Suricata blowing up /var/log/messages

I’m running latest Suricata on CentOS 7, capturing w/ AF-PACKET. All of a sudden Suricata seems to be writing logs to /var/log/messages.

tail /var/log/messages

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230003:1] SURICATA TLS invalid handshake message [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 52.8.126.234:443 → {HOME_NET}:49778

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230010:1] SURICATA TLS invalid record/traffic [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 52.8.126.234:443 → {HOME_NET}:49778

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230003:1] SURICATA TLS invalid handshake message [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 104.244.36.20:443 → {HOME_NET}:55098

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230010:1] SURICATA TLS invalid record/traffic [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 104.244.36.20:443 → {HOME_NET}:55098

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230003:1] SURICATA TLS invalid handshake message [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} {HOME_NET}:55098 → 104.244.36.20:443

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230010:1] SURICATA TLS invalid record/traffic [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} {HOME_NET}:55098 → 104.244.36.20:443

Sep 29 15:47:14 {SURI} snort[6967]: [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [Classification: Unknown Traffic] [Priority: 3] {TCP} {HOME_NET}:4375 → 54.224.241.105:443

Sep 29 15:47:14 {SURI} snort[6967]: [1:2101616:9] GPL DNS named version attempt [Classification: Attempted Information Leak] [Priority: 2] {UDP} 104.244.79.213:58284 → {HOME_NET}:53

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230003:1] SURICATA TLS invalid handshake message [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} {HOME_NET}:63406 → 104.19.223.81:443

Sep 29 15:47:14 {SURI} snort[6967]: [1:2230010:1] SURICATA TLS invalid record/traffic [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} {HOME_NET}:63406 → 104.19.223.81:443

First off, are these entries any different than what is being sent to eve.json? Second, how do I stop Suricata sending anything to /var/log/messages?

What version are you running and what does the config look like?
Also kinda strange that it’s called “snort”?
And yes those events would be seen in eve.json as well if you enabled it.

Thanks for the reply Andreas!

Figured it out: syslog output was enabled in suricata.yml and was configured to export events as identity: “snort”.
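
The fix described above, shown as an added example (not taken from the poster's actual configuration): the `syslog` entry in the `outputs` section of the Suricata configuration file, first as the thread describes it and then disabled. The `facility`, `level` and `eve-log` values are assumptions based on Suricata's shipped defaults, since the thread does not show them.

```yaml
# "outputs" section of the Suricata configuration (fragment, constructed example)
outputs:
  # Before, as described in the thread: every alert is also written to
  # syslog as a fast.log-style line, tagged with the identity "snort".
  # On a default CentOS 7 rsyslog setup, messages at info level and above
  # from most facilities are written to /var/log/messages.
  #
  # - syslog:
  #     enabled: yes
  #     identity: "snort"
  #     facility: local5        # assumed: Suricata's default facility

  # After: the syslog alert output is switched off.
  - syslog:
      enabled: no
      # If identity is omitted, the program name (usually "suricata")
      # is used as the syslog tag.
      identity: "suricata"
      facility: local5          # assumed default
      level: Info               # assumed default

  # Alerts are still recorded in eve.json as long as the eve-log output
  # stays enabled with the alert type (assumed default layout).
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
```

Validate the edited file with `suricata -T -c <path to config>` and restart Suricata so the output change takes effect.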