[Oisf-users] Suricata netflow output
Qinwen Hu
qhu009 at aucklanduni.ac.nz
Tue Oct 6 21:35:52 UTC 2015
Hi All,
I am trying to enable the netflow module for logging one-way flows in
Suricata.
I have done this config:
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        #- http:
        #    extended: yes     # enable this for extended logging information
        #    # custom allows additional http fields to be included in eve-log
        #    # the example below adds three additional fields when uncommented
        #    #custom: [Accept-Encoding, Accept-Language, Authorization]
        #- dns
        #- tls:
        #    extended: yes     # enable this for extended logging information
        #- files:
        #    force-magic: yes   # force logging magic on all logged files
        #    force-md5: yes     # force logging of md5 checksums
        #- drop
        #- ssh
        #- smtp
        #- flow
        - netflow
As soon as I launch Suricata with
sudo suricata -c /etc/suricata/suricata.yaml -k none -i eth0
the eve.json file is generated. But it seems that netflow is not working
correctly.
For instance, 130.216.30.1 sent a UDP packet to 115.212.89.117, the src
port is 53992 and the dest port is 1526; in less than 1s, the reply came back
from 115.212.89.117. But Suricata has recognized this as a netflow (one-way
flow).
{"timestamp":"2015-10-07T10:13:38.000274+1300","flow_id":35919104,"event_type":"netflow","src_ip":"130.216.30.131","src_port":53992,"dest_ip":"115.212.89.117","dest_port":1526,"proto":"UDP","netflow":{"pkts":1,"bytes":71,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000540+1300","flow_id":35919104,"event_type":"netflow","src_ip":"115.212.89.117","src_port":1526,"dest_ip":"130.216.30.131","dest_port":53992,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000621+1300","flow_id":35896304,"event_type":"netflow","src_ip":"202.36.245.26","src_port":18169,"dest_ip":"104.44.96.233","dest_port":50005,"proto":"UDP","netflow":{"pkts":1,"bytes":478,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000661+1300","flow_id":35896304,"event_type":"netflow","src_ip":"104.44.96.233","src_port":50005,"dest_ip":"202.36.245.26","dest_port":18169,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000697+1300","flow_id":35864080,"event_type":"netflow","src_ip":"1.9.107.0","src_port":11965,"dest_ip":"130.216.30.132","dest_port":61491,"proto":"UDP","netflow":{"pkts":1,"bytes":89,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000733+1300","flow_id":35864080,"event_type":"netflow","src_ip":"130.216.30.132","src_port":61491,"dest_ip":"1.9.107.0","dest_port":11965,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
I have used the default timeout values in the suricata.yaml
flow-timeouts:
  default:
    new: 30                    #Time-out in seconds after the last activity in this flow in a New state.
    established: 300           #Time-out in seconds after the last activity in this flow in a Established
                               #state.
    emergency_new: 10          #Time-out in seconds after the last activity in this flow in a New state
                               #during the emergency mode.
    emergency_established: 100 #Time-out in seconds after the last activity in this flow in a Established
                               #state in the emergency mode.
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
I think the timeout is in seconds. So I don't know why Suricata recognized
a bidirectional UDP flow as two separate flows.
Can anyone please help me on this?
Thanks a lot!
Steven
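The records quoted in the post log each direction of a flow as a separate netflow event, and the two directions share one flow_id. As an added illustration (not part of the original post and not Suricata's own code), the script below pairs the two directions by flow_id and flags flows whose reverse direction logged zero packets, which is the condition the poster is asking about. The six sample lines are the ones quoted in the post; the names parse_eve, pair_netflow, summarize and one_way_flow_ids are chosen here, and the summary layout is an assumption, not an EVE format.

```python
"""Pair Suricata EVE 'netflow' records by flow_id and flag one-way flows."""
import json
from collections import defaultdict

# Constructed sample input: the six netflow lines quoted in the post,
# one EVE JSON record per line, as Suricata writes them to eve.json.
SAMPLE_EVE = """\
{"timestamp":"2015-10-07T10:13:38.000274+1300","flow_id":35919104,"event_type":"netflow","src_ip":"130.216.30.131","src_port":53992,"dest_ip":"115.212.89.117","dest_port":1526,"proto":"UDP","netflow":{"pkts":1,"bytes":71,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000540+1300","flow_id":35919104,"event_type":"netflow","src_ip":"115.212.89.117","src_port":1526,"dest_ip":"130.216.30.131","dest_port":53992,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.795117+1300","end":"2015-10-07T10:13:07.795117+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000621+1300","flow_id":35896304,"event_type":"netflow","src_ip":"202.36.245.26","src_port":18169,"dest_ip":"104.44.96.233","dest_port":50005,"proto":"UDP","netflow":{"pkts":1,"bytes":478,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000661+1300","flow_id":35896304,"event_type":"netflow","src_ip":"104.44.96.233","src_port":50005,"dest_ip":"202.36.245.26","dest_port":18169,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.794299+1300","end":"2015-10-07T10:13:07.794299+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000697+1300","flow_id":35864080,"event_type":"netflow","src_ip":"1.9.107.0","src_port":11965,"dest_ip":"130.216.30.132","dest_port":61491,"proto":"UDP","netflow":{"pkts":1,"bytes":89,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
{"timestamp":"2015-10-07T10:13:38.000733+1300","flow_id":35864080,"event_type":"netflow","src_ip":"130.216.30.132","src_port":61491,"dest_ip":"1.9.107.0","dest_port":11965,"proto":"UDP","netflow":{"pkts":0,"bytes":0,"start":"2015-10-07T10:13:07.793183+1300","end":"2015-10-07T10:13:07.793183+1300","age":0}}
"""


def parse_eve(text):
    """Yield decoded EVE JSON records; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A truncated line (Suricata mid-write) must not abort the whole run.
            continue


def pair_netflow(records):
    """Group netflow records by flow_id.

    Suricata emits one netflow record per direction; both directions of the
    same flow carry the same flow_id, which is what lets us stitch them back
    together. Records of other event types are ignored.
    """
    flows = defaultdict(list)
    for rec in records:
        if rec.get("event_type") == "netflow":
            flows[rec["flow_id"]].append(rec)
    return dict(flows)


def _endpoint(rec, side):
    """Format the src or dest endpoint of a record as ip:port."""
    return f'{rec[side + "_ip"]}:{rec[side + "_port"]}'


def summarize(flows):
    """Build a bidirectional summary per flow_id (layout is this script's own).

    The first record written for a flow_id is taken as the forward direction;
    the record whose source equals the forward destination is the reverse.
    A flow is marked one_way when either direction carried zero packets.
    """
    summaries = {}
    for fid, recs in flows.items():
        fwd = recs[0]
        rev = next(
            (r for r in recs[1:]
             if r["src_ip"] == fwd["dest_ip"] and r["src_port"] == fwd["dest_port"]),
            None,
        )
        fwd_pkts = fwd["netflow"]["pkts"]
        rev_pkts = rev["netflow"]["pkts"] if rev else 0
        rev_bytes = rev["netflow"]["bytes"] if rev else 0
        summaries[fid] = {
            "proto": fwd["proto"],
            "forward": _endpoint(fwd, "src") + " -> " + _endpoint(fwd, "dest"),
            "pkts_forward": fwd_pkts,
            "pkts_reverse": rev_pkts,
            "bytes": fwd["netflow"]["bytes"] + rev_bytes,
            "one_way": fwd_pkts == 0 or rev_pkts == 0,
        }
    return summaries


def one_way_flow_ids(summaries):
    """Sorted flow_ids whose forward or reverse direction logged zero packets."""
    return sorted(fid for fid, s in summaries.items() if s["one_way"])


if __name__ == "__main__":
    summary = summarize(pair_netflow(parse_eve(SAMPLE_EVE)))
    for fid, s in summary.items():
        flag = "ONE-WAY" if s["one_way"] else "bidirectional"
        print(f'{fid} {s["proto"]} {s["forward"]} '
              f'pkts {s["pkts_forward"]}/{s["pkts_reverse"]} bytes {s["bytes"]} {flag}')
```

On a live sensor, feed the contents of eve.json to parse_eve instead of SAMPLE_EVE. Suricata's separate flow event type records both directions of a flow in a single record, so comparing that output against the paired netflow records for the same flow_id is a quick way to see whether the reverse direction was ever counted at all.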