Support #3811
eni monitoring (Status: Closed)
Added by Punith Raya almost 5 years ago. Updated over 3 years ago.
Description
I have configured my suricata.yaml file as below:
-----------------------
address-groups:
  HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
  #HOME_NET: "[192.168.0.0/16]"
  #HOME_NET: "[13.58.207.139/32]"
  #HOME_NET: "[172.16.0.0/12]"
  #HOME_NET: "any"
-----------------------
My interface (eni-xxxx) private IP is 172.31.xx.xx, but I still couldn't capture any events in the eve.json file; I could see only the traffic of the server Suricata is installed on in eve.json.
Do I need to configure anything else in order to get the (eni-xxxx) private IP traffic?
Updated by Andreas Herz almost 5 years ago
Please be patient, we don't have 24/7 support.
We also need more information about your setup, how do you run Suricata and how is it configured exactly?
The HOME_NET setting is relevant for rules/signatures. You should see at least the flow events in the eve.json output.
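As an added illustration of the two points above (HOME_NET only scopes rules, and flow events should appear for every conversation the sensor sees), the following Python script is not part of the ticket or of Suricata. It parses a HOME_NET address-group string, reads eve.json lines, and reports whether every flow involves the sensor's own address, which is exactly the symptom described in the ticket. The eve.json lines and all addresses are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json lines (not taken from the ticket). Each line is one JSON event.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-06-01T02:18:20.649195+0000","event_type":"flow","src_ip":"172.31.0.10","src_port":22,"dest_ip":"203.0.113.21","dest_port":58437,"proto":"TCP"}',
    '{"timestamp":"2020-06-01T02:18:21.000000+0000","event_type":"flow","src_ip":"203.0.113.21","src_port":58438,"dest_ip":"172.31.0.10","dest_port":22,"proto":"TCP"}',
    '{"timestamp":"2020-06-01T02:18:22.000000+0000","event_type":"stats","stats":{"uptime":10}}',
    '{"timestamp":"2020-06-01T02:18:23.000000+0000","event_type":"flow","src_ip":"172.31.0.10","src_port":53111,"dest_ip":"172.31.0.2","dest_port":53,"proto":"UDP"}',
    'this line is not JSON and must be skipped',
]


def parse_home_net(value):
    """Turn a suricata.yaml address-group string such as
    "[192.168.0.0/16,10.0.0.0/8]" or "any" into ip_network objects."""
    value = value.strip()
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    value = value.strip("[]")
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def in_home_net(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def flow_events(lines):
    """Yield only event_type=flow records; skip anything that is not valid JSON."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may contain a partially written last line
        if event.get("event_type") == "flow":
            yield event


def endpoint_counts(lines):
    counts = Counter()
    for ev in flow_events(lines):
        counts[ev["src_ip"]] += 1
        counts[ev["dest_ip"]] += 1
    return counts


def flows_not_involving(lines, sensor_ip):
    """Flows where neither endpoint is the sensor's own address. If mirroring
    works, these are the flows that must show up; if this list is empty,
    Suricata is only seeing the sensor's own traffic."""
    return [ev for ev in flow_events(lines)
            if sensor_ip not in (ev["src_ip"], ev["dest_ip"])]


def report(lines, sensor_ip, home_net):
    nets = parse_home_net(home_net)
    counts = endpoint_counts(lines)
    mirrored = flows_not_involving(lines, sensor_ip)
    return {
        "endpoints": dict(counts),
        "home_net_endpoints": sorted(ip for ip in counts if in_home_net(ip, nets)),
        "mirrored_flow_count": len(mirrored),
        "sensor_only": len(mirrored) == 0,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(report(SAMPLE_EVE_LINES, "172.31.0.10",
                         "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"))
```

Against a real sensor, feed it `open("/var/log/suricata/eve.json")` and the sensor's private IP; a `sensor_only` result of true while other instances are supposedly mirrored points at the capture path (mirror session, VXLAN arrival on the interface), not at HOME_NET.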
Updated by Punith Raya almost 5 years ago
Hello Andreas,
Sorry for the inconvenience.
In AWS, I have installed Suricata on CentOS and am able to capture all events of that server.
Now I want to get the events of other Windows servers into the Suricata server (CentOS).
Our plan is to get all the server events onto one centralized server (CentOS) and monitor the events there using EveBox.
Updated by Andreas Herz almost 5 years ago
So those machines are in your VPC, did you check with tcpdump if the traffic mirroring is working and you can see the traffic on the interface on the CentOS instance?
You should update Suricata at least to 4.1.8 but better to 5.0.x since there have been fixes to VXLAN support.
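The mirroring and VXLAN points above are worth seeing in bytes. The following Python script is an added example, not code from the ticket or from Suricata: it builds a constructed VXLAN-encapsulated frame of the kind a traffic mirror delivers (an inner Ethernet/IPv4/TCP packet wrapped in UDP/4789), decodes it the way Suricata's VXLAN decoder must, and shows why a plain `tcpdump host <inner IP>` check can report zero packets even when mirrored traffic is arriving: a BPF `host` filter is evaluated against the outermost IP header only. All MACs, IPs and the VNI are constructed; the outer source address is just a placeholder, not a statement about what AWS puts there.

```python
import ipaddress
import struct

VXLAN_PORT = 4789
ETH_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Constructed addresses for the sample (not from the ticket).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")


def _ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_vxlan_frame(outer_src, outer_dst, vni, inner_frame):
    # VXLAN header: flags (0x08 = VNI valid), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_payload = vxlan_hdr + inner_frame
    udp_hdr = struct.pack("!HHHH", 50000, VXLAN_PORT, 8 + len(udp_payload), 0)  # checksum 0 = none
    return build_ethernet(MAC_A, MAC_B, ETH_IPV4,
                          build_ipv4(outer_src, outer_dst, IPPROTO_UDP, udp_hdr + udp_payload))


def parse_ethernet(frame):
    return struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_ipv4(data):
    ihl = (data[0] & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(data[12:16])),
            "dst": str(ipaddress.ip_address(data[16:20])),
            "proto": data[9]}, data[ihl:]


def decode_frame(frame):
    """Outer IP summary plus, when the packet is VXLAN on UDP/4789, the VNI and inner IP summary."""
    result = {"outer": None, "vni": None, "inner": None}
    ethertype, l3 = parse_ethernet(frame)
    if ethertype != ETH_IPV4:
        return result
    outer, l4 = parse_ipv4(l3)
    result["outer"] = outer
    if outer["proto"] != IPPROTO_UDP or len(l4) < 16:
        return result
    _sport, dport, _ulen = struct.unpack("!HHH", l4[:6])
    if dport != VXLAN_PORT or not (l4[8] & 0x08):
        return result
    result["vni"] = int.from_bytes(l4[12:15], "big")
    inner_type, inner_l3 = parse_ethernet(l4[16:])
    if inner_type == ETH_IPV4:
        result["inner"], _ = parse_ipv4(inner_l3)
    return result


def bpf_host_matches(frame, host):
    """Approximation of what 'tcpdump host X' evaluates: the outermost IP header only."""
    outer = decode_frame(frame)["outer"]
    return outer is not None and host in (outer["src"], outer["dst"])


def is_vxlan(frame):
    """Approximation of what 'tcpdump udp port 4789' selects (plus the VNI-valid flag)."""
    return decode_frame(frame)["vni"] is not None


# Constructed sample: a SYN from a monitored instance to an external peer, mirrored to the sensor.
INNER = build_ethernet(MAC_A, MAC_B, ETH_IPV4, build_ipv4(
    "172.31.20.143", "203.0.113.21", IPPROTO_TCP,
    struct.pack("!HHIIBBHHH", 50123, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)))
SAMPLE_FRAME = build_vxlan_frame("172.31.99.1", "172.31.0.10", 100, INNER)

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
    print("host 172.31.20.143 matches:", bpf_host_matches(SAMPLE_FRAME, "172.31.20.143"))
    print("udp port 4789 matches:", is_vxlan(SAMPLE_FRAME))
```

The practical check this implies: on the sensor, `tcpdump -i eth0 -nn udp port 4789` tells you whether mirrored frames reach the interface at all, independent of the inner addresses; if they do, `tcpdump -i eth0 -w mirror.pcap udp port 4789` followed by `suricata -r mirror.pcap` separates a capture problem from a decoder or configuration problem, which is the narrowing-down step Andreas suggests later in the thread.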
Updated by Punith Raya almost 5 years ago
Suricata version is 4.1.8:
Yes, all the machines are in the same VPC. Below are the tcpdump results for both the CentOS and Windows machines, and the traffic on the interface.
TCP Dump Results:
---------------------------
Cent OS:
[root@ip-172-xx-xx-10 suricata]# sudo tcpdump -i any -c5 -nn host 172.xx.xx.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
02:18:20.649195 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 3556936392:3556936520, ack 241706xx61, win 323, length xx
02:18:20.649330 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq xx:272, ack 1, win 323, length 144
02:18:20.652822 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 272:xx4, ack 1, win 323, length 192
02:18:20.652908 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq xx4:640, ack 1, win 323, length 176
02:18:20.652985 IP 172.xx.xx.10.22 > 205.xx.xx.21.58437: Flags [P.], seq 640:816, ack 1, win 323, length 176
5 packets captured
7 packets received by filter
0 packets dropped by kernel
----------------------------------
Windows machine:
[root@ip-172-xx-xx-10 suricata]# sudo tcpdump -i any -c5 -nn host 172.xx.20.143
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
Traffic on the Interface:(Only centos traffic captured)
Device eth0 [172.xx.xx.10] (1/1):
===================================================
Incoming:
Curr: xx2.00 Bit/s
Avg: 784.00 Bit/s
Min: xx2.00 Bit/s
Max: 2.86 kBit/s
Ttl: 44.07 MByte
Outgoing:
Curr: 9.xx kBit/s
Avg: 9.55 kBit/s
Min: 7.04 kBit/s
Max: 13.97 kBit/s
Ttl: 662.21 kByte
--------------------------------------------------------------------------------------------------------------------
Looks like none of the Windows packets are captured on CentOS. Do we need to configure anything else, even though all the machines are in the same VPC?
Updated by Peter Manev almost 5 years ago
Can you try increasing the default packet size -
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1028 ?
Would it make any diff?
Definitely recommend 5.0.+ as Andreas was mentioning.
Updated by Punith Raya almost 5 years ago
Hello Peter/Andreas,
I increased the packet size but had no luck, so I installed suricata-5.0.0 as per the documentation steps: https://suricata.readthedocs.io/en/suricata-5.0.0/install.html
After installation (make install), I am getting the error below:
---------------
[root@ip-172-xx-xx-151 suricata-5.0.0]# suricata -V
suricata: error while loading shared libraries: libhtp.so.2: cannot open shared object file: No such file or directory
-------------
Updated by Punith Raya almost 5 years ago
The above error got fixed; ignore my previous comment.
I am configuring further, please keep this ticket open.
Updated by Punith Raya almost 5 years ago
I have installed suricata-5.0.3, but I can still see only the flow logs of the server Suricata is installed on in the eve.json file.
No logs are captured from other servers in the same VPC. Is any other configuration needed?
--------------------
TCPDump:
Suricata installed server:
root@ip-xx2-xx-xx-238:/var/log/suricata# sudo tcpdump -i any -c5 -nn host xx2.xx.xx.238
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
06:32:57.245733 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 3751230693:3751230901, ack 400876600, win 1082, length 208
06:32:57.246387 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 208:400, ack 1, win 1082, length 192
06:32:57.246471 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 400:576, ack 1, win 1082, length xx6
06:32:57.246546 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 576:752, ack 1, win 1082, length xx6
06:32:57.246625 IP xx2.xx.xx.238.22 > 205.182.128.21.64647: Flags [P.], seq 752:928, ack 1, win 1082, length xx6
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Other server in same VPC :
root@ip-xx2-xx-xx-238:/var/log/suricata# sudo tcpdump -i any -c5 -nn host xx2.xx.4.149
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
--------------------
Device docker0 [xx2.xx.xx.1] (1/3):
=============================================================================================================================================================
Incoming:
Curr: 0.00 Bit/s
Avg: 0.00 Bit/s
Min: 0.00 Bit/s
Max: 0.00 Bit/s
Ttl: 0.00 Byte
Outgoing:
Curr: 0.00 Bit/s
Avg: 0.00 Bit/s
Min: 0.00 Bit/s
Max: 0.00 Bit/s
Ttl: 0.00 Byte
Updated by Punith Raya almost 5 years ago
Device eth0 [172.xx.xx.238] (1/1):
=============================================================================================================================================================
Incoming:
Curr: 632.00 Bit/s
Avg: 840.00 Bit/s
Min: 312.00 Bit/s
Max: 2.80 kBit/s
Ttl: 294.72 MByte
Outgoing:
Curr: 9.31 kBit/s
Avg: 9.35 kBit/s
Min: 6.01 kBit/s
Max: 10.53 kBit/s
Ttl: 4.13 MByte
Updated by Andreas Herz almost 5 years ago
Without knowing how you configured the traffic mirror functionality for that interface?
Is there traffic you expect to see on the interface and did you check if it's seen via tcpdump?
Try to capture that traffic with a pcap and run Suricata against the pcap to see if you get logs there. With that example we can narrow down if it's related to AWS, the capture or the Suricata configuration.
Updated by Andreas Herz over 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs