Hello. I have recently started using Suricata 6.0.2 to monitor and log all inbound and outbound SMTP traffic. We have set up the traffic between our DMZ-facing SMTP relays and internal smart relays to be unencrypted, and I am able to see all of the SMTP conversations going by on the wire. I have disabled checksum-checks and checksum-validation in the suricata.yaml and run ethtool -K $ADAPTER rx off tx off rxvlan off txvlan off to be sure. There are no capture.kernel.drops in stats, and no errors or drops from ethtool -S $ADAPTER.
In my testing, I am sending 10 emails from an external address to my internal address, and I generally log 6 or 7 of them in my eve.log. The same thing happens when I send 10 emails from my internal email to an external address. When I capture a pcap at the same time as my tests, I am able to see all of the emails in the pcap, but they are not logged. When I read the pcap with all of the traffic with Suricata, the same emails are logged.
Just as a test, I shut down Suricata, made no changes to the system, installed Zeek, ran the same 10 email test, and Zeek logged all 10 of them. Reading the previously captured pcap with Zeek logs all 10 emails as well.
I’ve been through the suricata.yaml 100 times and made changes here and there, and nothing made a difference. Does anyone have any ideas where I could start trying to figure this out?
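One way to quantify the gap described in this post, as an added example (not code from the post or from the Suricata project): a script that tallies eve.json `smtp` events for a test sender/recipient pair against the number of messages actually sent, and separates transactions whose MIME parse completed from ones that did not. The eve lines below are constructed; the field names (`event_type`, `smtp.mail_from`, `smtp.rcpt_to`, `email.status`) follow Suricata's EVE SMTP output, and any status other than `PARSE_DONE` is counted as incomplete.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the poster's system): three logged
# SMTP transactions for a test run in which four messages were sent.
SAMPLE_EVE = """\
{"timestamp":"2021-05-10T10:00:01.000000+0000","flow_id":1,"event_type":"smtp","src_ip":"10.0.1.5","dest_ip":"10.0.2.5","smtp":{"helo":"relay.example","mail_from":"<sender@example.net>","rcpt_to":["<user@example.org>"]},"email":{"status":"PARSE_DONE","from":"sender@example.net","to":["user@example.org"]}}
{"timestamp":"2021-05-10T10:00:02.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.1.5","dest_ip":"10.0.2.5"}
{"timestamp":"2021-05-10T10:00:05.000000+0000","flow_id":2,"event_type":"smtp","src_ip":"10.0.1.5","dest_ip":"10.0.2.5","smtp":{"helo":"relay.example","mail_from":"<Sender@Example.net>","rcpt_to":["<user@example.org>"]},"email":{"status":"PARSE_DONE","from":"sender@example.net","to":["user@example.org"]}}
{"timestamp":"2021-05-10T10:00:09.000000+0000","flow_id":3,"event_type":"smtp","src_ip":"10.0.1.5","dest_ip":"10.0.2.5","smtp":{"helo":"relay.example","mail_from":"<sender@example.net>","rcpt_to":["<user@example.org>"]},"email":{"status":"HEADER_READY","from":"sender@example.net","to":["user@example.org"]}}
"""


def _norm(addr):
    """Normalise an SMTP address: strip surrounding angle brackets and case-fold."""
    return addr.strip().strip("<>").lower()


def smtp_events(eve_text):
    """Yield parsed EVE records whose event_type is smtp, skipping blank lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("event_type") == "smtp":
                yield rec


def tally(eve_text, mail_from, rcpt_to):
    """Count smtp events for one sender/recipient pair, split by parse status."""
    counts = Counter(seen=0, complete=0, incomplete=0)
    for rec in smtp_events(eve_text):
        smtp = rec.get("smtp", {})
        if _norm(smtp.get("mail_from", "")) != _norm(mail_from):
            continue
        if _norm(rcpt_to) not in {_norm(r) for r in smtp.get("rcpt_to", [])}:
            continue
        counts["seen"] += 1
        status = rec.get("email", {}).get("status")
        counts["complete" if status == "PARSE_DONE" else "incomplete"] += 1
    return dict(counts)


def report(eve_text, mail_from, rcpt_to, expected):
    """Compare what Suricata logged with the number of test messages sent."""
    result = tally(eve_text, mail_from, rcpt_to)
    result["expected"] = expected
    result["missing"] = expected - result["seen"]  # transactions never logged
    return result


if __name__ == "__main__":
    print(report(SAMPLE_EVE, "sender@example.net", "user@example.org", 4))
```

Run it against the live eve.json and against the eve.json produced by replaying the pcap with the same sender/recipient pair and sent count; a non-zero `missing` on live capture only, with the same input, points at the live capture path rather than the SMTP parser.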