UDP port 0, no flow log

In UDP traffic where both the source and destination ports were 0, only an alert log was created, but no flow log was generated. Is this a feature, a bug, or a configuration in YAML?
Thanks.

Hello,

Could you share more info on your setup? It could be a configuration issue.

The section for outputs in the YAML file has to have flow listed for it to be enabled, for instance:

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - alert
        - http
        - flow
```

Hi,
the flow log is enabled and for other alerts, the flow is created.

```yaml
    # bi-directional flows
    - flow
    # uni-directional flows
    #- netflow
```

I saw this in another case where it was ICMP traffic with icmp_type=3 (destination unreachable) + icmp_code=3 (port unreachable), or icmp_type=11 (time exceeded) + icmp_code=0 (net unreachable). In that case, I thought it was a feature because a flow log didn't make much sense.
This UDP port 0 case has the same thing in common: the flow log was not created and the alert log did not contain a flow_id.

Do you have some examples for your scenario?

Suricata only records alerts and flow logs. In this case, an alert was generated for traffic marked as proto=UDP, src_port=0, dest_port=0. I wanted to check if any bytes were transferred, but no flow log was created for this alert. Interestingly, the alert also did not contain the flow_id attribute.

```json
{"timestamp":"2025-02-19T00:11:40.221112+0100","in_iface":"0000:51:00.1","event_type":"alert","src_ip":"192.168.0.5","src_port":0,"dest_ip":"192.168.0.15","dest_port":0,"proto":"UDP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":1088544019,"rev":1,"signature":"Suricata Alert","category":"Potentially Bad Traffic","severity":1},"host":"suricata"}
```
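The check the poster wants to make (does an alert have a matching flow record, and how many bytes moved on that flow) can be scripted against eve.json by joining alert and flow events on flow_id. The script below is an added example, not code from the thread or from the Suricata project; the eve.json lines embedded in it are constructed (the flow_id, ports, byte counters and the first signature are made up; only the UDP port 0 alert mirrors the one posted above).

```python
import json

# Constructed sample eve.json lines (not from the original post). The first
# alert carries a flow_id and has a matching flow record; the last one is a
# UDP port 0 alert with no flow_id, as described in the thread.
SAMPLE_EVE = r"""
{"timestamp":"2025-02-19T00:11:40.221112+0100","event_type":"alert","flow_id":1234567890123456,"src_ip":"192.168.0.5","src_port":53412,"dest_ip":"192.168.0.15","dest_port":53,"proto":"UDP","alert":{"signature_id":1000001,"signature":"constructed udp alert"}}
{"timestamp":"2025-02-19T00:12:10.000000+0100","event_type":"flow","flow_id":1234567890123456,"src_ip":"192.168.0.5","src_port":53412,"dest_ip":"192.168.0.15","dest_port":53,"proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":120,"state":"established","reason":"timeout","alerted":true}}
{"timestamp":"2025-02-19T00:11:40.221112+0100","event_type":"alert","src_ip":"192.168.0.5","src_port":0,"dest_ip":"192.168.0.15","dest_port":0,"proto":"UDP","alert":{"signature_id":1088544019,"signature":"Suricata Alert"}}
"""


def parse_eve(text):
    """Parse newline-delimited JSON (eve.json) into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def five_tuple(ev):
    """Human-readable src:port -> dst:port/proto for a report row."""
    return "%s:%s -> %s:%s/%s" % (ev.get("src_ip"), ev.get("src_port"),
                                  ev.get("dest_ip"), ev.get("dest_port"),
                                  ev.get("proto"))


def correlate_alerts(events):
    """Match each alert to its flow record by flow_id.

    Returns one dict per alert whose 'status' is one of:
      'flow logged'          flow record found; byte counters are included
      'flow_id but no flow'  flow_id present but no flow record (yet): flow
                             events are only written when the flow ends or
                             times out, so read the whole file, not a tail
      'no flow_id'           the alert carries no flow_id at all, so it can
                             never be joined to a flow record
    """
    flows = {ev["flow_id"]: ev for ev in events
             if ev.get("event_type") == "flow" and "flow_id" in ev}
    report = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        entry = {"tuple": five_tuple(ev),
                 "sid": ev.get("alert", {}).get("signature_id")}
        fid = ev.get("flow_id")
        if fid is None:
            entry["status"] = "no flow_id"
        elif fid in flows:
            f = flows[fid]["flow"]
            entry["status"] = "flow logged"
            entry["bytes_toserver"] = f.get("bytes_toserver", 0)
            entry["bytes_toclient"] = f.get("bytes_toclient", 0)
        else:
            entry["status"] = "flow_id but no flow"
        report.append(entry)
    return report


def correlate_file(path):
    """Run the correlation over a real eve.json on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return correlate_alerts(parse_eve(fh.read()))


if __name__ == "__main__":
    for row in correlate_alerts(parse_eve(SAMPLE_EVE)):
        print(row)
```

Run it as `python3 eve_corr.py` for the embedded sample, or call `correlate_file("/var/log/suricata/eve.json")` on a live log. An alert in the `no flow_id` state is exactly the symptom in this thread; an alert in the `flow_id but no flow` state usually just means the flow has not timed out yet.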

Can you share your full suricata.yaml, stats.log, suricata.log and also suricata --build-info?
Ideally also a pcap with such a traffic as example.

suricata.yaml (81.3 KB)
stats.eve.json (8.8 KB)
build-info.log (4.3 KB)
I’m sorry, but this is minimalist logging and pcap is not possible.

I would first upgrade to the latest 7.0.x release, which is 7.0.8 as of today.
Also attach the exact run command; the suricata.log is still missing, and it is needed to see any potential issues.
Also, in the stats.log there are several rx_errors, so it could be related, but it doesn't have to be.

Otherwise try to see if you can forge a test pcap to reproduce it.
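A test pcap with UDP source and destination port 0 can be forged without scapy or a capture box, which is what the reply above asks for. The script below is an added example, not from the thread or the Suricata project: it writes a classic libpcap file by hand with two frames (one in each direction) using the IP addresses from the posted alert; the MAC addresses, IP IDs and timestamp are made-up values.

```python
import socket
import struct

# IPs are the ones from the alert in the thread; MACs are made up.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.168.0.5"
DST_IP = "192.168.0.15"


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header (0 when valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload, ident=1):
    """Ethernet/IPv4/UDP frame. Port 0 is legal on the wire; a UDP checksum
    of 0 means 'not computed' for IPv4 (RFC 768), so it is not a bad checksum."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0,
                         64, socket.IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # Fill in the header checksum (bytes 10-11) now that the rest is fixed.
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth + ip_hdr + udp


def build_pcap(frames, ts_sec=1739920300):
    """Classic libpcap file: magic 0xa1b2c3d4, v2.4, link type 1 (Ethernet).
    ts_sec is an arbitrary fixed epoch; each frame gets a 1 ms later usec."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, i * 1000, len(frame), len(frame))
        out += frame
    return out


def udp_ports(frame):
    """Read the UDP ports back out of a frame built above (14 eth + 20 ip)."""
    return struct.unpack("!HH", frame[34:38])


def write_pcap(path, frames):
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames))


if __name__ == "__main__":
    # One packet each way so Suricata sees both directions of the flow.
    frames = [
        build_udp_frame(SRC_IP, DST_IP, 0, 0, b"\x00" * 16, ident=1),
        build_udp_frame(DST_IP, SRC_IP, 0, 0, b"\x00" * 16, ident=2),
    ]
    write_pcap("udp_port0.pcap", frames)
```

Replay it offline with `suricata -r udp_port0.pcap -c /etc/suricata/suricata.yaml -l /tmp/udp0` and then look at `/tmp/udp0/eve.json`: in pcap-file mode Suricata times out and logs remaining flows on exit, so if a flow record for the port 0 pair is ever going to appear it will appear there, and the alert can be checked for a flow_id in the same file.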

stats.log (772.6 KB)

```sh
suricata -c /etc/suricata/suricata.yaml -vv --dpdk --pidfile /var/run/suricata/suricata.pid
```

I’ll try the upgrade. It’s not a frequent event, so I’ll see afterwards and let you know if necessary. Thanks.