Hello all,
The $subject says it all, basically.
I’ve an instance of Suricata running on a testing host. Suricata is configured to listen on an interface (af-packet) which is directly connected to another host that we use when we want to inject testing traffic via tcpreplay.
I’ve noticed that when we were not testing, detect.alert stat was rising:
Date: 1/5/2022 -- 10:28:28 (uptime: 0d, 18h 59m 58s) --------------------------------
capture.kernel_drops: 130 [+ 0]
detect.alert: 12235 [+ 2]
Date: 1/5/2022 -- 10:28:36 (uptime: 0d, 19h 00m 06s) --------------------------------
capture.kernel_drops: 130 [+ 0]
detect.alert: 12236 [+ 1]
I had a look at the counters (listing only the ones that have changed between samples):
Counter | 10:28:20 | 10:28:28 | 10:28:36 |
---|---|---|---|
capture.kernel_packets | 19625204 | 19625204 | 19625204 |
detect.alert | 12233 | 12235 | 12236 |
app_layer.flow.tls | 17361 | 17403 | 17423 |
flow_mgr.est_pruned | 23917 | 24314 | 24524 |
flow.spare | 10061 | 10048 | 10024 |
flow_mgr.flows_checked | 170 | 117 | 86 |
flow_mgr.flows_timeout | 117 | 78 | 47 |
flow_mgr.flows_timeout_inuse | 56 | 30 | 23 |
flow_mgr.flows_removed | 61 | 48 | 24 |
flow_mgr.rows_skipped | 65311 | 65387 | 65423 |
flow_mgr.rows_empty | 65 | 36 | 29 |
tcp.memuse | 1450080 | 1356080 | 1281840 |
tcp.reassembly_memuse | 21486508 | 19303540 | 17565292 |
http.memuse | 687984 | 507462 | 506345 |
flow.memuse | 8512424 | 8400576 | 8313000 |
These are the alerts picked up, from eve.json:
"2022-01-05T10:28:22.000180+0000 | 1:2033055:1 | ET JA3 HASH - Possible Rclone Client Response (Mega Storage) | Potentially Bad Traffic | 1xx.xxx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:26.000448+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:28.000468+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:36.000337+0000 | 1:2027671:5 | ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound | Potential Corporate Privacy Violation | xxx.x.x.x:xxx -> 10.xx.xx.xx:yyyyy"
"2022-01-05T10:30:42.000296+0000 | 1:2028777:2 | ET JA3 Hash - [Abuse.ch] Possible Adware | Unknown Traffic | 1x.xxx.xxx.xxx:yyyyy -> 1xx.xxx.xxx.xxx:443"
But I was not able to figure out why this is happening, hence asking here. Any hint is appreciated.
Thanks!
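An added example, not part of the post above, that automates the comparison the poster did by hand: it parses stats samples in the line shape pasted above (constructed data, values taken from the post's table) and reports which counters moved between consecutive samples, plus the intervals where detect.alert rose while capture.kernel_packets stayed flat.

```python
import re

# Constructed stats samples in the line shape pasted in the post
# ("Date:" header, then "counter: value [+ delta]" lines).
SAMPLES = """\
Date: 1/5/2022 -- 10:28:20 (uptime: 0d, 18h 59m 50s) ----
capture.kernel_packets: 19625204 [+ 0]
detect.alert: 12233 [+ 1]
app_layer.flow.tls: 17361 [+ 40]
flow_mgr.est_pruned: 23917 [+ 390]
Date: 1/5/2022 -- 10:28:28 (uptime: 0d, 18h 59m 58s) ----
capture.kernel_packets: 19625204 [+ 0]
detect.alert: 12235 [+ 2]
app_layer.flow.tls: 17403 [+ 42]
flow_mgr.est_pruned: 24314 [+ 397]
Date: 1/5/2022 -- 10:28:36 (uptime: 0d, 19h 00m 06s) ----
capture.kernel_packets: 19625204 [+ 0]
detect.alert: 12236 [+ 1]
app_layer.flow.tls: 17423 [+ 20]
flow_mgr.est_pruned: 24524 [+ 210]
"""

DATE_RE = re.compile(r"^Date: \S+ -- (\d\d:\d\d:\d\d)")
COUNTER_RE = re.compile(r"^([\w.]+):\s+(\d+)")

def parse_samples(text):
    """Return a list of (time, {counter: value}) in sample order."""
    samples = []
    for line in text.splitlines():
        if m := DATE_RE.match(line):
            samples.append((m.group(1), {}))
        elif (m := COUNTER_RE.match(line)) and samples:
            samples[-1][1][m.group(1)] = int(m.group(2))
    return samples

def changed_counters(samples):
    """Map counter -> [(t0, t1, delta)] for every interval where it moved."""
    changed = {}
    for (t0, a), (t1, b) in zip(samples, samples[1:]):
        for name in sorted(a.keys() & b.keys()):
            if a[name] != b[name]:
                changed.setdefault(name, []).append((t0, t1, b[name] - a[name]))
    return changed

def alerts_without_packets(samples):
    """Intervals where detect.alert rose with no new captured packets."""
    return [(t0, t1, b["detect.alert"] - a["detect.alert"])
            for (t0, a), (t1, b) in zip(samples, samples[1:])
            if b["detect.alert"] > a["detect.alert"]
            and b["capture.kernel_packets"] == a["capture.kernel_packets"]]
```

An interval reported by alerts_without_packets is one where the alerts were not triggered by freshly captured traffic on the tap, which narrows the search to what Suricata does with already-captured flows in that window.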