Why is flow.bytes_toserver negative?

Hey guys,

First of all, I am a newcomer to this topic so please excuse my ignorance :wink:
Suricata has recorded a data flow in my home network whose flow.bytes_toserver value is less than 0. I would now like to understand why this value is negative.

{
    "_index": "logstash-2024.02.04",
    "_type": "_doc",
    "_id": "q41Zdo0BYCYxD5dTuvOA",
    "_version": 1,
    "_score": 1,
    "_source": {
        "@timestamp": "2024-02-04T23:00:03.551Z",
        "flow_id": -229598420,
        "in_iface": "eth0",
        "event_type": "flow",
        "src_port": 55352,
        "dest_ip": "10.0.0.12",
        "tcp": {
            "tcp_flags_tc": "00",
            "tcp_flags": "00",
            "tcp_flags_ts": "00"
        },
        "proto": "TCP",
        "flow": {
            "pkts_toserver": 1666231,
            "pkts_toclient": 302859,
            "bytes_toserver": -2110249274,
            "bytes_toclient": 24008694,
            "end": "2024-02-05T00:00:03.066008+0100",
            "reason": "shutdown",
            "state": "new",
            "duration": 777374876,
            "alerted": false,
            "start": "2024-02-04T22:26:28.187398+0100",
            "age": 5615
        },
        "src_ip": "10.0.0.20",
        "dest_port": 3260
    }
}

In this case, the src_ip is my Suricata Raspberry Pi host and the dest_ip is my internal NAS. I have created a virtual iSCSI volume on my NAS for logging and storage purposes, mounted it on my Raspberry Pi and configured Suricata to store the log files in the iSCSI volume. Should I take the negative flow.bytes_toserver value to mean that an upload from the Raspberry Pi to the NAS has taken place, or are there other reasons for the value?

Thanks

Hello Luca,

I think the value corresponds to an overflow.
If I'm right, the values are encoded as signed integers. The value is then between -2147483648 and 2147483647.
When the value reaches the maximum value, it wraps around and becomes -2147483648 instead of 2147483648.
The correct value here should be -2110249274 + 2147483648 * 2 = 2184718022 bytes in your case.

It can happen, as Suricata is a 32-bit tool, for the biggest flows.

Hope it answers your question,
Regards

Hey Juquod,

That actually makes sense, I'm going to write a transformer that checks for negative values and calculates them correctly using your formula.

Thanks,
Luca
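As an added example (not code from this thread, from Suricata or from Logstash), here is a small Python transformer of the kind Luca describes: it applies Juquod's formula to negative counters in an EVE `flow` record, keeps the raw value for auditing, and adds a bytes-per-packet plausibility check. The sample event is constructed from the values in the question; the 40-byte minimum per TCP packet used in the check is my assumption.

```python
"""Unwrap negative Suricata EVE flow counters that overflowed a signed 32-bit int."""
import json

INT32_MIN = -2**31
UINT32_MOD = 2**32  # one full wrap of a 32-bit counter (2147483648 * 2)
COUNTER_FIELDS = ("bytes_toserver", "bytes_toclient", "pkts_toserver", "pkts_toclient")
MIN_TCP_PKT_BYTES = 40  # assumption: IPv4 + TCP headers with no options, no payload


def unwrap_int32(value: int) -> int:
    """Map a value that wrapped once in a signed 32-bit integer back to the
    intended unsigned count: value + 2**32 (Juquod's formula). Positive values
    are returned unchanged, since a single wrap can only produce negatives."""
    if value < INT32_MIN:
        raise ValueError(f"{value} cannot come from a 32-bit counter")
    return value + UINT32_MOD if value < 0 else value


def fix_flow_counters(event: dict) -> dict:
    """Return a deep copy of an EVE 'flow' event with negative counters unwrapped.
    The original value is kept under flow.<field>_raw so the edit is auditable."""
    if event.get("event_type") != "flow" or "flow" not in event:
        return event
    fixed = json.loads(json.dumps(event))  # deep copy, leave the input untouched
    flow = fixed["flow"]
    for field in COUNTER_FIELDS:
        raw = flow.get(field)
        if isinstance(raw, int) and raw < 0:
            flow[field + "_raw"] = raw
            flow[field] = unwrap_int32(raw)
    return fixed


def avg_bytes_per_pkt(flow: dict, direction: str) -> float:
    """Plausibility check: a wrapped counter gives an impossible per-packet size.
    Anything below MIN_TCP_PKT_BYTES (or negative) means the counter is suspect,
    including the case where it wrapped more than once and looks positive."""
    pkts = flow[f"pkts_{direction}"]
    return flow[f"bytes_{direction}"] / pkts if pkts else 0.0


# Constructed sample: the flow from the question, reduced to the relevant fields.
SAMPLE_EVENT = {
    "event_type": "flow",
    "flow": {
        "pkts_toserver": 1666231,
        "pkts_toclient": 302859,
        "bytes_toserver": -2110249274,
        "bytes_toclient": 24008694,
    },
}

if __name__ == "__main__":
    print(json.dumps(fix_flow_counters(SAMPLE_EVENT)["flow"], indent=2))
```

For the sample flow the unwrapped value works out to about 1311 bytes per packet, which fits an iSCSI write stream on a 1500-byte MTU, whereas the raw value implies a negative packet size.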