Bug #3617

open

Missing icmp netflow

Added by Zsolt Nagy over 2 years ago. Updated over 2 years ago.

Status: New
Priority: Normal

Description

Dear support,

I use suricata version 4.1.3, and found a problem.

Suricata only sends netflow data from these types of icmp traffic:
icmp_type: 0
icmp_type: 8
icmp_type: 13

for example:

{"timestamp":"2020-04-07T14:11:58.002938+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xxx.xxx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":55,"max_ttl":55}}

{"timestamp":"2020-04-07T14:11:58.002958+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xx.xxx.xx.xxx","dest_ip":"xxx.xxx.xxx.xx","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":64,"max_ttl":64}}

{"timestamp":"2020-04-06T11:17:42.000871+0200","flow_id":693070074413057,"event_type":"netflow","src_ip":"xxx.xx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":13,"icmp_code":0,"netflow":{"pkts":2,"bytes":128,"start":"2020-04-06T11:17:11.000001+0200","end":"2020-04-06T11:17:11.000001+0200","age":0,"min_ttl":27,"max_ttl":41}}

This problem was only for IPv4 traffic.
We did not examine IPv6-icmp netflow data.
There is no problem with tcp and udp netflow data.

What could be the problem?

Regards,
Zsolt Nagy

Actions #1

Updated by Andreas Herz over 2 years ago

Can you try it with Suricata 5.0.x as well?
Also a pcap would be helpful so we can debug it on our side.

Actions #2

Updated by Zsolt Nagy over 2 years ago

Andreas Herz wrote in #note-1:

> Can you try it with Suricata 5.0.x as well?
> Also a pcap would be helpful so we can debug it on our side.

Dear Andreas,

I also tried Suricata version 5.0.2, but the same problem occurs.
During the tests, we generated icmp_type 0, 3, 8, 11, and 13 traffic.

But suricata only sends netflow data from these types of icmp traffic:
icmp_type: 0
icmp_type: 8
icmp_type: 13

I would like an email address where I can send the pcap.

Actions #3

Updated by Andreas Herz over 2 years ago

or upload it here if possible

Actions #4

Updated by Zsolt Nagy over 2 years ago

Andreas Herz wrote in #note-3:

> or upload it here if possible

Dear Andreas,

I emailed the pcap file.

Regards,
Zsolt Nagy

Actions #5

Updated by Andreas Herz over 2 years ago

  • Tracker changed from Support to Bug
  • Assignee set to OISF Dev
  • Target version set to TBD
  • Affected Versions 5.0.3 added
  • Affected Versions deleted (4.1.5)

I can confirm that with 5.0.3 and your pcap. Although I don't even see type 13 in netflow, only 8 and 0. It's even less on flow where it's only type 8.
I don't find type 13 in the pcap either.

If you run a rule with keyword itype:3 or itype:11 the alerts trigger, so the pcap is fine and parsed correctly.

So the question is if it's intended to not output those types or a bug. We will look into this.
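
A way to check for this gap in your own EVE output, as an added example that is not part of the ticket or of Suricata: it sums packets per icmp_type over IPv4 netflow records, lists which of the types generated in the test (0, 3, 8, 11, 13) never appear, and notes any of those that do show up in other event types such as alerts. The sample lines are constructed, and the presence of `icmp_type` on alert events is an assumption of the sample.

```python
import json
from collections import Counter

# Constructed sample EVE lines (documentation-range addresses, not data from the ticket).
# The last line is deliberately truncated, as happens when a log is read mid-write.
SAMPLE_EVE = """\
{"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64}}
{"event_type":"netflow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64}}
{"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","proto":"ICMP","icmp_type":13,"icmp_code":0,"netflow":{"pkts":2,"bytes":128}}
{"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","src_port":40000,"dest_port":443,"netflow":{"pkts":5,"bytes":400}}
{"event_type":"alert","src_ip":"198.51.100.1","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":3,"icmp_code":1,"alert":{"signature":"constructed itype:3 rule"}}
{"event_type":"netflow","proto":"ICMP","icmp_ty
"""

def icmp_coverage(lines, expected_types):
    """Compare ICMP types seen in netflow records against the types that were sent."""
    netflow_pkts = Counter()  # icmp_type -> packets summed over netflow records
    other_events = {}         # icmp_type -> set of non-netflow event types
    skipped = 0               # lines that were not valid JSON objects
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(ev, dict):
            skipped += 1
            continue
        # IPv4 ICMP only, matching the scope of the report.
        if ev.get("proto") != "ICMP" or "icmp_type" not in ev:
            continue
        itype = ev["icmp_type"]
        if ev.get("event_type") == "netflow":
            netflow_pkts[itype] += ev.get("netflow", {}).get("pkts", 0)
        else:
            other_events.setdefault(itype, set()).add(ev.get("event_type"))
    missing = sorted(set(expected_types) - set(netflow_pkts))
    return {
        "netflow_pkts": dict(netflow_pkts),
        "missing": missing,
        "missing_but_seen_in": {t: sorted(other_events[t]) for t in missing if t in other_events},
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    print(json.dumps(icmp_coverage(SAMPLE_EVE.splitlines(), [0, 3, 8, 11, 13]), indent=2))
```

To run it on real output, pass an open `eve.json` file object as `lines`.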
