAN side that ‘hangs’ while browsing, and my solution has been to address it in iptables before entering the NFQUEUE rule. I had some time to look into it further, and what I see are a bunch of anomaly packets that may be the cause.
This example is from browsing https://travel.state.gov from the .199 host:

{"timestamp":"2022-08-19T19:24:46.398097-0400","flow_id":1352058313279682,"event_type":"anomaly","src_ip":"18.220.218.98","src_port":443,"dest_ip":"172.16.2.199","dest_port":57914,"proto":"TCP","anomaly":{"type":"stream","event":"stream.fin_but_no_session"}}

Edit to post: My working theory now is that the anomaly detection is what’s causing these packets to get ‘lost’.

Anybody have any thoughts or similar experiences as to what I should try/how to mitigate?

Can you share your suricata config file and how you run it?
And yes, you might try running without the anomaly feature for some time to check if it’s the cause.

Yes, I have one line in my iptables, after some housekeeping rules and blacklist blocks, to send traffic to Suricata:

iptables -A FORWARD -m mark ! --mark 1/1 -j NFQUEUE

and I’m using the attached config file, with just minor tweaking from the default:
suricata.yaml (72.2 KB)

Any thoughts are appreciated

And how do you start Suricata?
Can you also post the stats.log?
And try running without anomaly enabled.

Thank you. Suricata is started at boot time, right after the iptables rules are set up (in the same script that builds the iptables rules):

----------
QUEUE=0                                       # NFQUEUE number; the iptables rule above uses the default queue 0
SURICATA=/usr/bin/suricata
SURICATACONFIG=/etc/suricata/suricata.yaml
SURICATA_PID_FILE=/var/run/suricata.pid

# -q: read packets from NFQUEUE $QUEUE (inline/IPS mode); -D: run as a daemon
$SURICATA -c $SURICATACONFIG -q $QUEUE -D --pidfile $SURICATA_PID_FILE
--------------------

Regarding the stats: below are the stats right after the timestamp I posted originally, and below that are the current stats with 4 days of uptime.

I’ll play with turning off anomaly detection; that’s still my working theory.

Date: 8/19/2022 -- 19:25:13 (uptime: 0d, 00h 05m 41s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 29986
decoder.bytes                                 | Total                     | 17292214
decoder.ipv4                                  | Total                     | 29986
decoder.tcp                                   | Total                     | 29384
decoder.udp                                   | Total                     | 602
decoder.avg_pkt_size                          | Total                     | 576
decoder.max_pkt_size                          | Total                     | 1500
flow.tcp                                      | Total                     | 323
flow.udp                                      | Total                     | 465
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 9
stream.fin_but_no_session                     | Total                     | 976
stream.rst_but_no_session                     | Total                     | 167
flow.wrk.flows_evicted                        | Total                     | 25
tcp.sessions                                  | Total                     | 25
tcp.syn                                       | Total                     | 64
tcp.synack                                    | Total                     | 188
tcp.rst                                       | Total                     | 167
detect.alert                                  | Total                     | 16486
detect.alerts_suppressed                      | Total                     | 9
app_layer.flow.ntp                            | Total                     | 3
app_layer.flow.failed_udp                     | Total                     | 462
ips.accepted                                  | Total                     | 28833
ips.blocked                                   | Total                     | 1152
flow.mgr.full_hash_pass                       | Total                     | 2
flow.spare                                    | Total                     | 9593
flow.mgr.rows_maxlen                          | Total                     | 2
flow.mgr.flows_checked                        | Total                     | 709
flow.mgr.flows_notimeout                      | Total                     | 216
flow.mgr.flows_timeout                        | Total                     | 493
flow.mgr.flows_evicted                        | Total                     | 493
tcp.memuse                                    | Total                     | 2424832
tcp.reassembly_memuse                         | Total                     | 393216
flow.memuse                                   | Total                     | 7394304
------------------------------------------------------------------------------------

Date: 8/31/2022 -- 09:15:03 (uptime: 4d, 23h 54m 02s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 75819727
decoder.bytes                                 | Total                     | 85239790878
decoder.ipv4                                  | Total                     | 75819742
decoder.ethernet                              | Total                     | 7
decoder.tcp                                   | Total                     | 27987695
decoder.udp                                   | Total                     | 47832032
decoder.gre                                   | Total                     | 15
decoder.avg_pkt_size                          | Total                     | 1124
decoder.max_pkt_size                          | Total                     | 2215
flow.tcp                                      | Total                     | 302962
flow.udp                                      | Total                     | 830303
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 10385
decoder.event.tcp.opt_invalid_len             | Total                     | 8
stream.fin_but_no_session                     | Total                     | 1020320
stream.rst_but_no_session                     | Total                     | 148213
stream.pkt_broken_ack                         | Total                     | 13838
flow.wrk.flows_evicted                        | Total                     | 94999
tcp.sessions                                  | Total                     | 19123
tcp.syn                                       | Total                     | 27363
tcp.synack                                    | Total                     | 253629
tcp.rst                                       | Total                     | 161976
detect.alert                                  | Total                     | 21847027
detect.alerts_suppressed                      | Total                     | 157
app_layer.flow.ntp                            | Total                     | 9115
app_layer.tx.ntp                              | Total                     | 15
app_layer.flow.tftp                           | Total                     | 8
app_layer.tx.tftp                             | Total                     | 7
app_layer.flow.ikev2                          | Total                     | 1
app_layer.tx.ikev2                            | Total                     | 1
app_layer.flow.dhcp                           | Total                     | 218
app_layer.tx.dhcp                             | Total                     | 988
app_layer.flow.sip                            | Total                     | 158
app_layer.tx.sip                              | Total                     | 158
app_layer.flow.dcerpc_udp                     | Total                     | 1
app_layer.flow.dns_udp                        | Total                     | 59
app_layer.tx.dns_udp                          | Total                     | 63
app_layer.flow.failed_udp                     | Total                     | 820743
ips.accepted                                  | Total                     | 74556704
ips.blocked                                   | Total                     | 1262887
flow.mgr.full_hash_pass                       | Total                     | 1799
flow.spare                                    | Total                     | 10867
flow.mgr.rows_maxlen                          | Total                     | 3
flow.mgr.flows_checked                        | Total                     | 1326251
flow.mgr.flows_notimeout                      | Total                     | 288172
flow.mgr.flows_timeout                        | Total                     | 1038079
flow.mgr.flows_evicted                        | Total                     | 1038079
tcp.memuse                                    | Total                     | 2424832
tcp.reassembly_memuse                         | Total                     | 393216
flow.memuse                                   | Total                     | 7806464
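An added example, not from the thread, that parses the stats.log layout above and turns the stream counters into ratios (no-session FIN/RST per established session, SYN-ACKs per SYN) that show how many flows the stream engine saw teardown packets for without ever having seen a handshake; the embedded sample is a constructed, trimmed copy of the first snapshot, and `delta()` compares two cumulative snapshots such as the two posted.

```python
"""Parse Suricata stats.log snapshots and compute stream-tracking indicators."""
import re
from typing import Dict

# Constructed sample: a trimmed subset of the 8/19/2022 snapshot in the thread.
SAMPLE_STATS = """\
Date: 8/19/2022 -- 19:25:13 (uptime: 0d, 00h 05m 41s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.tcp                                   | Total                     | 29384
stream.fin_but_no_session                     | Total                     | 976
stream.rst_but_no_session                     | Total                     | 167
tcp.sessions                                  | Total                     | 25
tcp.syn                                       | Total                     | 64
tcp.synack                                    | Total                     | 188
tcp.rst                                       | Total                     | 167
------------------------------------------------------------------------------------
"""

# counter | thread name | integer value
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Return {counter: value} for the 'Total' rows of one stats.log snapshot."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth between two cumulative snapshots (missing counters count as 0)."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in set(before) | set(after)}


def stream_indicators(c: Dict[str, int]) -> Dict[str, float]:
    """Ratios describing how often the stream engine handled flows with no session state."""
    sessions = max(c.get("tcp.sessions", 0), 1)  # avoid division by zero on empty snapshots
    syn = max(c.get("tcp.syn", 0), 1)
    no_session = c.get("stream.fin_but_no_session", 0) + c.get("stream.rst_but_no_session", 0)
    return {
        # FIN/RST packets that matched no tracked TCP session, per established session
        "no_session_per_session": no_session / sessions,
        # SYN-ACKs per SYN; well above 1 means retransmits or replies to SYNs the engine never saw
        "synack_per_syn": c.get("tcp.synack", 0) / syn,
        # established sessions per SYN seen; low values mean most handshakes did not complete in view
        "sessions_per_syn": c.get("tcp.sessions", 0) / syn,
    }
```

Feed it the two real snapshots (read each from the file, split on the `Date:` header) and look at `stream_indicators(delta(first, second))` to see whether the no-session ratio is stable over the 4 days or changes after disabling anomaly logging.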