Bug #3617

open

Missing icmp netflow

Added by Zsolt Nagy over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Dear support,

I use Suricata version 4.1.3 and found a problem.

Suricata only sends netflow data for these types of ICMP traffic:
icmp_type: 0
icmp_type: 8
icmp_type: 13

for example:

{"timestamp":"2020-04-07T14:11:58.002938+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xxx.xxx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":55,"max_ttl":55}}

{"timestamp":"2020-04-07T14:11:58.002958+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xx.xxx.xx.xxx","dest_ip":"xxx.xxx.xxx.xx","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":64,"max_ttl":64}}

{"timestamp":"2020-04-06T11:17:42.000871+0200","flow_id":693070074413057,"event_type":"netflow","src_ip":"xxx.xx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":13,"icmp_code":0,"netflow":{"pkts":2,"bytes":128,"start":"2020-04-06T11:17:11.000001+0200","end":"2020-04-06T11:17:11.000001+0200","age":0,"min_ttl":27,"max_ttl":41}}

This problem was only for IPv4 traffic.
We did not examine IPv6-ICMP netflow data.
There is no problem with TCP and UDP netflow data.

What could be the problem?

Regards,
Zsolt Nagy
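A check a defender can run to reproduce the observation above: parse eve.json, tally the netflow records per ICMP type, and compare the set of types that appear against the set of types known to have been on the wire during a test. This is an added example, not part of the report or of Suricata; the sample records are constructed from the three in the report (IP addresses replaced with documentation ranges, one TCP record added for contrast), the expected-type set is an assumption, and the ICMPv6 protocol label "IPv6-ICMP" is assumed to match Suricata's naming.

```python
import json
from collections import defaultdict

# Constructed eve.json lines modelled on the report's records (documentation IPs,
# plus one constructed TCP netflow record that the ICMP summary must ignore).
SAMPLE_EVE = r'''
{"timestamp":"2020-04-07T14:11:58.002938+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":55,"max_ttl":55}}
{"timestamp":"2020-04-07T14:11:58.002958+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"198.51.100.20","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":64,"max_ttl":64}}
{"timestamp":"2020-04-06T11:17:42.000871+0200","flow_id":693070074413057,"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"ICMP","icmp_type":13,"icmp_code":0,"netflow":{"pkts":2,"bytes":128,"start":"2020-04-06T11:17:11.000001+0200","end":"2020-04-06T11:17:11.000001+0200","age":0,"min_ttl":27,"max_ttl":41}}
{"timestamp":"2020-04-07T14:12:00.000000+0200","flow_id":1,"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"TCP","src_port":40000,"dest_port":443,"netflow":{"pkts":3,"bytes":200,"start":"2020-04-07T14:11:00.000001+0200","end":"2020-04-07T14:11:01.000001+0200","age":1,"min_ttl":64,"max_ttl":64}}
'''


def icmp_netflow_summary(lines):
    """Return {proto: {icmp_type: {"flows", "pkts", "bytes"}}} for ICMP/ICMPv6 netflow events."""
    summary = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0}))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json may end with a partially written line
        # "IPv6-ICMP" is the assumed label for ICMPv6 records
        if ev.get("event_type") != "netflow" or ev.get("proto") not in ("ICMP", "IPv6-ICMP"):
            continue
        entry = summary[ev["proto"]][ev.get("icmp_type")]
        entry["flows"] += 1
        entry["pkts"] += ev["netflow"]["pkts"]
        entry["bytes"] += ev["netflow"]["bytes"]
    return summary


def missing_icmp_types(summary, proto, expected_types):
    """ICMP types that were sent on the wire (expected_types) but never appear in netflow output."""
    return sorted(set(expected_types) - set(summary.get(proto, {})))


if __name__ == "__main__":
    seen = icmp_netflow_summary(SAMPLE_EVE.splitlines())
    for proto, by_type in seen.items():
        for icmp_type, stats in sorted(by_type.items()):
            print(f"{proto} type {icmp_type}: {stats}")
    # Assumed test traffic: echo, timestamp, plus type 3 and 11 errors generated by a traceroute.
    print("types absent from netflow:", missing_icmp_types(seen, "ICMP", {0, 3, 8, 11, 13}))
```

Run it against the real eve.json (`icmp_netflow_summary(open("eve.json"))`) after generating known ICMP traffic; any type listed as absent is one the sensor saw but never reported as a flow.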
