Suricata missing some SMTP traffic

Hello. I have recently started using Suricata 6.0.2 to monitor and log all inbound and outbound SMTP traffic. We have setup the traffic between our DMZ facing SMTP relays and internal smart relays to be unencrypted, and I am able to see all of the SMTP conversations going by on the wire. I have disabled checksum-checks and checksum-validation in the suricata.yaml and run ethtool -K $ADAPTER rx off tx off rxvlan off txvlan off to be sure. There are no capture.kernel.drops in stats, and no errors or drops from ethtool -S $ADAPTER

In my testing, I am sending 10 emails from an external address to my internal address, and I generally log 6 or 7 of them in my eve.log Same thing happens when I send 10 emails from my internal email to an external address. When I capture a pcap at the same time as my tests, I am able to see all of the email in the pcap, but they are not logged. When I read the pcap with all of the traffic with suricata, the same emails are logged.

Just as a test, I shut down Suricata, made no changes to the system, installed Zeek, ran the same 10 email test, and Zeek logged all 10 of them. Reading the previously captured pcap with Zeek logs all 10 emails as well.

I’ve been through the suricata.yaml 100 times and made changes here and there, and nothing made a difference. Does anyone have any ideas where I could start trying to figure this out?


How do you do the replay test - tcpreplay, then stop suricata, then inventory the logs?

No, with suricata -r

Ok so different runs with -r give you different results?

No, suricata -r of the pcap that has all of the expected SMTP traffic in it gives the same result as logging the traffic from the wire. Some of the conversations get logged, some don’t.

Ok when you do the live test , do you keep replaying other traffic in or it is just the live test, then stop Suricata? (It might be when you stop Suricata some flows get flushed and you can have additional logs/records)

No, when I do the live test, it’s just traffic from the wire. I typically don’t stop Suricata immediately after sending the test messages. I generally send the messages while doing a tail -f |grep myemail eve.json on the sensor. When I receive all of the messages on the other side, I go through the headers of them all to look for anything out of whack, and then check my SIEM to verify that what’s there is the same as what I saw from the eve.json. Then I repeat the test from the other side, and do the same.

Could you forge that pcap so it would be okay to share it with us?

Is the output for such a pcap the same for each run or does it vary on the same pcap?

Hey Andreas, let me run that past my team lead to be sure.

Yes, the output for that pcap is the same every time. Some email is logged, some is not. Always the same ones.