Support #3197
suricata dropping traffic on alert
Status: Closed
Description
I probably have something misconfigured, but suricata seems to drop traffic on alert when running inline.
fast.log
09/26/2019-20:54:36.968372 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59446 -> 151.101.148.204:80
09/26/2019-20:54:36.990844 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59448 -> 151.101.148.204:80
09/26/2019-20:55:07.022267 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59450 -> 151.101.148.204:80
09/26/2019-20:55:07.076369 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59452 -> 151.101.148.204:80
09/26/2019-20:55:37.076534 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59454 -> 151.101.148.204:80
09/26/2019-20:56:07.114465 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59458 -> 151.101.148.204:80
drop.log
09/26/2019-20:54:36.968372: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=254 TOS=0x00 TTL=64 ID=633 PROTO=TCP SPT=59446 DPT=80 SEQ=851603426 ACK=2847554061 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:54:36.990844: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=260 TOS=0x00 TTL=64 ID=25877 PROTO=TCP SPT=59448 DPT=80 SEQ=1538132105 ACK=905718895 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:07.022267: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=254 TOS=0x00 TTL=64 ID=58507 PROTO=TCP SPT=59450 DPT=80 SEQ=2942922343 ACK=886521798 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:07.076369: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=260 TOS=0x00 TTL=64 ID=9673 PROTO=TCP SPT=59452 DPT=80 SEQ=3067195188 ACK=693107189 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:37.076534: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=262 TOS=0x00 TTL=64 ID=26244 PROTO=TCP SPT=59454 DPT=80 SEQ=4164996812 ACK=343723356 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:56:07.114465: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=262 TOS=0x00 TTL=64 ID=58023 PROTO=TCP SPT=59458 DPT=80 SEQ=661661500 ACK=699528539 WINDOW=229 ACK PSH RES=0x00 URGP=0
Updated by Daniel Vein about 5 years ago
user@debian:/var/run/suricata$ sudo suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 --user suri --group suri -vvv
28/9/2019 -- 18:27:32 - <Notice> - This is Suricata version 4.1.2 RELEASE
28/9/2019 -- 18:27:32 - <Info> - CPUs/cores online: 8
28/9/2019 -- 18:27:32 - <Config> - luajit states preallocated: 128
28/9/2019 -- 18:27:32 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33812 and 'request-body-inspect-window' set to 4206 after randomization.
28/9/2019 -- 18:27:32 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 39426 and 'response-body-inspect-window' set to 16841 after randomization.
28/9/2019 -- 18:27:32 - <Config> - SMB stream depth: 0
28/9/2019 -- 18:27:32 - <Config> - Protocol detection and parser disabled for modbus protocol.
28/9/2019 -- 18:27:32 - <Config> - Protocol detection and parser disabled for enip protocol.
28/9/2019 -- 18:27:32 - <Config> - Protocol detection and parser disabled for DNP3.
28/9/2019 -- 18:27:32 - <Info> - NFQ running in standard ACCEPT/DROP mode
28/9/2019 -- 18:27:32 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/9/2019 -- 18:27:32 - <Config> - preallocated 1000 hosts of size 136
28/9/2019 -- 18:27:32 - <Config> - host memory usage: 398144 bytes, maximum: 33554432
28/9/2019 -- 18:27:32 - <Config> - Core dump size set to unlimited.
28/9/2019 -- 18:27:32 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/9/2019 -- 18:27:32 - <Config> - preallocated 65535 defrag trackers of size 160
28/9/2019 -- 18:27:32 - <Config> - defrag memory usage: 14155616 bytes, maximum: 33554432
28/9/2019 -- 18:27:32 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/9/2019 -- 18:27:32 - <Config> - stream "memcap": 67108864
28/9/2019 -- 18:27:32 - <Config> - stream "midstream" session pickups: disabled
28/9/2019 -- 18:27:32 - <Config> - stream "async-oneside": disabled
28/9/2019 -- 18:27:32 - <Config> - stream "checksum-validation": disabled
28/9/2019 -- 18:27:32 - <Config> - stream."inline": enabled
28/9/2019 -- 18:27:32 - <Config> - stream "bypass": disabled
28/9/2019 -- 18:27:32 - <Config> - stream "max-synack-queued": 5
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly "memcap": 268435456
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly "depth": 1048576
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly "toserver-chunk-size": 2434
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly "toclient-chunk-size": 2559
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly.raw: enabled
28/9/2019 -- 18:27:32 - <Config> - stream.reassembly "segment-prealloc": 2048
28/9/2019 -- 18:27:32 - <Info> - dropped the caps for main thread
28/9/2019 -- 18:27:32 - <Info> - fast output device (regular) initialized: fast.log
28/9/2019 -- 18:27:32 - <Info> - eve-log output device (regular) initialized: eve.json
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'alert'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'http'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'dns'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'tls'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'files'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'smtp'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'nfs'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'smb'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'tftp'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'ikev2'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'krb5'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'dhcp'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'ssh'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'stats'
28/9/2019 -- 18:27:32 - <Config> - enabling 'eve-log' module 'flow'
28/9/2019 -- 18:27:32 - <Info> - http-log output device (regular) initialized: http.log
28/9/2019 -- 18:27:32 - <Info> - stats output device (regular) initialized: stats.log
28/9/2019 -- 18:27:32 - <Info> - drop output device (regular) initialized: drop.log
28/9/2019 -- 18:27:32 - <Info> - file-log output device (regular) initialized: files-json.log
28/9/2019 -- 18:27:32 - <Config> - Delayed detect disabled
28/9/2019 -- 18:27:32 - <Config> - pattern matchers: MPM: hs, SPM: hs
28/9/2019 -- 18:27:32 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/9/2019 -- 18:27:32 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/9/2019 -- 18:27:32 - <Config> - prefilter engines: MPM
28/9/2019 -- 18:27:32 - <Config> - IP reputation disabled
28/9/2019 -- 18:27:32 - <Config> - Loading rule file: /var/lib/suricata/rules/suricata.rules
28/9/2019 -- 18:27:37 - <Info> - 1 rule files processed. 23665 rules successfully loaded, 0 rules failed
28/9/2019 -- 18:27:37 - <Info> - Threshold config parsed: 0 rule(s) found
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tcp-packet
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tcp-stream
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for udp-packet
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for other-ip
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_uri
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_request_line
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_client_body
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_response_line
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_header
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_header
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_header_names
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_header_names
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_accept
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_accept_enc
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_accept_lang
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_referer
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_connection
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_content_len
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_content_len
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_content_type
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_content_type
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_protocol
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_protocol
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_start
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_start
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_raw_header
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_raw_header
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_method
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_cookie
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_cookie
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_raw_uri
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_user_agent
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_host
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_raw_host
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_stat_msg
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for http_stat_code
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for dns_query
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tls_sni
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for tls_cert_fingerprint
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ja3_hash
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ja3_string
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for dce_stub_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for dce_stub_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for smb_named_pipe
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for smb_share
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ssh_protocol
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ssh_protocol
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ssh_software
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for ssh_software
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for file_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for file_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for file_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for file_data
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for krb5_cname
28/9/2019 -- 18:27:38 - <Perf> - using shared mpm ctx' for krb5_sname
28/9/2019 -- 18:27:38 - <Info> - 23669 signatures processed. 1243 are IP-only rules, 5115 are inspecting packet payload, 19452 inspect application layer, 0 are decoder event only
28/9/2019 -- 18:27:38 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/9/2019 -- 18:27:38 - <Perf> - TCP toserver: 76 port groups, 56 unique SGH's, 20 copies
28/9/2019 -- 18:27:38 - <Perf> - TCP toclient: 76 port groups, 45 unique SGH's, 31 copies
28/9/2019 -- 18:27:38 - <Perf> - UDP toserver: 76 port groups, 48 unique SGH's, 28 copies
28/9/2019 -- 18:27:38 - <Perf> - UDP toclient: 49 port groups, 27 unique SGH's, 22 copies
28/9/2019 -- 18:27:38 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/9/2019 -- 18:27:38 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/9/2019 -- 18:27:44 - <Perf> - Unique rule groups: 179
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toserver TCP packet": 37
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toclient TCP packet": 30
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toserver TCP stream": 45
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toclient TCP stream": 36
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toserver UDP packet": 48
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "toclient UDP packet": 26
28/9/2019 -- 18:27:44 - <Perf> - Builtin MPM "other IP packet": 2
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_uri": 6
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_client_body": 5
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_header": 8
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient http_header": 3
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_header_names": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_start": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_method": 3
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_user_agent": 5
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver http_host": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 2
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver ja3_hash": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toserver file_data": 1
28/9/2019 -- 18:27:44 - <Perf> - AppLayer MPM "toclient file_data": 6
28/9/2019 -- 18:27:52 - <Config> - AutoFP mode using "Hash" flow load balancer
28/9/2019 -- 18:27:52 - <Info> - binding this thread 0 to queue '0'
28/9/2019 -- 18:27:52 - <Info> - setting queue length to 4096
28/9/2019 -- 18:27:52 - <Info> - setting nfnl bufsize to 6144000
28/9/2019 -- 18:27:52 - <Info> - binding this thread 1 to queue '1'
28/9/2019 -- 18:27:52 - <Info> - setting queue length to 4096
28/9/2019 -- 18:27:52 - <Info> - setting nfnl bufsize to 6144000
28/9/2019 -- 18:27:52 - <Config> - using 1 flow manager threads
28/9/2019 -- 18:27:52 - <Config> - using 1 flow recycler threads
28/9/2019 -- 18:27:52 - <Info> - Using unix socket file '/var/run/suricata/custom.socket'
28/9/2019 -- 18:27:52 - <Notice> - all 12 packet processing threads, 4 management threads initialized, engine started.
Updated by Andreas Herz about 5 years ago
- Assignee set to Community Ticket
- Target version set to Support
How do you run suricata, and what does your config look like?
Also did you change the "alert" keyword to "drop" for those rules?
Updated by Daniel Vein about 5 years ago
- File suricata.yaml.txt suricata.yaml.txt added
I used drop.conf to change rules and tested that drop rules do drop and show [drop] in fast.log, but alert rules show [**] in fast.log and still show drops in drop.log. I did not change alert to drop for those rules.
Attached is my suricata.yaml. The only things I changed were the rules directory (to work with suricata-update instead of oinkmaster), where the pid file is located, and where the unix socket is located so I could drop privileges. FYI, I tested without dropping privileges and am still getting packets dropped when they should be alerting.
My systemd file:
[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://suricata-ids.org/docs/
[Service]
Type=forking
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libtcmalloc_minimal.so.4
#PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 --user suri --group suri -vvv
ExecReload=/usr/bin/suricatasc /var/run/suricata/custom.socket -c reload-rules ; /bin/kill -HUP $MAINPID
ExecStop=/usr/bin/suricatasc /var/run/suricata/custom.socket -c shutdown
ExecStopPost=/usr/bin/rm /var/run/suricata/suricata.pid
Restart=on-failure
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target
Updated by Daniel Vein about 5 years ago
I was able to figure it out. I had a rule set to drop, but it never triggered an alert.
alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Debian APT-GET"; content:"debian.org"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/debian-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000000;)
In the rule it says "noalert"; does that mean it will not show an alert? Or is it because this rule and ET rule 2013504 overlap, and only the ET rule triggered?
Thanks in advance, and you can close this ticket!
Updated by Andreas Herz about 5 years ago
- Status changed from New to Closed
Yes, that's expected behaviour. The 'noalert' means it won't show an alert, and it also won't drop.