Support #3811

closed

eni monitoring

Added by Punith Raya over 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Beginner

Description

I have configured my suricata.yaml file as below:
-----------------------
address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
#HOME_NET: "[192.168.0.0/16]"
#HOME_NET: "[13.58.207.139/32]"
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
-----------------------

My interface (eni-xxxx) private IP is 172.31.xx.xx, but still I couldn't capture any events in the eve.json file; I could see only the Suricata-installed server's own traffic in the eve.json file.

Do I need to configure anything else in order to get the (eni-xxxx) private IP traffic?

Actions #1

Updated by Punith Raya over 3 years ago

Can I have any update on this please?

Actions #2

Updated by Andreas Herz over 3 years ago

Please be patient, we don't have 24/7 support.

We also need more information about your setup, how do you run Suricata and how is it configured exactly?

The HOME_NET setting is relevant for rules/signatures. You should see at least the flow events in the eve.json output.

Actions #3

Updated by Punith Raya over 3 years ago

Hello Andreas,

Sorry for the inconvenience.

In AWS, I have installed Suricata on CentOS and am able to capture all events of that server.
Now I want to get the other Windows server's events to the Suricata server (CentOS).

Our plan is to get all the server events to one centralized server (CentOS) and monitor the events there using EveBox.

Actions #4

Updated by Andreas Herz over 3 years ago

So those machines are in your VPC, did you check with tcpdump if the traffic mirroring is working and you can see the traffic on the interface on the CentOS instance?

You should update Suricata at least to 4.1.8 but better to 5.0.x since there have been fixes to VXLAN support.

Actions #5

Updated by Punith Raya over 3 years ago

Suricata version is 4.1.8.
Yes, all the machines are in the same VPC. Below are the tcpdump results of both the CentOS and Windows machines, and the traffic on the interface.

tcpdump results:
---------------------------
CentOS:

[root@ip-172-xx-xx-10 suricata]# sudo tcpdump -i any -c5 -nn host 172.xx.xx.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
02:18:20.649195 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 3556936392:3556936520, ack 241706xx61, win 323, length xx
02:18:20.649330 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq xx:272, ack 1, win 323, length 144
02:18:20.652822 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 272:xx4, ack 1, win 323, length 192
02:18:20.652908 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq xx4:640, ack 1, win 323, length 176
02:18:20.652985 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 640:816, ack 1, win 323, length 176
5 packets captured
7 packets received by filter
0 packets dropped by kernel
----------------------------------

Windows machine:
[root@ip-172-xx-xx-10 suricata]# sudo tcpdump -i any -c5 -nn host 172.xx.20.143
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter


Traffic on the interface (only CentOS traffic captured):
Device eth0 [172.xx.xx.10] (1/1): ===================================================
Incoming:
Curr: xx2.00 Bit/s
Avg: 784.00 Bit/s
Min: xx2.00 Bit/s
Max: 2.86 kBit/s
Ttl: 44.07 MByte
Outgoing:
Curr: 9.xx kBit/s
Avg: 9.55 kBit/s
Min: 7.04 kBit/s
Max: 13.97 kBit/s
Ttl: 662.21 kByte
--------------------------------------------------------------------------------------------------------------------

Looks like none of the Windows packets were captured on CentOS. Do we need to configure any other things even though all the machines are in the same VPC?

Actions #6

Updated by Peter Manev over 3 years ago

Can you try increasing the default packet size -
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1028 ?
Would it make any diff?
Definitely recommend 5.0.+ as Andreas was mentioning.

Actions #7

Updated by Punith Raya over 3 years ago

Hello Peter/Andreas,

I increased the packet size but no luck, then I installed suricata-5.0.0 as per the documentation steps: https://suricata.readthedocs.io/en/suricata-5.0.0/install.html

After installation (make install), I am getting the below error:
---------------
[root@ip-172-xx-xx-151 suricata-5.0.0]# suricata -V
suricata: error while loading shared libraries: libhtp.so.2: cannot open shared object file: No such file or directory
-------------

Actions #8

Updated by Punith Raya over 3 years ago

The above error got fixed; ignore my previous comment.
I am configuring further, please keep this ticket open.

Actions #9

Updated by Punith Raya over 3 years ago

I have installed suricata-5.0.3 but still I can see only the Suricata-installed server's flow logs in the eve.json file.
No logs are captured from other servers in the same VPC; is any other configuration needed?
--------------------

tcpdump:

Suricata-installed server:
root@ip-xx2-xx-xx-238:/var/log/suricata# sudo tcpdump -i any -c5 -nn host xx2.xx.xx.238
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
06:32:57.245733 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 3751230693:3751230901, ack 400876600, win 1082, length 208
06:32:57.246387 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 208:400, ack 1, win 1082, length 192
06:32:57.246471 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 400:576, ack 1, win 1082, length xx6
06:32:57.246546 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 576:752, ack 1, win 1082, length xx6
06:32:57.246625 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 752:928, ack 1, win 1082, length xx6
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Other server in the same VPC:
root@ip-xx2-xx-xx-238:/var/log/suricata# sudo tcpdump -i any -c5 -nn host xx2.xx.4.149
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
--------------------

Device docker0 [xx2.xx.xx.1] (1/3): =============================================================================================================================================================
Incoming:
Curr: 0.00 Bit/s
Avg: 0.00 Bit/s
Min: 0.00 Bit/s
Max: 0.00 Bit/s
Ttl: 0.00 Byte

Outgoing:
Curr: 0.00 Bit/s
Avg: 0.00 Bit/s
Min: 0.00 Bit/s
Max: 0.00 Bit/s
Ttl: 0.00 Byte


Actions #10

Updated by Punith Raya over 3 years ago

Device eth0 [172.xx.xx.238] (1/1): =============================================================================================================================================================
Incoming:
Curr: 632.00 Bit/s
Avg: 840.00 Bit/s
Min: 312.00 Bit/s
Max: 2.80 kBit/s
Ttl: 294.72 MByte
Outgoing:
Curr: 9.31 kBit/s
Avg: 9.35 kBit/s
Min: 6.01 kBit/s
Max: 10.53 kBit/s
Ttl: 4.13 MByte

Actions #11

Updated by Andreas Herz over 3 years ago

Without knowing how you configured the traffic mirror functionality for that interface?

Is there traffic you expect to see on the interface and did you check if it's seen via tcpdump?

Try to capture that traffic with a pcap and run Suricata against the pcap to see if you get logs there. With that example we can narrow down whether it's related to AWS, the capture, or the Suricata configuration.
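The two checks suggested in this thread (Andreas: confirm with tcpdump/pcap that mirrored traffic reaches the sensor ENI at all; Peter: raise the default packet size, which matters because AWS Traffic Mirroring delivers packets VXLAN-encapsulated on UDP/4789 with 50 bytes of extra headers) can be done by hand on a captured frame. The following is an added example, not code from the ticket or from Suricata: it decapsulates one VXLAN frame and reports whether it carries another host's traffic or just the sensor's own. The addresses 10.0.1.x, VNI 1234 and the sample packet are constructed for the example.

```python
import socket
import struct

VXLAN_PORT = 4789                  # UDP port used by AWS Traffic Mirroring (RFC 7348 VXLAN)
VXLAN_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN = 50 extra bytes per packet

def parse_vxlan_frame(frame: bytes):
    """Return outer endpoints, VNI and inner IPv4 endpoints of a VXLAN-over-IPv4 frame,
    or None if it is not VXLAN (not IPv4/UDP, wrong port, or VXLAN I flag unset)."""
    if len(frame) < VXLAN_OVERHEAD + 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                              # too short / not outer IPv4 / not UDP
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the outer IHL
    if struct.unpack_from("!H", frame, udp + 2)[0] != VXLAN_PORT:
        return None
    vx = udp + 8
    if len(frame) < vx + 42 or not frame[vx] & 0x08 or frame[vx + 20:vx + 22] != b"\x08\x00":
        return None                              # truncated / I flag unset / inner frame not IPv4
    ip = vx + 22                                 # inner IPv4 header after the inner Ethernet header
    return {
        "outer_src": socket.inet_ntoa(frame[26:30]),
        "outer_dst": socket.inet_ntoa(frame[30:34]),
        "vni": int.from_bytes(frame[vx + 4:vx + 7], "big"),
        "inner_src": socket.inet_ntoa(frame[ip + 12:ip + 16]),
        "inner_dst": socket.inet_ntoa(frame[ip + 16:ip + 20]),
    }

def ipv4_header(src, dst, proto, payload_len):
    # Constructed header for the sample only; checksum stays 0 because nothing is sent.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample_frame():
    """Constructed sample: TCP SYN 10.0.1.10 -> 10.0.1.20:22, mirrored to the sensor at 10.0.1.5."""
    tcp = struct.pack("!HHIIBBHHH", 51515, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
    inner = bytes(12) + b"\x08\x00" + ipv4_header("10.0.1.10", "10.0.1.20", 6, len(tcp)) + tcp
    vxlan = bytes([0x08, 0, 0, 0]) + (1234).to_bytes(3, "big") + b"\x00"   # I flag set, VNI 1234
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    outer = ipv4_header("10.0.1.10", "10.0.1.5", 17, len(udp) + len(vxlan) + len(inner))
    return bytes(12) + b"\x08\x00" + outer + udp + vxlan + inner

def check_mirror_frame(frame: bytes, sensor_ip: str):
    """Triage one frame sniffed on the sensor ENI: mirrored traffic, or the sensor's own?"""
    info = parse_vxlan_frame(frame)
    if info is None:
        return "not VXLAN: the sensor's own traffic, the mirror session is not delivering"
    if sensor_ip in (info["inner_src"], info["inner_dst"]):
        return "VXLAN, but the inner packet is the sensor's own traffic"
    return "VXLAN VNI %d carries %s -> %s in a %d-byte frame (%d bytes are encapsulation)" % (
        info["vni"], info["inner_src"], info["inner_dst"], len(frame), VXLAN_OVERHEAD)
```

On the sensor itself, `tcpdump -nn udp port 4789` matches mirrored frames regardless of the inner addresses, which is a more direct check than filtering on the mirrored host's IP as done in the captures above.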

Actions #12

Updated by Andreas Herz about 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
