Suricata not recognising packets, but tshark does

Hello, I am trying to make suricata run on a raspberry pi 4. I have downloaded and installed suricata, and have added a custom rule which detects when any ICMP packet enters the network.

alert icmp any any -> any any (msg: "ICMP Packet found";)

I then sent ICMP packets across my network, the network is set up so that the raspberry pi monitors all traffic on the network.

When I sent 500 ICMP packets, suricata did not pick them up (the console said that only 2 packets had been captured); however, when I repeated the test using tshark, tshark was able to capture the packets. I am confused as to why Suricata is not picking the packets up, yet tshark is.

This is a known issue – see https://redmine.openinfosecfoundation.org/issues/2928

Try these rules (to match icmp echoes and replies)

alert icmp any any -> any any (itype: 0; sid:1;)
alert icmp any any -> any any (itype: 8; sid:2;)

Unfortunately, nothing changed when adding these rules.

I sent 500 ICMP packets on the network. The pi only picked up 24.

The fast.log is not being populated.

Strange, the number of packets being detected is different between the CLI and the stats.log

------------------------------------------------------------------------------------
Date: 6/10/2020 -- 09:37:56 (uptime: 0d, 00h 17m 55s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2878
decoder.pkts                               | Total                     | 2878
decoder.bytes                              | Total                     | 239250
decoder.ipv4                               | Total                     | 2794
decoder.ipv6                               | Total                     | 84
decoder.ethernet                           | Total                     | 2878
decoder.tcp                                | Total                     | 680
decoder.udp                                | Total                     | 188
decoder.icmpv4                             | Total                     | 2000
decoder.icmpv6                             | Total                     | 5
decoder.avg_pkt_size                       | Total                     | 83
decoder.max_pkt_size                       | Total                     | 1314
flow.tcp                                   | Total                     | 120
flow.udp                                   | Total                     | 64
flow.icmpv4                                | Total                     | 2
flow.icmpv6                                | Total                     | 1
decoder.ipv4.opt_pad_required              | Total                     | 5
decoder.ipv6.zero_len_padn                 | Total                     | 5
tcp.synack                                 | Total                     | 118
tcp.rst                                    | Total                     | 2
app_layer.flow.dhcp                        | Total                     | 3
app_layer.tx.dhcp                          | Total                     | 6
app_layer.flow.failed_udp                  | Total                     | 61
flow_mgr.new_pruned                        | Total                     | 115
flow_mgr.est_pruned                        | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 4
flow_mgr.flows_notimeout                   | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65532
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 2031616
tcp.reassembly_memuse                      | Total                     | 294912
flow.memuse                                | Total                     | 6611344

I was reviewing troubleshooting methods from my last post and when I run
ls -ld

I get the error
-bash: syntax error near unexpected token `newline'

Let’s try the following

  • Stop Suricata
  • Remove fast.log
  • Start Suricata
  • Replay/Send ICMP packets
  • Stop Suricata and note the packet processed value it reports
  • Compare (from fast.log) capture.kernel_packets, decoder.pkts, decoder.ethernet, decoder.icmpv4 (or icmpv6)

Also,

  • Does your pi have 2 interfaces? (wired and wireless)
  • Where are you running tshark from – the pi?
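An added example (not from this thread) of reading the counters the steps above ask for out of a stats.log dump and comparing them in one go: it takes a constructed stats.log excerpt in the format shown earlier in the thread, and uses `detect.alert`, the stats.log counter for alerts raised, which stats.log leaves out when it is zero unless `null-values` is enabled.

```shell
#!/bin/sh
# Added example, not from the thread: pull the counters the troubleshooting
# steps ask for out of a stats.log dump and compare them, so a mismatch between
# "captured", "decoded" and "alerted" shows up as one word.

# Constructed stats.log excerpt in the format shown above (values are made up).
SAMPLE_STATS='Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2161
decoder.pkts                               | Total                     | 2161
decoder.ethernet                           | Total                     | 2161
decoder.icmpv4                             | Total                     | 2000
flow.icmpv4                                | Total                     | 1'

# stat_value COUNTER STATS_TEXT: print the last value logged for COUNTER, or 0
# if it is absent (stats.log omits zero-valued counters unless null-values is on).
stat_value() {
    printf '%s\n' "$2" | awk -F'|' -v want="$1" '
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $3) }
        $1 == want { val = $3 }
        END { print val + 0 }'
}

# check_icmp_pipeline STATS_TEXT: prints one of
#   capture-gap   the kernel delivered packets that were never decoded
#   no-icmp       nothing was decoded as ICMPv4 (wrong interface, or no traffic there)
#   no-alerts     ICMP was decoded but no alert was counted (rules not loaded / not matching)
#   ok            ICMP decoded and alerts raised
check_icmp_pipeline() {
    kern=$(stat_value capture.kernel_packets "$1")
    dec=$(stat_value decoder.pkts "$1")
    icmp=$(stat_value decoder.icmpv4 "$1")
    alerts=$(stat_value detect.alert "$1")
    if [ "$kern" -ne "$dec" ]; then
        echo capture-gap
    elif [ "$icmp" -eq 0 ]; then
        echo no-icmp
    elif [ "$alerts" -eq 0 ]; then
        echo no-alerts
    else
        echo ok
    fi
}

check_icmp_pipeline "$SAMPLE_STATS"
```

On a real box, replace `SAMPLE_STATS` with the last block of `/var/log/suricata/stats.log`; a `no-alerts` result with a large `decoder.icmpv4` is the pattern seen in this thread, and points at the rule file rather than at capture.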

Stopped Suricata
Ran sudo rm /var/log/suricata/fast.log
Ran sudo suricata -i eth0
Replayed the ICMP packets.
Suricata notes 2 packets recorded
fast.log created, but nothing recorded (empty file).

Terminal Output

10/6/2020 -- 13:26:12 - <Notice> - This is Suricata version 4.1.2 RELEASE
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 4 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
10/6/2020 -- 13:26:14 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
10/6/2020 -- 13:26:22 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
10/6/2020 -- 13:30:59 - <Notice> - This is Suricata version 4.1.2 RELEASE
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 4 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
10/6/2020 -- 13:31:01 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
10/6/2020 -- 13:31:09 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
10/6/2020 -- 13:31:23 - <Notice> - Signal Received.  Stopping engine.
10/6/2020 -- 13:31:25 - <Notice> - Stats for 'eth0':  pkts: 2, drop: 0 (0.00%), invalid chksum: 0

Stats.log
Date: 6/10/2020 -- 13:33:58 (uptime: 0d, 00h 07m 46s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2161
decoder.pkts                               | Total                     | 2161
decoder.bytes                              | Total                     | 151738
decoder.ipv4                               | Total                     | 2119
decoder.ipv6                               | Total                     | 42
decoder.ethernet                           | Total                     | 2161
decoder.udp                                | Total                     | 142
decoder.icmpv4                             | Total                     | 2000
decoder.icmpv6                             | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 70
decoder.max_pkt_size                       | Total                     | 385
flow.udp                                   | Total                     | 36
flow.icmpv4                                | Total                     | 1
flow.icmpv6                                | Total                     | 4
decoder.ipv4.opt_pad_required              | Total                     | 5
decoder.ipv6.zero_len_padn                 | Total                     | 10
app_layer.flow.dhcp                        | Total                     | 6
app_layer.tx.dhcp                          | Total                     | 32
app_layer.flow.failed_udp                  | Total                     | 30
flow_mgr.new_pruned                        | Total                     | 36
flow_mgr.est_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 2031616
tcp.reassembly_memuse                      | Total                     | 294912
flow.memuse                                | Total                     | 6595024

The pi does have two interfaces, a wlan0 and an eth0; that is why I specify eth0 when running suricata.
I run tshark on the pi. I run it using sudo tshark in the user folder. By default tshark uses the eth0 interface.

The values from stats.log show 2161 packets were received (capture.kernel_packets) and that all of those were processed (decoder.ethernet).

You’re using ET rules – did you add the rules I listed earlier into that rule file?

What command line are you using to invoke Suricata?

I did add those rules.

I am using Putty to connect to the pi, and using that terminal window to run suricata.

Ok. I’m not sure why 4.1.2 is reporting 2 packets, as we can see from stats.log that many more are being processed.

Can you upgrade to 4.1.8?

What is the command to do that?

suricata-update
-bash: suricata-update: command not found
sudo apt-get upgrade suricata
Reading package lists... Done
Building dependency tree
Reading state information... Done
suricata is already the newest version (1:4.1.2-2).
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  rpi-eeprom-images
Use 'sudo apt autoremove' to remove it.
The following packages have been kept back:
  python-rpi.gpio
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Try using the ubuntu ppa
https://suricata.readthedocs.io/en/latest/install.html#ubuntu

Hello? suricata is already the newest version (1:4.1.2-2).

Thanks for your help, but I get this error: sudo: add-apt-repository: command not found

Sorry, I get an error on that as well. When I enter sudo add-apt-repository ppa:pj-assis/ppa
I get this error
aptsources.distro.NoDistroTemplateException: Error: could not find a distribution template for Raspbian/buster
I don’t think I need to redownload suricata

Hi! Could you please tell me how you installed the Suricata package that you are currently running?

I installed suricata by doing sudo apt-get install suricata