- Suricata version: 7.0.2
- Operating system and/or Linux distribution: Debian GNU/Linux 12 (bookworm) (Raspberry PI 5)
- How you installed Suricata (from source, packages, something else): From source following (mostly) this guide: Spot suspicious activity on your local network with Suricata Intrusion Detection System (IDS) on Raspberry Pi - Juliana Fajardini (wordpress.com)
Hey guys,
First of all, I am a newcomer to this topic, so please excuse my ignorance.
Suricata has recorded a data flow in my home network whose flow.bytes_toserver value is less than 0. I would now like to understand why this value is negative.
{
  "_index": "logstash-2024.02.04",
  "_type": "_doc",
  "_id": "q41Zdo0BYCYxD5dTuvOA",
  "_version": 1,
  "_score": 1,
  "_source": {
    "@timestamp": "2024-02-04T23:00:03.551Z",
    "flow_id": -229598420,
    "in_iface": "eth0",
    "event_type": "flow",
    "src_port": 55352,
    "dest_ip": "10.0.0.12",
    "tcp": {
      "tcp_flags_tc": "00",
      "tcp_flags": "00",
      "tcp_flags_ts": "00"
    },
    "proto": "TCP",
    "flow": {
      "pkts_toserver": 1666231,
      "pkts_toclient": 302859,
      "bytes_toserver": -2110249274,
      "bytes_toclient": 24008694,
      "end": "2024-02-05T00:00:03.066008+0100",
      "reason": "shutdown",
      "state": "new",
      "duration": 777374876,
      "alerted": false,
      "start": "2024-02-04T22:26:28.187398+0100",
      "age": 5615
    },
    "src_ip": "10.0.0.20",
    "dest_port": 3260
  }
}
In this case, the src_ip is my Suricata Raspberry PI host and the dest_ip is my internal NAS. I have created a virtual iSCSI volume on my NAS for logging and storage purposes, mounted it on my Raspberry PI and configured Suricata to store the log files in the iSCSI volume. Should I take the negative flow.bytes_toserver value to mean that an upload from the Raspberry PI to the NAS has taken place, or are there other reasons for the value?
Thanks
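An added example, not part of the original post and not Suricata project code: Suricata keeps its per-flow byte and packet counters as unsigned 64-bit values, so a negative counter in a stored EVE record usually points at a stage after Suricata's output (for instance a Logstash/Elasticsearch mapping that declared the field as a 32-bit integer) truncating the number. The record above also carries a negative flow_id, which is a 64-bit value in Suricata, so that reading fits. The script below takes one EVE flow line (a constructed sample built from the counters quoted in the post), flags negative counters, reinterprets them as unsigned 32-bit values on the assumption that the true value wrapped only once, and sanity-checks the recovered number through the average bytes per packet in each direction. The truncation explanation is the author's assumption about the poster's pipeline, not something the post confirms.

```python
"""Detect signed 32-bit wraparound in EVE flow byte/packet counters (added example)."""
import json

INT32_MIN = -(2 ** 31)
UINT32_MOD = 2 ** 32
# Sanity bounds for an average TCP segment on the wire: IPv4+TCP headers .. 64 KiB.
MIN_AVG_BYTES, MAX_AVG_BYTES = 40, 65535

# Constructed sample: the counters from the forum post, trimmed to the fields used here.
SAMPLE_EVE = json.dumps({
    "flow_id": -229598420,
    "event_type": "flow",
    "proto": "TCP",
    "src_ip": "10.0.0.20", "src_port": 55352,
    "dest_ip": "10.0.0.12", "dest_port": 3260,
    "flow": {
        "pkts_toserver": 1666231, "pkts_toclient": 302859,
        "bytes_toserver": -2110249274, "bytes_toclient": 24008694,
    },
})


def reinterpret_uint32(value: int) -> int:
    """Return the unsigned 32-bit reading of an int32-truncated counter.

    Assumes the true value was below 2**32 (a single wrap). Above that the low
    32 bits alone cannot identify it, which is why the plausibility check in
    analyze_flow() matters.
    """
    if INT32_MIN <= value < 0:
        return value + UINT32_MOD
    return value


def avg_bytes_per_packet(byte_count: int, pkt_count: int) -> float:
    """Average payload-plus-headers size per packet; 0.0 when there were no packets."""
    return byte_count / pkt_count if pkt_count > 0 else 0.0


def analyze_flow(eve_line: str) -> dict:
    """Inspect one EVE flow record (a JSON line) for truncated counters."""
    record = json.loads(eve_line)
    flow = record.get("flow", {})
    report = {
        # flow_id is 64-bit in Suricata; a negative one is a second hint that
        # the storage pipeline squeezed 64-bit numbers into 32-bit fields.
        "flow_id_negative": record.get("flow_id", 0) < 0,
        "fields": {},
    }
    for direction in ("toserver", "toclient"):
        raw_bytes = flow.get(f"bytes_{direction}")
        raw_pkts = flow.get(f"pkts_{direction}")
        if raw_bytes is None or raw_pkts is None:
            continue
        rec_bytes = reinterpret_uint32(raw_bytes)
        rec_pkts = reinterpret_uint32(raw_pkts)
        avg = avg_bytes_per_packet(rec_bytes, rec_pkts)
        report["fields"][f"bytes_{direction}"] = {
            "raw": raw_bytes,
            "truncated": raw_bytes < 0,
            "recovered": rec_bytes,
            "avg_bytes_per_pkt": round(avg, 1),
            # A recovered value whose per-packet average is outside what TCP can
            # carry would mean the single-wrap assumption does not hold.
            "plausible": MIN_AVG_BYTES <= avg <= MAX_AVG_BYTES,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(analyze_flow(SAMPLE_EVE), indent=2))
```

On the sample, bytes_toserver recovers to 2184718022, which is about 1311 bytes per packet over 1.67 million packets toward port 3260, a size that fits a sustained iSCSI write from the Pi to the NAS, while the toclient direction (about 79 bytes per packet) is untouched. The practical check that follows from this is to look at the index mapping of the flow.bytes_* and flow_id fields in the Elasticsearch index and compare it with the raw eve.json line Suricata wrote for the same flow_id.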