Bug #2057

closed

eve.json flow logs do not contain in_iface

Added by Rusty Wilson about 7 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I am listing this as a bug rather than a feature, due to the importance of being able to source the interface from which traffic is captured.

I have a client with 2 monitoring interfaces and multiple vlans, many of which must traverse both mirrored (spanned) interfaces to communicate with internal servers, etc. The topology is anything but straight-forward, and the amount of duplicate traffic is nothing short of overwhelming.

I have attempted to discern the sources of traffic and relate it to one of the interfaces in use. However, this is proving to be almost impossible to do without the ability to differentiate between each interface using flow records.

in_iface is logged in event type: dns, tls, http, fileinfo, alert, and ssh, but not always, which is curious by itself.

I have attached samples of each as well as the yaml.

Suricata version 3.1.3.


Files

present_in_iface.json (1.66 KB) - in_iface logged - Rusty Wilson, 03/06/2017 02:57 PM
missing_in_iface.json (1.74 KB) - in_iface not logged - Rusty Wilson, 03/06/2017 02:57 PM
suricata.yaml (15.9 KB) - suricata configuration - Rusty Wilson, 03/06/2017 02:57 PM
in_iface_missing.json (255 Bytes) - marie g, 07/14/2017 07:01 AM
in_iface_ok.json (572 Bytes) - marie g, 07/14/2017 07:01 AM
tcpdump_session.txt (5.24 KB) - marie g, 07/14/2017 07:01 AM

Related issues (1: 0 open, 1 closed)

Related to Suricata - Bug #1324: vlan tag in eve.json (Closed, Community Ticket)

#1

Updated by Victor Julien about 7 years ago

This is likely related to stream end and/or flow timeout pseudo packets. For those the iface isn't available. Defrag packets could also be affected maybe.
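The triage that the reporter describes by hand, as an added example that is not part of this ticket or of Suricata: tally, per event_type, how many EVE records lack in_iface and vlan, then use the flow_id that EVE writes into every record of a flow to copy the interface from an application-layer record (http, dns, ...) onto the flow record that was written from a timeout pseudo packet. The eve.json lines are constructed here, not the attachments above; the in_iface_backfilled marker is a hypothetical field added by this script, not a Suricata one. The example also covers the duplicate-traffic case from the description: when the same flow_id has been seen with two different interfaces, it keeps the first and reports the flow as a conflict rather than silently picking one.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (not the ticket's attachments). Layout follows
# the Suricata 3.x EVE format: application-layer records carry in_iface (and
# vlan when the frame was tagged); the flow records emitted at flow timeout
# carry neither, which is the behaviour discussed in this ticket.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2017-03-06T14:00:01.000000+0000","flow_id":1,"in_iface":"eth1","event_type":"http","vlan":100,'
    '"src_ip":"10.0.1.5","src_port":51000,"dest_ip":"10.0.2.9","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"intranet.example","url":"/"}}',
    '{"timestamp":"2017-03-06T14:01:10.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.1.5",'
    '"src_port":51000,"dest_ip":"10.0.2.9","dest_port":80,"proto":"TCP",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":5,"reason":"timeout"}}',
    '{"timestamp":"2017-03-06T14:00:02.000000+0000","flow_id":2,"in_iface":"eth2","event_type":"dns","vlan":200,'
    '"src_ip":"10.0.3.7","src_port":40001,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"intranet.example","rrtype":"A"}}',
    '{"timestamp":"2017-03-06T14:00:40.000000+0000","flow_id":2,"event_type":"flow","src_ip":"10.0.3.7",'
    '"src_port":40001,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP",'
    '"flow":{"pkts_toserver":1,"pkts_toclient":1,"reason":"timeout"}}',
    # Same flow seen again on the second span port (duplicate traffic case).
    '{"timestamp":"2017-03-06T14:00:01.500000+0000","flow_id":1,"in_iface":"eth2","event_type":"fileinfo",'
    '"src_ip":"10.0.1.5","src_port":51000,"dest_ip":"10.0.2.9","dest_port":80,"proto":"TCP",'
    '"fileinfo":{"filename":"/","size":512}}',
    # Flow with no application-layer record at all: nothing to backfill from.
    '{"timestamp":"2017-03-06T14:02:00.000000+0000","flow_id":4,"event_type":"flow","src_ip":"10.0.1.6",'
    '"src_port":51002,"dest_ip":"10.0.2.9","dest_port":443,"proto":"TCP",'
    '"flow":{"pkts_toserver":3,"pkts_toclient":0,"reason":"timeout"}}',
    # Application-layer record that itself lacks in_iface/vlan (marie g's case).
    '{"timestamp":"2017-03-06T14:00:05.000000+0000","flow_id":5,"event_type":"tls","src_ip":"10.0.1.8",'
    '"src_port":51003,"dest_ip":"10.0.2.9","dest_port":443,"proto":"TCP","tls":{"sni":"intranet.example"}}',
    '{"timestamp":"2017-03-06T14:03:00.000000+0000","flow_id":5,"event_type":"flow","src_ip":"10.0.1.8",'
    '"src_port":51003,"dest_ip":"10.0.2.9","dest_port":443,"proto":"TCP",'
    '"flow":{"pkts_toserver":4,"pkts_toclient":4,"reason":"timeout"}}',
])


def load_events(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_field_stats(events, fields=("in_iface", "vlan")):
    """Per event_type: total records and how many lack each of `fields`."""
    stats = defaultdict(lambda: {"total": 0, "missing": {f: 0 for f in fields}})
    for ev in events:
        entry = stats[ev.get("event_type", "?")]
        entry["total"] += 1
        for field in fields:
            if field not in ev:
                entry["missing"][field] += 1
    return dict(stats)


def backfill_in_iface(events):
    """Copy in_iface onto records that lack it from another record with the
    same flow_id. Returns (patched_events, unresolved_flow_ids, conflicting_flow_ids).

    A flow_id seen with two different interfaces (duplicate traffic on both
    span ports) is kept on the first interface seen and reported as a conflict.
    """
    iface_by_flow, conflicts = {}, set()
    for ev in events:
        if "in_iface" in ev and "flow_id" in ev:
            known = iface_by_flow.setdefault(ev["flow_id"], ev["in_iface"])
            if known != ev["in_iface"]:
                conflicts.add(ev["flow_id"])
    patched, unresolved = [], set()
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's records
        if "in_iface" not in ev:
            iface = iface_by_flow.get(ev.get("flow_id"))
            if iface is None:
                unresolved.add(ev.get("flow_id"))
            else:
                ev["in_iface"] = iface
                ev["in_iface_backfilled"] = True  # hypothetical marker, not a Suricata field
        patched.append(ev)
    return patched, unresolved, conflicts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    for etype, entry in sorted(missing_field_stats(evs).items()):
        print(f"{etype:9s} total={entry['total']} missing={entry['missing']}")
    patched, unresolved, conflicts = backfill_in_iface(evs)
    print("unresolved flow_ids:", sorted(unresolved), "conflicts:", sorted(conflicts))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; the stats table shows immediately whether a given event_type ever carries in_iface, and the unresolved set is exactly the flows for which no record at all identifies the interface.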

#2

Updated by Rusty Wilson about 7 years ago

To clarify, none of the nearly 200 Million flow records that have been logged over the past 7 days from multiple clients include the in_iface field. Therefore I believe in_iface logging is either not working or not turned on for flows.

I have stopped short of digging into the source before posting this issue here. I am hoping that someone familiar with the eve.json output, or the flow reporting module can provide quick feedback, and perhaps ensure that this info is logged in the next stable version.

#3

Updated by Andreas Herz almost 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

Updated by marie g almost 7 years ago

I've experienced the missing in_iface as well as vlan in parts of my traffic as well. This is not related to flow timeout in my case. All log entries with the missing field are newly created sessions (used as a heartbeat) from and to different IPs.

I cleaned up one of the sessions observed through dumping traffic and appended this in the 'tcpdump_session.txt'.

The eve-json log entry for this session was missing its "in_iface" as well as "vlan" fields, although the entries prior to and following it were not.

I have attached the eve-json output missing fields in 'in_iface_missing.json', and a couple of "normal" log lines recorded in the same file at the same time in 'in_iface_ok.json'

I'm running suricata 3.2.2.

#5

Updated by Victor Julien about 5 years ago

  • Related to Bug #1324: vlan tag in eve.json added

#6

Updated by Victor Julien about 5 years ago

  • Target version changed from TBD to 5.0beta1

#7

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket

#8

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
