<div dir="ltr">Hi All,<div><br></div><div>I am trying to enable the netflow module for logging one-way flows in Suricata.</div><div><br></div><div>I have done this config:
<pre style="font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;margin-right:1em;margin-left:1.6em;padding:8px;border:1px solid rgb(226,226,226);width:auto;color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">- eve-log:
    enabled: yes
    type: file #file|syslog|unix_dgram|unix_stream
    filename: eve.json
    # the following are valid when type: syslog above
    #identity: "suricata"
    #facility: local5
    #level: Info ## possible levels: Emergency, Alert, Critical,
                 ## Error, Warning, Notice, Info, Debug
    types:
      - alert
      #- http:
      #    extended: yes # enable this for extended logging information
      #    # custom allows additional http fields to be included in eve-log
      #    # the example below adds three additional fields when uncommented
      #    #custom: [Accept-Encoding, Accept-Language, Authorization]
      #- dns
      #- tls:
      #    extended: yes # enable this for extended logging information
      #- files:
      #    force-magic: yes # force logging magic on all logged files
      #    force-md5: yes # force logging of md5 checksums
      #- drop
      #- ssh
      #- smtp
      #- flow
      - netflow</pre>
<div><br></div><div>As soon as I launch my Suricata</div><div><br></div><div>sudo suricata -c /etc/suricata/suricata.yaml -k none -i eth0</div><div><br></div><div>the eve.json file is generated, but it seems that netflow is not working correctly.</div><div><br></div><div>For instance, 130.216.30.1 sent a UDP packet to 115.212.89.117; the src port is 53992 and the dest port is 1526. In less than 1 s the reply came back from 115.212.89.117, but Suricata has recognized this as a netflow (one-way flow).</div><div><br></div><div><pre style="font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;margin-right:1em;margin-left:1.6em;padding:8px;border:1px solid rgb(226,226,226);width:auto;color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">{"timestamp":"2015-10-07T10:13:38.000274+1300","flow_id":35919104,"event_type":"netflow","src_ip":"130.216.30.131","src_port":53992,"dest_ip":"115.212.89.117","dest_port":1526,"proto":"UDP","netflow":{"pkts":1,"bytes":71,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000540+1300","flow_id":35919104,"event_type":"netflow","src_ip":"115.212.89.117","src_port":1526,"dest_ip":"130.216.30.131","dest_port":53992,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000621+1300","flow_id":35896304,"event_type":"netflow","src_ip":"202.36.245.26","src_port":18169,"dest_ip":"104.44.96.233","dest_port":50005,"proto":"UDP","netflow":{"pkts":1,"bytes":478,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000661+1300","flow_id":35896304,"event_type":"netflow","src_ip":"104.44.96.233","src_port":50005,"dest_ip":"202.36.245.26","dest_port":18169,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000697+1300","flow_id":35864080,"event_type":"netflow","src_ip":"1.9.107.0","src_port":11965,"dest_ip":"130.216.30.132","dest_port":61491,"proto":"UDP","netflow":{"pkts":1,"bytes":89,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000733+1300","flow_id":35864080,"event_type":"netflow","src_ip":"130.216.30.132","src_port":61491,"dest_ip":"1.9.107.0","dest_port":11965,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}</pre></div><div><br></div><div>I have used the default timeout values in the suricata.yaml</div><div><br></div><div><pre style="font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;margin-right:1em;margin-left:1.6em;padding:8px;border:1px solid rgb(226,226,226);width:auto;color:rgb(72,72,72);font-size:12px;background-color:rgb(250,250,250)">flow-timeouts:
  default:
    new: 30                     #Time-out in seconds after the last activity in this flow in a New state.
    established: 300            #Time-out in seconds after the last activity in this flow in an Established
                                #state.
    emergency_new: 10           #Time-out in seconds after the last activity in this flow in a New state
                                #during the emergency mode.
    emergency_established: 100  #Time-out in seconds after the last activity in this flow in an Established
                                #state in the emergency mode.
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100</pre></div><div><br></div><div>I think the timeout is in seconds, so I don't know why Suricata recognized a bidirectional UDP flow as two separate flows.</div><div><br></div><div>Can anyone please help me on this?</div><div>Thanks a lot!</div><div><br></div><div><br></div><div>Steven</div>
</div></div>
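<div>Added example for this thread; it is not part of Steven's post and not Suricata project code. Suricata's EVE <code>netflow</code> event type is unidirectional by design: it models NetFlow-style records, so each direction of a flow is logged as its own record and the two records share the <code>flow_id</code>, with the reverse record reporting <code>pkts: 0</code> when Suricata saw no reply. The <code>flow</code> event type is the one that logs a single bidirectional record per flow. The script below pairs netflow records by <code>flow_id</code> into bidirectional summaries and flags flows whose reverse direction carried no packets, which is the view an analyst needs to separate genuinely one-way traffic (unanswered probes, replies dropped upstream) from ordinary request/response pairs. The sample input is constructed: it reuses the six records quoted in the post and adds one flow (<code>flow_id</code> 99999999, RFC 5737 addresses) that did see a reply, plus a trimmed <code>flow</code> event to show that non-netflow records are skipped. Function names, the sorting rule for picking the initiating direction, and the summary field names are this example's own choices.</div>

```python
"""Pair Suricata EVE "netflow" records (logged once per direction) into
bidirectional flow summaries and flag flows that never saw a reply packet.
Added example for this mailing-list thread, not Suricata project code."""
import json
from collections import defaultdict

# Constructed sample input: the six records quoted in the post, one constructed
# two-way flow (flow_id 99999999, RFC 5737 addresses), and a trimmed "flow"
# event (not a full Suricata flow record) that the parser should ignore.
SAMPLE_EVE = """\
{"timestamp":"2015-10-07T10:13:38.000274+1300","flow_id":35919104,"event_type":"netflow","src_ip":"130.216.30.131","src_port":53992,"dest_ip":"115.212.89.117","dest_port":1526,"proto":"UDP","netflow":{"pkts":1,"bytes":71,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000540+1300","flow_id":35919104,"event_type":"netflow","src_ip":"115.212.89.117","src_port":1526,"dest_ip":"130.216.30.131","dest_port":53992,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000621+1300","flow_id":35896304,"event_type":"netflow","src_ip":"202.36.245.26","src_port":18169,"dest_ip":"104.44.96.233","dest_port":50005,"proto":"UDP","netflow":{"pkts":1,"bytes":478,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000661+1300","flow_id":35896304,"event_type":"netflow","src_ip":"104.44.96.233","src_port":50005,"dest_ip":"202.36.245.26","dest_port":18169,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000697+1300","flow_id":35864080,"event_type":"netflow","src_ip":"1.9.107.0","src_port":11965,"dest_ip":"130.216.30.132","dest_port":61491,"proto":"UDP","netflow":{"pkts":1,"bytes":89,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000733+1300","flow_id":35864080,"event_type":"netflow","src_ip":"130.216.30.132","src_port":61491,"dest_ip":"1.9.107.0","dest_port":11965,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000800+1300","flow_id":99999999,"event_type":"netflow","src_ip":"192.0.2.10","src_port":40000,"dest_ip":"198.51.100.53","dest_port":53,"proto":"UDP","netflow":{"pkts":1,"bytes":72,"start":"2015-10-07T10:13:08.000000+1300","end":"2015-10-07T10:13:08.000000+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000820+1300","flow_id":99999999,"event_type":"netflow","src_ip":"198.51.100.53","src_port":53,"dest_ip":"192.0.2.10","dest_port":40000,"proto":"UDP","netflow":{"pkts":1,"bytes":120,"start":"2015-10-07T10:13:08.000500+1300","end":"2015-10-07T10:13:08.000500+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000900+1300","flow_id":99999999,"event_type":"flow","src_ip":"192.0.2.10","src_port":40000,"dest_ip":"198.51.100.53","dest_port":53,"proto":"UDP"}
"""


def parse_netflow(eve_text):
    """Return the netflow records from EVE JSON text (one JSON object per line)."""
    records = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "netflow":
            records.append(rec)
    return records


def pair_flows(records):
    """Group per-direction netflow records by flow_id into one summary per flow.

    The initiating direction is the record with the earliest start time; when both
    directions share a start time (as in the post's records) the one that carried
    packets wins. A flow whose reverse direction has pkts == 0 is marked one_way.
    """
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec["flow_id"]].append(rec)

    flows = {}
    for fid, recs in by_id.items():
        recs.sort(key=lambda r: (r["netflow"]["start"], -r["netflow"]["pkts"]))
        fwd = recs[0]
        rev = recs[1] if len(recs) > 1 else None
        rev_stats = rev["netflow"] if rev else {"pkts": 0, "bytes": 0}
        flows[fid] = {
            "src_ip": fwd["src_ip"],
            "src_port": fwd["src_port"],
            "dest_ip": fwd["dest_ip"],
            "dest_port": fwd["dest_port"],
            "proto": fwd["proto"],
            "pkts_toserver": fwd["netflow"]["pkts"],
            "bytes_toserver": fwd["netflow"]["bytes"],
            "pkts_toclient": rev_stats["pkts"],
            "bytes_toclient": rev_stats["bytes"],
            "one_way": rev_stats["pkts"] == 0,
        }
    return flows


def one_way_flow_ids(flows):
    """flow_ids whose reverse direction never carried a packet, sorted for stable output."""
    return sorted(fid for fid, f in flows.items() if f["one_way"])


def summarize(eve_text):
    """Parse EVE text and return the paired flow summaries keyed by flow_id."""
    return pair_flows(parse_netflow(eve_text))


if __name__ == "__main__":
    flows = summarize(SAMPLE_EVE)
    for fid, f in sorted(flows.items()):
        tag = "ONE-WAY" if f["one_way"] else "two-way"
        print(f"{fid} {f['proto']} {f['src_ip']}:{f['src_port']} -> "
              f"{f['dest_ip']}:{f['dest_port']} pkts "
              f"{f['pkts_toserver']}/{f['pkts_toclient']} {tag}")
```

<div>To run it against a live capture, replace <code>SAMPLE_EVE</code> with the contents of eve.json (for example <code>open("eve.json").read()</code>). For the six records quoted in the post all three flows come out as one-way, because each reverse-direction record reports zero packets; the constructed flow 99999999 comes out as two-way. If a bidirectional record per flow is what is wanted, enabling the <code>flow</code> type in <code>eve-log</code> gives that directly.</div>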