Hello,
What is the usage of drop.log
file? Is it about the attempts that blocked by Suricata-IDS?
Thank you.
Drop.log uses a format that is similar to the iptables log and isn’t particularly useful on its own other than letting you know that something was dropped. In fact we have removed this output from Suricata 6.0.0, but you can still get the same information via “drop” event types in the eve.json.

However, the alerts in eve.json may be more useful. For example:
```json
{
  "timestamp": "2020-03-26T15:02:06.046681+0000",
  "flow_id": 746850855319537,
  "pcap_cnt": 103,
  "event_type": "alert",
  "src_ip": "192.168.1.210",
  "src_port": 80,
  "dest_ip": "192.168.1.100",
  "dest_port": 35820,
  "proto": "TCP",
  "tx_id": 0,
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2,
    "rev": 2,
    "signature": "Malicious file detected",
```
Here you can see under the alert action that it was blocked. If this was not an alert rule, or you are not running in IPS mode, the action would be allowed.
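As an added example (not code from the thread or from the Suricata project), the script below reads eve.json as line-delimited JSON and pulls out the two event kinds discussed above: alert events whose `alert.action` is `blocked`, and `drop` events (which carry the triggering alert when the eve-log drop type is configured with `alerts: yes`). The sample lines are constructed for the example and are not real Suricata output; the field names follow the record shown above.

```python
import json
from collections import Counter

# Constructed sample eve.json content (not real Suricata output): one blocked
# alert, one allowed alert, one drop event, one flow record, one malformed line.
SAMPLE_EVE = """\
{"timestamp":"2020-03-26T15:02:06.046681+0000","flow_id":746850855319537,"event_type":"alert","src_ip":"192.168.1.210","src_port":80,"dest_ip":"192.168.1.100","dest_port":35820,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2,"rev":2,"signature":"Malicious file detected","severity":3}}
{"timestamp":"2020-03-26T15:02:07.000000+0000","flow_id":746850855319538,"event_type":"alert","src_ip":"192.168.1.211","src_port":443,"dest_ip":"192.168.1.100","dest_port":35821,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":3,"rev":1,"signature":"Suspicious user agent","severity":3}}
{"timestamp":"2020-03-26T15:02:08.000000+0000","flow_id":746850855319537,"event_type":"drop","src_ip":"192.168.1.210","src_port":80,"dest_ip":"192.168.1.100","dest_port":35820,"proto":"TCP","drop":{"len":60,"tos":0,"ttl":64,"ipid":1234,"tcpseq":1,"tcpack":1,"tcpwin":512,"syn":false,"ack":true},"alert":{"action":"blocked","gid":1,"signature_id":2,"rev":2,"signature":"Malicious file detected"}}
{"timestamp":"2020-03-26T15:02:09.000000+0000","flow_id":746850855319539,"event_type":"flow","src_ip":"172.20.2.31","src_port":57672,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":0,"alerted":false}}
not json at all
"""


def parse_eve(text):
    """Yield one dict per well-formed JSON line.

    eve.json is line-delimited JSON; blank lines and a partially written
    last line (Suricata still appending) are skipped rather than aborting.
    """
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def blocked_events(events):
    """Return events showing Suricata blocked traffic.

    That is: alert events with alert.action == "blocked", plus drop events
    (present only when the eve-log "drop" type is enabled).
    """
    out = []
    for ev in events:
        et = ev.get("event_type")
        if et == "drop":
            out.append(ev)
        elif et == "alert" and ev.get("alert", {}).get("action") == "blocked":
            out.append(ev)
    return out


def summarize(text):
    """Count events per type and per alert action, and tally blocked signatures."""
    events = list(parse_eve(text))
    by_type = Counter(ev.get("event_type") for ev in events)
    actions = Counter(
        ev["alert"]["action"]
        for ev in events
        if ev.get("event_type") == "alert" and "alert" in ev
    )
    blocked = blocked_events(events)
    sigs = Counter(ev.get("alert", {}).get("signature", "<no alert>") for ev in blocked)
    return {
        "by_type": dict(by_type),
        "alert_actions": dict(actions),
        "blocked_count": len(blocked),
        "blocked_signatures": dict(sigs),
    }


if __name__ == "__main__":
    import sys

    # Pass a real eve.json path as the first argument; otherwise the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

Note that a blocked alert and the drop event for the same packet share a `flow_id`, so when both the alert and drop types are enabled the same block shows up twice; count on one or the other, or group by `flow_id`, when reporting.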
Do you mean the eve.json file?

```json
{"timestamp":"2020-10-14T17:33:14.000111+0330","flow_id":1374164132955822,"event_type":"flow","src_ip":"172.20.2.31","src_port":57672,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":53,"bytes_toclient":0,"start":"2020-10-14T17:32:42.657070+0330","end":"2020-10-14T17:32:42.657070+0330","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2020-10-14T17:33:14.000212+0330","flow_id":249844772156887,"event_type":"flow","src_ip":"104.248.145.254","src_port":57042,"dest_ip":"172.20.100.63","dest_port":21004,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":40,"bytes_toclient":68,"start":"2020-10-14T17:32:12.636375+0330","end":"2020-10-14T17:32:12.636595+0330","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
```
I got an error:

```
# suricata -T
14/10/2020 -- 17:35:21 - <Info> - Running suricata under test mode
14/10/2020 -- 17:35:21 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
14/10/2020 -- 17:35:21 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - The drop log has been deprecated and will be removed by June 2020. Please use eve-log.
14/10/2020 -- 17:35:28 - <Notice> - Configuration provided was successfully loaded. Exiting.
```
Yes, this is the eve log I was referring to. It’s a single file with all event types in it. You’ll find alerts in there as well. You can trim down the types of logs you want to see in the configuration file.
This is just a warning that the “drop.log” feature has been deprecated and will be removed. As mentioned it has been removed in the most recent release, 6.0.0.
Thank you.
In which part of the configuration file can I define the log about blocked attack attempts?
Under the eve-log configuration you can enable the drop events. They are disabled by default; I’m going to guess it’s that way as you can also see the blocked attacks in the alert events. But if you want to enable it, you can.
Thank you.
I enabled the below option:

```yaml
        - drop:
            alerts: yes      # log alerts that caused drops
```

And after it, I got the below error:
```
# suricata-update
15/10/2020 -- 11:13:07 - <Info> -- Using data-directory /var/lib/suricata.
15/10/2020 -- 11:13:07 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
15/10/2020 -- 11:13:07 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
15/10/2020 -- 11:13:07 - <Info> -- Found Suricata version 5.0.3 at /sbin/suricata.
15/10/2020 -- 11:13:07 - <Info> -- Loading /etc/suricata/drop.conf.
15/10/2020 -- 11:13:07 - <Info> -- Loading /etc/suricata/suricata.yaml
15/10/2020 -- 11:13:07 - <Info> -- Disabling rules for protocol modbus
15/10/2020 -- 11:13:07 - <Info> -- Disabling rules for protocol dnp3
15/10/2020 -- 11:13:07 - <Info> -- Disabling rules for protocol enip
15/10/2020 -- 11:13:07 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.md5.
15/10/2020 -- 11:13:09 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
 100% - 2723936/2723936
15/10/2020 -- 11:13:11 - <Info> -- Done.
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
15/10/2020 -- 11:13:11 - <Info> -- Ignoring file rules/emerging-deleted.rules
15/10/2020 -- 11:13:14 - <Info> -- Loaded 28083 rules.
15/10/2020 -- 11:13:19 - <Info> -- Disabled 14 rules.
15/10/2020 -- 11:13:19 - <Info> -- Enabled 0 rules.
15/10/2020 -- 11:13:19 - <Info> -- Modified 0 rules.
15/10/2020 -- 11:13:19 - <Info> -- Dropped 6851 rules.
15/10/2020 -- 11:13:19 - <Info> -- Enabled 145 rules for flowbit dependencies.
15/10/2020 -- 11:13:19 - <Info> -- Backing up current rules.
15/10/2020 -- 11:13:22 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28083; enabled: 21075; added: 16; removed 0; modified: 1300
15/10/2020 -- 11:13:23 - <Info> -- Testing with suricata -T.
15/10/2020 -- 11:13:23 - <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - The drop log has been deprecated and will be removed by June 2020. Please use eve-log.
15/10/2020 -- 11:13:23 - <Error> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - only one 'drop' logger can be enabled
15/10/2020 -- 11:13:23 - <Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "drop": setup failed
15/10/2020 -- 11:13:23 - <Error> -- Suricata test failed, aborting.
15/10/2020 -- 11:13:23 - <Error> -- Restoring previous rules.
```
Then I disabled the below option:

```yaml
  # deprecated a line based information for dropped packets in IPS mode
  # - drop:
  #     enabled: yes
  #     further options documented at:
  #     https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-$
```

After that, I never got the above error. Is it OK? What is the usage of the above “drop” option?
No real advantage. We dropped the standalone “drop.log” as it can also exist in eve. As eve is the “new” logger, we’re deprecating over time the other outputs that it replaces. It’s been disabled by default for a while, with a note about its deprecation.
When I disabled the second drop option, I can see that Suricata-IDS is writing to the “drop.log” file.
Is everything OK about my drop log option?
Yes, looks fine. You will no longer have a “drop.log” file anymore. Instead “drop” events will go into “eve.json”.