Bug #2057 (closed)
eve.json flow logs do not contain in_iface
Description
I am listing this as a bug rather than a feature, due to the importance of being able to source the interface from which traffic is captured.
I have a client with 2 monitoring interfaces and multiple vlans, many of which must traverse both mirrored (spanned) interfaces to communicate with internal servers, etc. The topology is anything but straightforward, and the amount of duplicate traffic is nothing short of overwhelming.
I have attempted to discern the sources of traffic and relate it to one of the interfaces in use. However, this is proving to be almost impossible to do without the ability to differentiate between each interface using flow records.
in_iface is logged in event type: dns, tls, http, fileinfo, alert, and ssh, but not always, which is curious by itself.
I have attached samples of each as well as the yaml.
Suricata version 3.1.3.
Updated by Victor Julien almost 8 years ago
This is likely related to stream end and/or flow timeout pseudo packets. For those the iface isn't available. Defrag packets could also be affected maybe.
Updated by Rusty Wilson almost 8 years ago
To clarify, none of the nearly 200 million flow records that have been logged over the past 7 days from multiple clients include the in_iface field. Therefore I believe in_iface logging is either not working or not turned on for flows.
I have stopped short of digging into the source before posting this issue here. I am hoping that someone familiar with the eve.json output, or the flow reporting module can provide quick feedback, and perhaps ensure that this info is logged in the next stable version.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by marie g over 7 years ago
- File in_iface_missing.json added
- File in_iface_ok.json added
- File tcpdump_session.txt added
I've experienced the missing in_iface as well as vlan in parts of my traffic as well. This is not related to flow timeout in my case. All log entries with missing fields are newly created sessions (used as a heartbeat) from and to different IPs.
I cleaned up one of the sessions observed through dumping traffic and appended this in the 'tcpdump_session.txt'.
The eve-json log entry for this session was missing its "in_iface" as well as "vlan" fields, even though the entries prior to and following it were not.
I have attached the eve-json output missing fields in 'in_iface_missing.json', and a couple of "normal" log lines recorded in the same file at the same time in 'in_iface_ok.json'
I'm running Suricata 3.2.2.
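Both reports above (flow records never carrying in_iface, and scattered records missing in_iface and vlan) are the kind of thing that is easiest to confirm with a quick audit of the eve.json file itself, per event_type, before anyone digs into the source. The script below is an added example written for this page; it is not Suricata code and not one of the attached files. It counts, per event_type, how many records lack each field, and lists the offending records with their flow "reason" so that a gap can be correlated with the timeout/shutdown hypothesis raised in the thread. The sample lines are constructed and assume the field names the ticket mentions (in_iface, vlan, event_type, flow.reason); the second flow record deliberately omits in_iface and vlan.

```python
import json
import sys
from collections import defaultdict

# Fields whose absence the ticket is about.
FIELDS = ("in_iface", "vlan")

# Constructed eve.json sample (NOT from the ticket's attachments). One flow
# record lacks in_iface and vlan, one alert lacks vlan, one line is garbage.
SAMPLE_EVE = """\
{"timestamp":"2017-02-01T10:00:00.000000+0000","event_type":"http","in_iface":"eth1","vlan":100,"src_ip":"10.0.0.5","dest_ip":"10.0.1.7"}
{"timestamp":"2017-02-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.1.7","flow":{"reason":"timeout"}}
{"timestamp":"2017-02-01T10:00:02.000000+0000","event_type":"flow","in_iface":"eth2","vlan":200,"src_ip":"10.0.0.9","dest_ip":"10.0.1.7","flow":{"reason":"shutdown"}}
{"timestamp":"2017-02-01T10:00:03.000000+0000","event_type":"alert","in_iface":"eth2","src_ip":"10.0.0.9","dest_ip":"10.0.1.7"}
not json at all
"""


def audit_eve(lines, fields=FIELDS):
    """Return (stats, skipped).

    stats maps event_type -> {"total": n, "missing": {field: count}}.
    skipped counts lines that are not valid JSON (eve.json is one object
    per line, so a truncated or partial line is simply skipped).
    """
    stats = defaultdict(lambda: {"total": 0, "missing": {f: 0 for f in fields}})
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        entry = stats[rec.get("event_type", "unknown")]
        entry["total"] += 1
        for f in fields:
            if f not in rec:
                entry["missing"][f] += 1
    return dict(stats), skipped


def missing_ratio(stats, event_type, field):
    """Fraction of records of event_type that lack field (0.0 if none seen)."""
    entry = stats.get(event_type)
    if not entry or entry["total"] == 0:
        return 0.0
    return entry["missing"][field] / entry["total"]


def records_missing(lines, field):
    """List (timestamp, event_type, flow reason) for records lacking field.

    The flow reason (timeout, shutdown, ...) is what you would compare against
    the pseudo-packet explanation given in the thread; it is None for
    non-flow records or when the field is absent.
    """
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if field in rec:
            continue
        reason = rec.get("flow", {}).get("reason") if isinstance(rec.get("flow"), dict) else None
        out.append((rec.get("timestamp"), rec.get("event_type", "unknown"), reason))
    return out


def report(lines, fields=FIELDS):
    """Human-readable summary; used when running the script directly."""
    stats, skipped = audit_eve(lines, fields)
    text = []
    for et in sorted(stats):
        parts = ", ".join(f"{f} missing {stats[et]['missing'][f]}" for f in fields)
        text.append(f"{et:10s} total {stats[et]['total']:6d}  {parts}")
    text.append(f"skipped non-JSON lines: {skipped}")
    return "\n".join(text)


if __name__ == "__main__":
    # Usage: python audit_eve.py /var/log/suricata/eve.json   (path is an example)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read().splitlines()
    else:
        src = SAMPLE_EVE.splitlines()
    print(report(src))
    for ts, et, reason in records_missing(src, "in_iface"):
        print(f"missing in_iface: {ts} {et} flow.reason={reason}")
```

Run it against a real eve.json and a 100% missing ratio for event_type "flow" confirms the first report (the field is never emitted for flows), whereas a small non-zero ratio concentrated on records with flow.reason "timeout" or "shutdown" fits the pseudo-packet explanation; a non-zero ratio on records with no such reason fits the second report.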
Updated by Victor Julien almost 6 years ago
- Related to Bug #1324: vlan tag in eve.json added
Updated by Victor Julien almost 6 years ago
- Target version changed from TBD to 5.0beta1
Updated by Victor Julien over 5 years ago
- Status changed from New to Closed