Bug #2452

closed

After some time log only alerts with linktype=12

Added by Anonymous about 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Looks like Suricata stops working correctly after some time.
I have a handmade log parser that receives eve-log via a socket and stores the logs.
It has a check for linktype 1, because I want to parse the Ethernet header and what it contains.

After start, Suricata and the parser work correctly (I used that combination for months).
But now I am stuck with the problem that after some time I don't get any alerts to store, because all of them have linktype 12.
I.e. I started Suricata ~10 hours ago, and for the last 3 hours it didn't catch normal alerts, but more than a hundred with linktype==12.
In the previous hours Suricata worked correctly and generated many alerts.
Attached are the start logs with the -vvv flag.


Files

MWC4h9GA.txt (21.2 KB) MWC4h9GA.txt start logs Anonymous, 02/28/2018 03:23 AM
Actions #1

Updated by Andreas Herz about 6 years ago

  • Assignee set to OISF Dev
  • Priority changed from High to Normal
  • Target version set to TBD

Can you try the most recent version and also provide more details about your config/setup and how you start suricata (other parameters besides verbose)?

Actions #2

Updated by Anonymous about 6 years ago

Please close, false alert.
Something wrong on my part.

Actions #3

Updated by Andreas Herz about 6 years ago

  • Status changed from New to Closed

Actions #4

Updated by Eric Urban almost 6 years ago

I ran into a similar issue myself where a large amount of traffic was showing up in the eve logs with a linktype of 12, so I wanted to put some notes here since this was closed without comment by the submitter.

The cause in my case is that we were forwarding traffic to a test instance and didn't make sure to forward both directions of traffic. This caused Suricata to only see one side of things so almost all alerts had "packet_info":{"linktype":12}}. In addition to that, there was missing payload info from the alerts and they also were written 10 minutes after occurring. It seems likely the 10 minute delay can be explained by having a flow-timeout setting of 10 minutes.

I should also point out that a linktype of 12 means raw IP [1] [2].

Suricata appears to use 12 in this case and has a comment in decode.h:
/* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
 * Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */

[1] https://github.com/OISF/suricata/blob/d5882372357e957fd38c658f012b5d5943c9923e/src/decode.h#L1049
[2] https://github.com/OISF/suricata/blob/d5882372357e957fd38c658f012b5d5943c9923e/src/decode.h#L1063
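
As an added example (not code from this report or from Suricata), here is a small EVE JSON checker in the spirit of the submitter's parser: it counts alert records per packet_info.linktype and notes how many of them carry no payload, so that a shift toward linktype 12 alerts without payload, the symptom described above, can be spotted before a parser that only accepts linktype 1 silently drops everything. The sample lines are constructed, as are the signature ids and addresses in them.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not taken from the attached start logs).
SAMPLE_EVE = """\
{"timestamp":"2018-02-28T03:10:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001},"packet_info":{"linktype":1},"payload_printable":"GET / HTTP/1.1"}
{"timestamp":"2018-02-28T03:10:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001},"packet_info":{"linktype":12}}
{"timestamp":"2018-02-28T03:10:03.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","alert":{"signature_id":1000002},"packet_info":{"linktype":12}}
{"timestamp":"2018-02-28T03:10:04.000000+0000","event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.9"}
"""


def summarize_alert_linktypes(lines):
    """Count alert records per packet_info.linktype and, per linktype,
    how many of them carry neither 'payload' nor 'payload_printable'.
    Linktype 1 is Ethernet, linktype 12 is raw IP (see decode.h above)."""
    counts = Counter()
    no_payload = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or partial line rather than abort
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are not of interest here
        lt = ev.get("packet_info", {}).get("linktype")
        counts[lt] += 1
        if not any(k in ev for k in ("payload", "payload_printable")):
            no_payload[lt] += 1
    return counts, no_payload


def suspect_one_sided_capture(counts, threshold=0.5):
    """Return True when at least `threshold` of the alerts are raw-IP
    (linktype 12) instead of Ethernet (linktype 1); in the comment above
    that ratio was the visible symptom of forwarding only one direction."""
    total = sum(counts.values())
    if total == 0:
        return False
    return counts.get(12, 0) / total >= threshold


if __name__ == "__main__":
    c, p = summarize_alert_linktypes(SAMPLE_EVE.splitlines())
    print("alerts per linktype:", dict(c))
    print("alerts without payload per linktype:", dict(p))
    print("one-sided capture suspected:", suspect_one_sided_capture(c))
```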

Actions #5

Updated by Victor Julien about 5 years ago

  • Target version deleted (TBD)