Suricata running on a test host detected few alerts while there was no traffic on listening port

Hello all,

The $subject says it all, basically.

I have an instance of Suricata running on a testing host. Suricata is configured to listen on an interface (af-packet) which is directly connected to another host that we use when we want to inject testing traffic via tcpreplay.

I’ve noticed that when we were not testing, detect.alert stat was rising:

Date: 1/5/2022 -- 10:28:28 (uptime: 0d, 18h 59m 58s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12235                     [+ 2]
Date: 1/5/2022 -- 10:28:36 (uptime: 0d, 19h 00m 06s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12236                     [+ 1]

I had a look at the counters (listing only the ones that have changed between samples):

| Counter | 10:28:20 | 10:28:28 | 10:28:36 |
|---|---|---|---|
| capture.kernel_packets | 19625204 | 19625204 | 19625204 |
| detect.alert | 12233 | 12235 | 12236 |
| app_layer.flow.tls | 17361 | 17403 | 17423 |
| flow_mgr.est_pruned | 23917 | 24314 | 24524 |
| flow.spare | 10061 | 10048 | 10024 |
| flow_mgr.flows_checked | 170 | 117 | 86 |
| flow_mgr.flows_timeout | 117 | 78 | 47 |
| flow_mgr.flows_timeout_inuse | 56 | 30 | 23 |
| flow_mgr.flows_removed | 61 | 48 | 24 |
| flow_mgr.rows_skipped | 65311 | 65387 | 65423 |
| flow_mgr.rows_empty | 65 | 36 | 29 |
| tcp.memuse | 1450080 | 1356080 | 1281840 |
| tcp.reassembly_memuse | 21486508 | 19303540 | 17565292 |
| http.memuse | 687984 | 507462 | 506345 |
| flow.memuse | 8512424 | 8400576 | 8313000 |

These are the alerts picked up, from eve.json:

"2022-01-05T10:28:22.000180+0000 | 1:2033055:1 | ET JA3 HASH - Possible Rclone Client Response (Mega Storage) | Potentially Bad Traffic | 1xx.xxx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:26.000448+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:28.000468+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:36.000337+0000 | 1:2027671:5 | ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound | Potential Corporate Privacy Violation | xxx.x.x.x:xxx -> 10.xx.xx.xx:yyyyy"
"2022-01-05T10:30:42.000296+0000 | 1:2028777:2 | ET JA3 Hash - [Abuse.ch] Possible Adware | Unknown Traffic | 1x.xxx.xxx.xxx:yyyyy -> 1xx.xxx.xxx.xxx:443"

But I was not able to figure out why this is happening, hence asking here. Any hint is appreciated.

Thanks!

You seem to be asking how you can get more context for the alerts that are generated. If so, there are a few ways:

Logging – Suricata has extensive logging capabilities about the network packets that it inspects. These are controlled in the Suricata configuration file – See the outputs section and then go to the types subsection within it. There, you’ll see alert, anomaly, and application layer protocols and such – enabled: yes is the default for almost all of them.

Alerts – alerts can contain additional contextual information – in the output.types section see alert and enable some of the payload/packet fields to include portions of the network stream.

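As an added example (my own script, not from this thread or from the Suricata project), the Python below reads eve.json, brackets each alert between the stats samples before and after it, and reports whether capture.kernel_packets moved in between and which context objects (flow, tls, payload, packet) the alert record already carries. The eve records are constructed samples; the only assumption is the standard eve layout of event_type, stats.capture.kernel_packets and alert.signature_id.

```python
import json
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # eve.json timestamp layout

# Constructed eve.json sample (not a real capture): stats snapshots in the
# standard nested "stats" layout around two alert records.
SAMPLE_EVE = """
{"timestamp":"2022-01-05T10:28:20.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":19625204},"detect":{"alert":12233}}}
{"timestamp":"2022-01-05T10:28:22.000180+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":443,"dest_ip":"198.51.100.5","dest_port":51000,"alert":{"signature_id":2033055,"signature":"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"},"tls":{"version":"TLS 1.2"}}
{"timestamp":"2022-01-05T10:28:28.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":19625204},"detect":{"alert":12235}}}
{"timestamp":"2022-01-05T10:28:36.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":19625204},"detect":{"alert":12236}}}
{"timestamp":"2022-01-05T10:30:42.000296+0000","event_type":"alert","src_ip":"198.51.100.5","src_port":51001,"dest_ip":"192.0.2.20","dest_port":443,"alert":{"signature_id":2028777,"signature":"ET JA3 Hash - [Abuse.ch] Possible Adware"},"flow":{"pkts_toserver":3}}
{"timestamp":"2022-01-05T10:30:50.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":19626704},"detect":{"alert":12237}}}
"""


def parse_eve(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(record):
    return datetime.strptime(record["timestamp"], TS_FMT)


def _packets(stats_record):
    return stats_record["stats"]["capture"]["kernel_packets"]


def correlate(records):
    """Bracket each alert with the nearest stats sample before and after it
    and report how far capture.kernel_packets moved between those samples.
    packet_delta == 0 means the alert fired while the capture counter stood
    still, which is the situation the thread describes. The context list
    shows which objects the alert record carries; the outputs.types.alert
    settings (payload, packet, flow, ...) control what appears there."""
    stats = sorted((r for r in records if r["event_type"] == "stats"), key=_ts)
    results = []
    for a in (r for r in records if r["event_type"] == "alert"):
        before = [s for s in stats if _ts(s) <= _ts(a)]
        after = [s for s in stats if _ts(s) > _ts(a)]
        if not before or not after:
            continue  # alert not bracketed by two stats samples; skip it
        results.append({
            "timestamp": a["timestamp"],
            "sid": a["alert"]["signature_id"],
            "signature": a["alert"]["signature"],
            "packet_delta": _packets(after[0]) - _packets(before[-1]),
            "context": sorted(k for k in ("flow", "tls", "payload", "packet") if k in a),
        })
    return results


if __name__ == "__main__":
    for r in correlate(parse_eve(SAMPLE_EVE)):
        flag = "NO NEW PACKETS" if r["packet_delta"] == 0 else f"+{r['packet_delta']} packets"
        print(f"{r['timestamp']} sid={r['sid']} {flag} context={r['context']}")
```

Pointing it at a real eve.json (`correlate(parse_eve(open("eve.json").read()))`) lists the alerts that fired between two identical capture counters, so they can be matched against the flow_mgr counters from the same interval.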