Suricata cannot parse TLS/HTTP traffic

I am using Suricata to extract information like SNI and hostname/domain from HTTP and TLS using eve-log. First, I run Suricata to capture traffic on a device interface but receive nothing. I use tcpdump to capture traffic on that device interface and write the traffic to a pcap. I open that pcap file in Wireshark and Zeek, and both of them can give me the SNI and domain information.

  • Suricata version: 7.0.2
  • Operating system: test on Centos 7, Ubuntu 22.04
  • How you installed Suricata: Installed from source and package management (apt, yum)

Here is my suricata.yaml file
suricata.yaml (76.8 KB)

Here is my pcap file
serverpcap.pcap (949.8 KB)

Here is stats.log

Counter | TM Name | Value
--- | --- | ---
decoder.pkts | Total | 4561
decoder.bytes | Total | 899562
decoder.ipv4 | Total | 3868
decoder.ethernet | Total | 4561
decoder.unknown_ethertype | Total | 693
decoder.tcp | Total | 3399
tcp.syn | Total | 115
tcp.rst | Total | 74
decoder.udp | Total | 463
decoder.icmpv4 | Total | 6
decoder.vlan | Total | 3868
decoder.avg_pkt_size | Total | 197
decoder.max_pkt_size | Total | 1402
flow.total | Total | 361
flow.tcp | Total | 143
flow.udp | Total | 218
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 4
flow.wrk.flows_evicted_needs_work | Total | 115
flow.wrk.flows_evicted_pkt_inject | Total | 115
flow.wrk.flows_evicted | Total | 1
flow.wrk.flows_injected | Total | 115
tcp.sessions | Total | 115
tcp.ssn_from_pool | Total | 115
detect.alert | Total | 4
app_layer.flow.quic | Total | 24
app_layer.tx.quic | Total | 22
app_layer.flow.dns_udp | Total | 194
app_layer.tx.dns_udp | Total | 194
flow.end.state.new | Total | 361
flow.end.tcp_state.syn_sent | Total | 115
flow.mgr.rows_per_sec | Total | 6553
flow.spare | Total | 9900
memcap_pressure | Total | 5
memcap_pressure_max | Total | 5
flow.recycler.recycled | Total | 245
flow.recycler.queue_avg | Total | 2
flow.recycler.queue_max | Total | 75
tcp.memuse | Total | 606208
tcp.reassembly_memuse | Total | 114688
flow.memuse | Total | 7154304

Please help!!

How do you run Suricata exactly?

Also, the pcap you provided has QUIC in it but no HTTP, so this explains the missing HTTP info. You should at least see some DNS, QUIC and FLOW event types in the EVE JSON.

Why the TLS part is not recognized would need a bit more investigation.

Hi, thanks for your reply.
I run Suricata on the server with this command:
sudo /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eno49

And for the pcap I run this command:
sudo /usr/local/bin/suricata -r serverpcap.pcap --runmode single -c /usr/local/etc/suricata/suricata.yaml

If you set "--set stream.midstream=true" you will also see the TLS events. It seems your pcap is not complete; for example, if you look in Wireshark at "tcp.stream eq 0" you see that only one direction is seen. You need to make sure that the complete connection/flow is seen by Suricata, especially both sides and not just one direction.

My server only mirrors one side of the traffic, from the user to the internet. How can I configure Suricata to capture the SNI from TLS?

I would try to fix that first, since you will always have broken input.
You can set the midstream pickup option and also the async-oneside option to true, but there is no guarantee that it will work all the time.

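To check whether the midstream/async-oneside settings actually produce TLS events, and to confirm the one-direction problem described above from Suricata's own output rather than from Wireshark, here is an added helper that is not part of this thread: it reads EVE JSON lines, collects the SNI/domain names from tls, quic and dns events, and flags flow records where one direction carried zero packets. The field names follow the Suricata EVE format; the sample lines are constructed for illustration (documentation IP ranges, example.com/example.org).

```python
import json
from collections import Counter

# Constructed sample eve.json lines: a DNS query, a TLS ClientHello seen only
# client-to-server, a QUIC handshake, and the flow records that close them.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2024-01-10T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"www.example.com","version":"TLS 1.3"}}
{"timestamp":"2024-01-10T10:00:03.000000+0000","event_type":"quic","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"quic":{"version":"v1","sni":"www.example.org"}}
{"timestamp":"2024-01-10T10:00:09.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":0,"bytes_toserver":2400,"bytes_toclient":0,"state":"new"}}
{"timestamp":"2024-01-10T10:00:09.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":80,"bytes_toclient":120,"state":"established"}}
"""


def parse_eve(text):
    """Return (names, one_sided, counts) for a string of EVE JSON lines.

    names:     list of (event_type, name) in the order seen (tls/quic SNI, dns query names)
    one_sided: flow records where one direction carried no packets at all
    counts:    Counter of event_type, to see which app-layer parsers fired
    """
    names, one_sided, counts = [], [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        counts[etype] += 1
        if etype == "tls" and ev.get("tls", {}).get("sni"):
            names.append(("tls", ev["tls"]["sni"]))
        elif etype == "quic" and ev.get("quic", {}).get("sni"):
            names.append(("quic", ev["quic"]["sni"]))
        elif etype == "dns" and ev.get("dns", {}).get("type") == "query":
            names.append(("dns", ev["dns"]["rrname"]))
        elif etype == "flow":
            f = ev["flow"]
            # A mirror that only forwards client->server traffic shows up here:
            # packets in one direction and none in the other.
            if f["pkts_toserver"] == 0 or f["pkts_toclient"] == 0:
                one_sided.append((ev["src_ip"], ev["dest_ip"], ev.get("dest_port"),
                                  f["pkts_toserver"], f["pkts_toclient"]))
    return names, one_sided, counts


if __name__ == "__main__":
    names, one_sided, counts = parse_eve(SAMPLE_EVE)
    print("event counts:", dict(counts))
    print("names:", names)
    print("one-sided flows:", one_sided)
```

Run it against a real log with `parse_eve(open("/var/log/suricata/eve.json").read())`; a high share of one-sided flows is the mirror problem, not a Suricata parsing problem.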

Thank you very much. I'll give it a try.

Hi @Andreas_Herz, does Suricata have any improvement on this problem?

Did you try my suggestion? As I said, I would fix the traffic mirroring first.

I did try your suggestion. It gives a few improvements but is still not good enough. The mirrored traffic comes from only one direction, and that cannot be changed.

In that case you have to live with the limitation; if parts of the traffic are missing, we can't magically make them appear.