Hi all, I’m having trouble collecting logs with Suricata. I checked whether the SPAN port copies the network traffic, and it turned out to be fine. On the interface with the system’s Internet exit, Suricata sees traffic. I also tested testmyids.com and the response was good. What could be the reason why, after setting up the interface with the SPAN port, nothing at all appears in eve.json?
Can you post your Suricata configuration file?
What rule(s) files are you using? No need to post them … would like to know the origin (ET/proofpoint?) and how many.
What version of Suricata are you using?
Was a stats.log file generated (in the configured log directory)? If so, does it show non-zero values for packets/bytes?
suricata.yaml (39.8 KB)
Rules are from Proofpoint; there are about 30 files. Version of Suricata: 1.1
Yes, the file is in the correct directory and is generated. Below I am pasting a sample log from it:

Date: 12/21/2021 -- 21:00:09 (uptime: 0d, 09h 33m 05s)

Counter | TM Name | Value
--- | --- | ---
capture.kernel_packets | Total | 108305
decoder.pkts | Total | 108305
decoder.bytes | Total | 11033797
decoder.ipv4 | Total | 1257
decoder.ipv6 | Total | 24882
decoder.ethernet | Total | 108305
decoder.udp | Total | 1368
decoder.icmpv6 | Total | 24771
decoder.avg_pkt_size | Total | 101
decoder.max_pkt_size | Total | 452
flow.udp | Total | 647
flow.icmpv6 | Total | 1
app_layer.flow.failed_udp | Total | 647
flow_mgr.new_pruned | Total | 646
flow.spare | Total | 10000
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65536
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 98304
flow.memuse | Total | 7474960
Have you confirmed that the span port is mirroring both sides of the connection?
Might be good to use tcpdump to get a simple capture of an HTTP request to confirm that it’s seeing everything.
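One way to read a stats.log dump like the one above for signs that the mirror is not delivering real flows, as an added example that is not from this thread: a small Python parser plus a few sanity checks. The sample text is the excerpt posted above, re-laid out in stats.log's own column format; the counter names are Suricata's own stats.log counters, while the thresholds and finding texts are assumptions made for this example.

```python
# Constructed sample: the excerpt quoted above, laid out in stats.log's format.
SAMPLE_STATS = """\
Date: 12/21/2021 -- 21:00:09 (uptime: 0d, 09h 33m 05s)
------------------------------------------------------------------------------
Counter                   | TM Name | Value
------------------------------------------------------------------------------
capture.kernel_packets    | Total   | 108305
decoder.pkts              | Total   | 108305
decoder.ipv4              | Total   | 1257
decoder.ipv6              | Total   | 24882
decoder.udp               | Total   | 1368
decoder.icmpv6            | Total   | 24771
flow.udp                  | Total   | 647
app_layer.flow.failed_udp | Total   | 647
"""

def parse_stats(text):
    """Return {counter: value} for the last dump found in stats.log text."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("Date:"):
            counters = {}  # a new dump starts; keep only the latest one
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters

def diagnose(counters):
    """Return findings about what the capture interface is actually seeing (thresholds assumed)."""
    pkts = counters.get("capture.kernel_packets", 0)
    if pkts == 0:
        return ["no packets reached Suricata: check interface name and link"]
    findings = []
    drops = counters.get("capture.kernel_drops", 0)
    if drops:
        findings.append(f"kernel drops: {drops} of {pkts} packets")
    ipv4, ipv6 = counters.get("decoder.ipv4", 0), counters.get("decoder.ipv6", 0)
    non_ip = pkts - ipv4 - ipv6
    if non_ip / pkts > 0.5:
        findings.append(f"{non_ip} of {pkts} frames are not IPv4/IPv6")
    if counters.get("decoder.tcp", 0) == 0:
        findings.append("no TCP decoded: mirrored traffic contains no TCP sessions")
    icmp6 = counters.get("decoder.icmpv6", 0)
    if ipv6 and icmp6 / ipv6 > 0.9:
        findings.append("IPv6 is almost all ICMPv6: local link chatter, not mirrored flows")
    if counters.get("flow.udp") and counters["flow.udp"] == counters.get("app_layer.flow.failed_udp"):
        findings.append("every UDP flow failed app-layer detection")
    return findings
```

Run `diagnose(parse_stats(open("/var/log/suricata/stats.log").read()))` against a live stats.log to get the same checks on the current dump.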
I didn’t check it. Tomorrow morning I will have access to the hardware and I will check with tcpdump.