<div dir="ltr">Coop,<div><br></div><div>Good call on the offloading, but I've already learned that one the hard way. I did double check it though, and </div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><font face="monospace, monospace">ethtool -K enp1s0f0 tso off gso off gro off</font></blockquote><div>has already been run to turn all offloading off. I also verified via tcpdump that Suricata does see all of the packets, and that none were dropped by the kernel.</div></div><div><br></div><div>It is my understanding that while unified2 is best effort on logging packets, it certainly should log all alerts that Suricata generates. The point of this (for me) is to understand why Suricata is not behaving the way I would expect it to. My intent is not to find a way to log all packets from an IP (if I want to just log the packets, I would simply use tcpdump).</div><div><div><br></div><div><div>I understand that the threshold is usually set to avoid WAY too many alerts. However, with it off, I would think that the signature would trip an alert for each packet seen. </div></div><div><br></div><div>So I guess my refined-refined question is:</div><div>Should the above "Test Rule 2" IP-Only Signature (with no thresholding in place) trip on every packet seen from 10.0.0.100, or only on the first packet of the session? It seems intuitive to me that it would trip on every packet, but this is not the behavior I'm experiencing. </div><div><br></div><div>~ Shane</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 11, 2016 at 4:59 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Well, first of all IP-only rules usually have a threshold set as most<br>
folks don't want them alerting constantly.<br>
<br>
In your example I can think of a few cases why the observed behavior<br>
might be happening.<br>
<br>
One, you may have some offloading enabled on your NIC. Best practice is<br>
to disable it. Check the documentation here for instructions:<br>
<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction</a><br>
<br>
Two, I know that the unified2 logging is a "best effort" and may not<br>
always log all packets.<br>
<br>
I was going to mention this earlier, but if I was interested in matching<br>
on all packets I would just use bpf filters and full-packet capture.<br>
<br>
-Coop<br>
<div class="HOEnZb"><div class="h5"><br>
On 4/11/2016 2:44 PM, Shane Boissevain wrote:<br>
> Coop,<br>
><br>
> Thanks for the speedy reply. I've confirmed that by playing with the flags<br>
> option I can get Suricata to trip on the desired 18 packets.<br>
><br>
> However, I suppose my question isn't so much "how do I get this to trip<br>
> on these packets" and more of why doesn't that signature trip on all of<br>
> these packets?<br>
><br>
> For example, if I add a reputation alert (based off of those found in<br>
> Emerging Threats' drop.rules file):<br>
><br>
> alert ip 10.0.0.100 any -> any any (msg:"TEST Rule 2";<br>
>> classtype:misc-attack; sid:9000002; rev:1;)<br>
><br>
><br>
> I would expect there to be 20 alerts tripped, as I send 20 packets that<br>
> have the source ip of 10.0.0.100 (as verified below):<br>
><br>
> # tcpdump -nr test.pcap src net 10.0.0.100 | wc<br>
>> 20 lines<br>
><br>
><br>
> However, I only see 5 total alerts...verified by:<br>
><br>
> # u2spewfoo unified2.alert.1460410545 | grep '(Event)' | wc<br>
>> 5 lines<br>
><br>
><br>
> ~ Shane<br>
><br>
<br>
<br>
</div></div><div class="HOEnZb"><div class="h5">--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
<br>
</div></div></blockquote></div><br></div>
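As an added illustration that is not part of the thread: Suricata evaluates an IP-only rule once per flow direction and caches the result on the flow, so the alert fires on the first packet of each flow rather than on every packet. The small Python model below contrasts that with the per-packet expectation; the packets are constructed, and the 5-flow layout is an assumption chosen to reproduce the 20-packet / 5-alert counts from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_network, ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow_key(self):
        """Direction-independent 5-tuple, as a flow table would key on."""
        a = (self.src, self.sport)
        b = (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


RULE_SRC = ip_network("10.0.0.100/32")  # alert ip 10.0.0.100 any -> any any


def rule_matches(pkt):
    return ip_address(pkt.src) in RULE_SRC


def alerts_per_packet(packets):
    """Naive expectation: every matching packet raises an alert."""
    return [p for p in packets if rule_matches(p)]


def alerts_ip_only(packets):
    """IP-only semantics: evaluated once per flow direction, cached on the flow."""
    evaluated = set()
    alerts = []
    for p in packets:
        marker = (p.flow_key(), p.src)  # src identifies the direction within the flow
        if marker in evaluated:
            continue  # this flow direction was already judged; no re-evaluation
        evaluated.add(marker)
        if rule_matches(p):
            alerts.append(p)
    return alerts


def constructed_pcap():
    """Constructed input: 20 packets, 5 flows from 10.0.0.100, 4 packets each."""
    return [Packet("10.0.0.100", 40000 + f, "10.0.0.1", 80)
            for f in range(5) for _ in range(4)]
```

The gap between the two counts is the "5 alerts for 20 packets" seen in the thread; a threshold is a separate, additional suppression on top of this.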