Suricata 6.0.9 on Ubuntu 22.04 not getting traffic at all

Hi,

Im currently having some problems with a fresh installation of Ubuntu 22.04.1 LTS and Suricata 6.0.9. I installed everything from scratch, with two network interfaces, one for management and one with a port mirror from a switch. This setup was working before on Ubuntu 18 and an older version of Suricata.

My problem is that im not getting alerts on the fast.log file and the eve.json seems to only be getting UDP packets. I checked suricata-start.log and suricata.log but found no errors.

Only getting this type of events on eve.json:

imagen1920×472 190 KB

I googled a lot, watched youtube videos and now im stuck.

Ubuntu and suricata versions:

imagen916×247 68.6 KB

Checking the suricata.yaml file output:

imagen1810×287 134 KB

Service status:

imagen1212×311 95.6 KB

My network configuration (eth0 management, eth1 pormirror:

imagen947×319 104 KB

I attached my suricata.yaml and my eve.json file.
eve.json (611.4 KB)
suricata.yaml (73.1 KB)

Can you post the suricata.log file?

Hi, there you have them. Thanks!

Last time starting it was 10/12/2022, heres the status of the service right now

imagen1191×303 94.2 KB

Also, the only file I modified is the suricata.yaml file, do I have to set the interfaces somewhere else with 6.0.9?

suricata.log (497.6 KB)
suricata-start.log (1.5 KB)

This looks fine … very early in the suricata.log there weren’t any rule files but that was corrected on 10 December.

Can you post the stats.log file?

Hi Jeff,

I got some alerts on the fast.log, but only some ipv6 related thing…

imagen1920×784 254 KB

I had to cut the stat.log file, it weights 120mb, it seems its always the same very few seconds.

stats.log (182.7 KB)

I dont know what else check…

Thanks!

The stats show a few anomalies

• decoder.pkts is the packet count received by Suricata – ~14M
• The summation of decoder.ipv4, ipv6, ethernet, icmpv6, and teredo are far less than 14M.

There are a significant number of packets not accounted for.

Is it possible to get a partial pcap for further investigation?

If so, you can post here or DM. Please don’t share publicly unless it’s ok to do so.

Hi, I just sent you the file.

Thanks!

Thanks for the pcap.

There are 1000 packets:

• 576 ARP packets (not processed by Suricata yet)
• 181 packets with an unknown ether-type (not processed by suricata)
• 80 IPv6 packets
• 163 IPv4 packets

Ther are

• 190 UDP packets – includes DHCP as well as protocols not processed by Suricata yet
• 48 ICMP v6 packets

Your pcap generates many flow records (as it should) but the rules I used (ETPro) don’t apply to the input stream.

Hi,

Im not an expert on suricata nor linux, but do you think that there could be something wrong with my configuration or the way operation system is configured?

Shouldnt something be in the 163 IPv4 packets, something that could trigger an alert with ET/free or at least something on the eve.json that is not UDP traffic?

What could be the next steps to try to identify the problem?

Thanks!

The UDP protocols include DHCP (Suricata will process/analyze these) and other protocols not processed by Suricata.

At this point, I’d suggest looking at the port mirror infra to see if it’s mirroring the expected traffic which I presume is your intranet in an East/West (wholly within your intranet) or North/South (intranet <-> internet) or a combination thereof.

I’ll check the port mirror on the switch and the whole configuration and the whole configuration of the hyperv system and mirror network on the hyperv.

The port mirror configuration had beed working for quite some time, its a full mirror of a switch to a single port, that its connected to a dedicated network interface on a hyperv server.

I’ll post if I find something.

Thanks!

So, finally fixed it. The problem was on the port mirror configuration in the vmware and hyperv network configurations.

Followed this for VMWare:
https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/vmware/getting-traffic-from-physical-network-vmware.htm

And this for HyperV:
https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/hyperv/getting-traffic-from-physical-network-hyper-v.htm

Thank for all the help Jeff.