Suricata not detecting anything?

jimoe · September 23, 2025, 5:33pm

Suricata 8.0.1
opensuse tumbleweed 0250918
linux v6.16.7-1-default x86_64
Installation: make, make install
AMD Ryzen 5 5600X × 12
32 GB RAM

The suricata installation on this host has never been vary active. It was not unusual for 2-3 days between detection events. Since installing 8.0.0, then 8.0.1, there have been not one detection since 2025-08-11. The same installation on other hosts have detected events normally.

Is there a simple, quick test to verify suricata is actually working?

Some status information:

2025-09-23T10:17:02: User [root]. Command [status]. Python 3.13.7
This is Suricata version 8.0.1 RELEASE
-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass

Chain INPUT (policy ACCEPT 293 packets, 58587 bytes)
num   pkts bytes target  prot opt in  out source     destination
1    4567K 4257M NFQUEUE all  –   *   *   0.0.0.0/0  0.0.0.0/0 NFQUEUE num 0 bypass
Number of reject IPs in iptables: 0
Running. PID [11113]
Suricata uptime [2.9 day]

ish · September 23, 2025, 5:36pm

What about non-detection events? http, dns, and flow are usually pretty frequent.

jimoe · September 23, 2025, 5:38pm

Nothing in fast.log. Is there another file that shows detections?

ish · September 23, 2025, 5:43pm

Not detections, but the eve.json has all the transactions logs. Along with stats records that can tell you what Suricata is seeing. Alternatively stats.log.

jimoe · September 23, 2025, 6:02pm

Here is the recent Stats entry;

Date: 9/23/2025 -- 10:58:15 (uptime: 3d, 00h 30m 09s)
Counter                                     | TM Name                   | Value
ips.accepted                                | Total                     | 37826241
ips.blocked                                 | Total                     | 5097
ips.drop_reason.flow_drop                   | Total                     | 1230
ips.drop_reason.applayer_error              | Total                     | 2034
ips.drop_reason.stream_error                | Total                     | 1819
ips.drop_reason.stream_midstream            | Total                     | 14
decoder.pkts                                | Total                     | 37831338
decoder.bytes                               | Total                     | 51073817097
decoder.ipv4                                | Total                     | 37831338
decoder.ipv6                                | Total                     | 1
decoder.tcp                                 | Total                     | 37470000
tcp.syn                                     | Total                     | 12986
tcp.synack                                  | Total                     | 12950
tcp.rst                                     | Total                     | 9480
decoder.udp                                 | Total                     | 350685
decoder.icmpv4                              | Total                     | 46
decoder.teredo                              | Total                     | 1
decoder.avg_pkt_size                        | Total                     | 1350
decoder.max_pkt_size                        | Total                     | 6246
tcp.active_sessions                         | Total                     | 70
flow.total                                  | Total                     | 37336
flow.active                                 | Total                     | 71
flow.tcp                                    | Total                     | 12972
flow.udp                                    | Total                     | 24364
flow.wrk.spare_sync_avg                     | Total                     | 99
flow.wrk.spare_sync                         | Total                     | 256
flow.wrk.spare_sync_incomplete              | Total                     | 23
decoder.event.ipv4.opt_pad_required         | Total                     | 10232
decoder.event.ipv6.unknown_next_header      | Total                     | 1
flow.wrk.flows_evicted_needs_work           | Total                     | 11872
flow.wrk.flows_evicted_pkt_inject           | Total                     | 12333
flow.wrk.flows_evicted                      | Total                     | 421
flow.wrk.flows_injected                     | Total                     | 11871
flow.wrk.flows_injected_max                 | Total                     | 1
tcp.sessions                                | Total                     | 12946
tcp.ssn_from_cache                          | Total                     | 11834
tcp.ssn_from_pool                           | Total                     | 1112
tcp.pseudo                                  | Total                     | 36
exception_policy.tcp.midstream.drop_flow    | Total                     | 14
tcp.segment_from_cache                      | Total                     | 723413
tcp.segment_from_pool                       | Total                     | 12331
tcp.stream_depth_reached                    | Total                     | 108
tcp.overlap                                 | Total                     | 4091
detect.alerts_suppressed                    | Total                     | 5
exception_policy.app_layer.error.drop_flow  | Total                     | 2034
app_layer.flow.failed_tcp                   | Total                     | 201
app_layer.flow.http                         | Total                     | 704
app_layer.tx.http                           | Total                     | 3651
app_layer.flow.smtp                         | Total                     | 13
app_layer.tx.smtp                           | Total                     | 13
app_layer.flow.tls                          | Total                     | 11594
app_layer.error.tls.parser                  | Total                     | 1
app_layer.flow.ssh                          | Total                     | 2
app_layer.flow.imap                         | Total                     | 241
app_layer.flow.dns_tcp                      | Total                     | 3
app_layer.tx.dns_tcp                        | Total                     | 8
app_layer.flow.quic                         | Total                     | 1037
app_layer.tx.quic                           | Total                     | 6475
app_layer.error.quic.parser                 | Total                     | 3
app_layer.flow.mdns                         | Total                     | 10478
app_layer.tx.mdns                           | Total                     | 47749
app_layer.flow.snmp                         | Total                     | 1
app_layer.tx.snmp                           | Total                     | 2
app_layer.flow.failed_udp                   | Total                     | 10809
app_layer.flow.dns_udp                      | Total                     | 9
app_layer.tx.dns_udp                        | Total                     | 18
app_layer.flow.sip_udp                      | Total                     | 2030
app_layer.error.sip_udp.parser              | Total                     | 2030
flow.end.state.new                          | Total                     | 23094
flow.end.state.established                  | Total                     | 1300
flow.end.state.closed                       | Total                     | 12871
flow.end.tcp_state.syn_sent                 | Total                     | 2
flow.end.tcp_state.established              | Total                     | 2
flow.end.tcp_state.time_wait                | Total                     | 15
flow.end.tcp_state.last_ack                 | Total                     | 237
flow.end.tcp_state.close_wait               | Total                     | 1
flow.end.tcp_state.closed                   | Total                     | 12619
flow.mgr.full_hash_pass                     | Total                     | 28884
flow.mgr.rows_per_sec                       | Total                     | 7208
flow.spare                                  | Total                     | 10504
flow.mgr.rows_maxlen                        | Total                     | 2
flow.mgr.flows_checked                      | Total                     | 101800
flow.mgr.flows_notimeout                    | Total                     | 64952
flow.mgr.flows_timeout                      | Total                     | 36848
flow.mgr.flows_evicted                      | Total                     | 36848
flow.mgr.flows_evicted_needs_work           | Total                     | 11871
memcap.pressure                             | Total                     | 11
memcap.pressure_max                         | Total                     | 11
defrag.memuse                               | Total                     | 33554432
flow.recycler.recycled                      | Total                     | 24977
flow.recycler.queue_max                     | Total                     | 5
tcp.memuse                                  | Total                     | 7471104
tcp.reassembly_memuse                       | Total                     | 1869824
http.memuse                                 | Total                     | 1680
http.byterange.memuse                       | Total                     | 168384
http.byterange.memcap                       | Total                     | 104857600
ippair.memuse                               | Total                     | 398144
ippair.memcap                               | Total                     | 16777216
host.memuse                                 | Total                     | 382144
host.memcap                                 | Total                     | 33554432
flow.memuse                                 | Total                     | 7479904

jimoe · September 25, 2025, 8:41pm

jimoe:

ips.accepted                       | Total  | 37826241
ips.blocked                        | Total  | 5097
ips.drop_reason.flow_drop          | Total  | 1230
ips.drop_reason.applayer_error     | Total  | 2034
ips.drop_reason.stream_error       | Total  | 1819
ips.drop_reason.stream_midstream   | Total  | 14

I presume these stats indicate matched rules. If so, why is it not noted in fast.log?

jimoe · September 25, 2025, 8:43pm

And the JSON entries are quite hard to read.

jufajardini · September 26, 2025, 1:11pm

JSON entries have differents events. As Jason pointed out, events like:

flow
tls
alert
drop
http
dns
stats

Can show more of what is happening.

Not all ips.blocked stats mean a rule was matched.

From the stats.log that you have shared, I’ve noticed a couple of things:
Suricata is seen midstream traffic, and is dropping associated flows:
exception_policy.tcp.midstream.drop_flow | Total | 14
There are also drops related to app layer errors:
exception_policy.app_layer.error.drop_flow | Total | 2034

This could lead to higher ips.blocked | Total | 5097
without necessarily these being connected to an alert that would show up in fast.log.

This post sheds some light on chasing issues related to exception policies: My traffic gets blocked after upgrading to Suricata 7

Do you have drop enabled for your EVE log? might help figure out what’s going on.

This isn’t perfect, but has a few commands for using jq with the EVE logs: JQ cheat sheet for parsing Suricata EVE outputs

jimoe · September 27, 2025, 10:39pm

I reverted to v7.0.10.

A new alert happened within a day.

jufajardini · September 29, 2025, 12:31pm

Thanks for indicating that.

We try to list all upgrading notes in our docs, but I couldn’t find something that would directly impact getting no alerts.
The 8 family is still new, so maybe there is a hidden bug, or some configuration change that missed going into the upgrade notes.

If you notice anything again, we’d appreciate more feedback.

ish · September 29, 2025, 2:25pm

Do you have a reliable test trigger? Something that you can initiate that generates an alert? Even as simple as http://testmyids.org or something. If not, I recommend something like that. It can save time instead of waiting for an alert.