<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We are logging flow data with Suricata with the following settings in the yaml:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> - eve-log:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> enabled: true<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> filetype: regular<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> filename: flow.json<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> types:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> - flow<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The issue we have is we are not seeing any ICMP data the flow logs. We have tpc, udp, IPV6-ICMP, and SCTP. Is there an option in the yaml that I am missing, is it a part of another log, or is it a bug?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Below is the build info for Suricata.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Joseph Feather<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Build Info:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This is Suricata version 4.0.3 RELEASE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">SIMD support: none<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Atomic intrisics: 1 2 4 8 byte(s)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">64-bits, Little-endian architecture<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with _FORTIFY_SOURCE=2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">L1 cache line size (CLS)=64<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">thread local storage method: __thread<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Suricata Configuration:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> AF_PACKET support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> PF_RING support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> NFQueue support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> NFLOG support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> IPFW support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Netmap support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> DAG enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Napatech enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Unix socket enabled: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Detection enabled: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Libmagic support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> libnss support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> libnspr support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> libjansson support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> hiredis support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> hiredis async with libevent: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Prelude support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> PCRE jit: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> LUA support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> libluajit: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> libgeoip: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Non-bundled htp: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Old barnyard2 support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> CUDA enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Hyperscan support: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Libnet support: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Rust support (experimental): no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Experimental Rust parsers: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Rust strict mode: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Suricatasc install: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Profiling enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Profiling locks enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Development settings:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Coccinelle / spatch: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Unit tests enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Debug output enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Debug validation enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Generic build parameters:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Installation prefix: /usr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Configuration directory: /etc/suricata/<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Log directory: /var/log/suricata/<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> --prefix /usr<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> --sysconfdir /etc<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> --localstatedir /var<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Host: x86_64-redhat-linux-gnu<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Compiler: gcc -std=gnu99 (exec name) / gcc (real)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> GCC Protect enabled: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> GCC march native enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> GCC Profile enabled: no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Position Independent Executable enabled: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> CFLAGS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> PCAP_CFLAGS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security<o:p></o:p></span></p>
</div>
<br>
<br>
Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
<br>
<br>
Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this
message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer.
</body>
</html>