Surcata5.0.2 When rules match，log file have no information

liqingjia · April 23, 2020, 8:05am

I test a rule ：alert tcp any any -> any any (msg:“Test”;content:“123456789”;sid:85304356;rev:8;)
I use scapy send a packet：sport=48000，dport=48017，data=“123456789”
but I have not find a alert in eve-log.json
I only find :{“timestamp”:“2020-04-23T15:25:55.000993+0800”,“flow_id”:1902632979721996,“in_iface”:“ens33”,“event_type”:“flow”,“src_ip”:“192.168.0.27”,“src_port”:48000,“dest_ip”:“192.168.0.120”,“dest_port”:48017,“proto”:“UDP”,“app_proto”:“failed”,“flow”:{“pkts_toserver”:1,“pkts_toclient”:0,“bytes_toserver”:60,“bytes_toclient”:0,“start”:“2020-04-23T15:25:24.716556+0800”,“end”:“2020-04-23T15:25:24.716556+0800”,“age”:0,“state”:“new”,“reason”:“timeout”,“alerted”:false}}

alerted:false reason:timeout ?
why have not alert event_type ?could you help ?

sbhardwaj · April 23, 2020, 8:14am

Hi @liqingjia!
Could the proto: UDP in the logs be an indicator of something? You’re telling Suricata to alert on TCP packets. Are you defining protocol as TCP for the packet that you are sending using Scapy?

liqingjia · April 23, 2020, 8:38am

I forget this.
I change UDP to TCP and I find an alert event_type.
Thank you.

Topic		Replies	Views
Eve.json only shows "event_type":"flow" Help	7	1595	October 22, 2020
I can only see the first alert of a rule Help	2	1855	December 15, 2020
Suricata Sending Request & Response Bodies in multiple events due to alert rule Rules rules , suricata	3	275	April 25, 2024
How to make suricata alert per packet when it is matched Rules	3	1509	March 22, 2022
Question on alert direction in suricata-verify Developers	2	434	February 5, 2021

Surcata5.0.2 When rules match，log file have no information

Related topics