Suricata running on a test host detected few alerts while there was no traffic on listening port

Help
1

Hello all,

The $subject says it all, basically.

I’ve an instance of Suricata running on a testing host. Suricata is configured to listen an interface (af-packet) which is directly connected to another host that we use when we want to inject testing traffic via tcpreplay.

I’ve noticed that when we were not testing, detect.alert stat was rising:

Date: 1/5/2022 -- 10:28:28 (uptime: 0d, 18h 59m 58s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12235                     [+ 2]
Date: 1/5/2022 -- 10:28:36 (uptime: 0d, 19h 00m 06s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12236                     [+ 1]

I had a look at the counters (listing only the one that have changed between samples):

Counter 10:28:20 10:28:28 10:28:36
capture.kernel_packets 19625204 19625204 19625204
detect.alert 12233 12235 12236
app_layer.flow.tls 17361 17403 17423
flow_mgr.est_pruned 23917 24314 24524
flow.spare 10061 10048 10024
flow_mgr.flows_checked 170 117 86
flow_mgr.flows_timeout 117 78 47
flow_mgr.flows_timeout_inuse 56 30 23
flow_mgr.flows_removed 61 48 24
flow_mgr.rows_skipped 65311 65387 65423
flow_mgr.rows_empty 65 36 29
tcp.memuse 1450080 1356080 1281840
tcp.reassembly_memuse 21486508 19303540 17565292
http.memuse 687984 507462 506345
flow.memuse 8512424 8400576 8313000

These are the alerts picked - From eve.json

"2022-01-05T10:28:22.000180+0000 | 1:2033055:1 | ET JA3 HASH - Possible Rclone Client Response (Mega Storage) | Potentially Bad Traffic | 1xx.xxx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:26.000448+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:28.000468+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:36.000337+0000 | 1:2027671:5 | ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound | Potential Corporate Privacy Violation | xxx.x.x.x:xxx -> 10.xx.xx.xx:yyyyy"
"2022-01-05T10:30:42.000296+0000 | 1:2028777:2 | ET JA3 Hash - [Abuse.ch] Possible Adware | Unknown Traffic | 1x.xxx.xxx.xxx:yyyyy -> 1xx.xxx.xxx.xxx:443"

But I was not able to figure out why this is happening, hence asking here. Any hint is appreciated.

Thanks!

2

You seem to be asking how you can get more context for the alerts that are generated. If so, there are a few ways

Logging – Suricata has extensive logging capabilities about the network packets that it inspects. These are controlled in the Suricata configuration file – See the outputs section and then go to the types subsection within it. There, you’ll see alert, anomaly, and application layer protocols and such – enabled: yes is the default for almost all of them.

Alerts – alerts can contain additional contextual information – in the output.types section see alert and enable some of the payload/packet fields to include portions of the network stream.

1 Like