Bug #2452 (closed)
After some time log only alerts with linktype=12
Description
Looks like Suricata stops working correctly after some time.
I have a handmade log parser that receives eve-log via socket and stores logs.
It has a check for linktype 1, because I want to parse the Ethernet header and what it contains.
After start, Suricata and the parser work correctly (I used that combination for months).
But now I am stuck with a problem: after some time I don't get any alerts to store, because all of them have linktype 12.
I.e. I started Suricata ~10 hours ago, and for the last 3 hours it didn't catch normal alerts, but more than a hundred with linktype==12.
In the previous hours Suricata worked correctly and generated many alerts.
Attaching start logs with the -vvv flag.
Updated by Andreas Herz about 6 years ago
- Assignee set to OISF Dev
- Priority changed from High to Normal
- Target version set to TBD
Can you try the most recent version and also provide more details about your config/setup and how you start suricata (other parameters besides verbose)?
Updated by Anonymous about 6 years ago
Please close, false alert.
Something wrong on my part.
Updated by Eric Urban almost 6 years ago
I ran into a similar issue myself where a large amount of traffic was showing up in the eve logs with a linktype of 12, so I wanted to put some notes here since this was closed without comment by the submitter.
The cause in my case is that we were forwarding traffic to a test instance and didn't make sure to forward both directions of traffic. This caused Suricata to only see one side of things so almost all alerts had "packet_info":{"linktype":12}}. In addition to that, there was missing payload info from the alerts and they also were written 10 minutes after occurring. It seems likely the 10 minute delay can be explained by having a flow-timeout setting of 10 minutes.
I should also point out that a linktype of 12 means raw IP [1] [2].
Suricata appears to use a 12 in this case and has a comment in decode.h:
/* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
* Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
[1] https://github.com/OISF/suricata/blob/d5882372357e957fd38c658f012b5d5943c9923e/src/decode.h#L1049
[2] https://github.com/OISF/suricata/blob/d5882372357e957fd38c658f012b5d5943c9923e/src/decode.h#L1063
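The symptom Eric describes, a feed of alerts whose packet_info.linktype is 12 instead of 1, is something a log consumer like the submitter's parser can watch for rather than silently drop. The following is an added example written for this page, not code from the issue or from the Suricata project: a small Python script that reads eve.json lines, counts alerts per linktype and flags the feed when raw-IP alerts dominate, which is what a sensor seeing only one direction of forwarded traffic looks like. It goes slightly beyond the thread by also skipping malformed lines and non-alert events. The sample log lines are constructed; the payload_printable field in the sample assumes alert payload logging is enabled in the eve output, and the threshold and minimum-count values are illustrative.

```python
import json
from collections import Counter

# Linktype values as they appear in eve.json "packet_info".
LINKTYPE_ETHERNET = 1   # what the submitter's parser expects
LINKTYPE_RAW_IP = 12    # what Suricata reports for raw IP (see the decode.h links above)


def _alert_line(ts, src, dst, linktype, payload=None):
    """Build one constructed eve.json alert line (sample data, not from the issue)."""
    rec = {
        "timestamp": ts,
        "event_type": "alert",
        "src_ip": src,
        "dest_ip": dst,
        "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "TEST rule"},
        "packet_info": {"linktype": linktype},
    }
    if payload is not None:
        # assumes payload-printable logging is enabled in the eve alert output
        rec["payload_printable"] = payload
    return json.dumps(rec)


# Constructed sample log: one healthy Ethernet alert with payload, five one-sided
# raw-IP alerts without payload, a non-alert record and a malformed line.
SAMPLE_EVE_LINES = [
    _alert_line("2018-04-01T10:00:00.000000+0000", "10.0.0.5", "10.0.0.9",
                LINKTYPE_ETHERNET, payload="GET / HTTP/1.1"),
] + [
    _alert_line("2018-04-01T10:%02d:00.000000+0000" % i, "10.0.0.5", "10.0.0.9",
                LINKTYPE_RAW_IP)
    for i in range(1, 6)
] + [
    json.dumps({"timestamp": "2018-04-01T10:06:00.000000+0000", "event_type": "flow"}),
    "this is not json",  # a corrupt line must not abort the parser
]


def iter_alerts(lines):
    """Yield decoded alert records; skip blank, malformed and non-alert lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        yield rec


def linktype_counts(lines):
    """Count alerts per packet_info.linktype (key None when the field is absent)."""
    counts = Counter()
    for rec in iter_alerts(lines):
        counts[rec.get("packet_info", {}).get("linktype")] += 1
    return counts


def one_sided_capture_suspected(lines, threshold=0.5, minimum_alerts=5):
    """Return (suspected, raw_ip_ratio).

    A large share of raw-IP (linktype 12) alerts is the symptom Eric Urban
    describes when only one direction of traffic reaches the sensor. Below
    `minimum_alerts` the ratio is too noisy to act on, so nothing is flagged.
    Threshold and minimum are illustrative, not values from the issue.
    """
    counts = linktype_counts(lines)
    total = sum(counts.values())
    if total < minimum_alerts:
        return False, 0.0
    ratio = counts[LINKTYPE_RAW_IP] / total
    return ratio >= threshold, ratio


if __name__ == "__main__":
    suspected, ratio = one_sided_capture_suspected(SAMPLE_EVE_LINES)
    print("linktype counts:", dict(linktype_counts(SAMPLE_EVE_LINES)))
    print("raw-IP share: %.2f, one-sided capture suspected: %s" % (ratio, suspected))
```

Run against the sample, the script reports five raw-IP alerts against one Ethernet alert and flags the feed. In a real deployment the same ratio check can run periodically over the socket stream the submitter's parser already consumes, so a mirroring or forwarding misconfiguration shows up as an alert of its own instead of as a quiet drop in stored events.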