[Oisf-users] Making Suricata Alert Per Matching Packet

Shane Boissevain shaneboissevain at gmail.com
Mon Apr 11 20:46:13 UTC 2016


Issue in question is that Suricata only alerts once per stream (I think)
instead of once per packet.

To test this, I tcpdumped a connection to Google and rewrote it via
tcprewrite, and sent it through Suricata via tcpreplay. This allows me to
write an incredibly simple alert that trips based on port:

> alert tcp any 55582 -> any 80 (msg:"Test Rule";
> classification:policy-violation; sid:9000000; rev:1;)


I'd expect one alert for every packet coming from port 55582 and going to
port 80 (a total of 18 alerts). However, I only receive a single alert, on
the first packet that matches (the 8th packet of the pcap):
> # u2spewfoo /var/log/suricata/unified2.alert.1460405506
> (Event)
> sensor id: 0 event id: 1 event second: 1460405857 event microsecond: 55116
> sig id: 9000000 gen id: 1 revision: 1 classification: 0
> priority: 3 ip source: 10.0.0.200 ip destination: 10.0.0.100
> src port: 55582 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
> Packet
> sensor id: 0 event id: 1 event second: 1460405857
> packet second: 1460405857 packet microsecond: 55116
> linktype: 1 packet_length: 74
> [    0] 00 0C BD 04 98 9D 00 0C BD 04 98 9C 08 00 45 00  ..............E.
> [   16] 00 3C 99 AE 40 00 40 06 8B E2 0A 00 00 C8 0A 00  .<.. at .@.........
> [   32] 00 64 D9 1E 00 50 F9 88 80 9E 00 00 00 00 A0 02  .d...P..........
> [   48] 72 10 4E BD 00 00 02 04 05 B4 04 02 08 0A 05 41  r.N............A
> [   64] 19 30 00 00 00 00 01 03 03 07                    .0........


Is there a setting I'm missing that tells Suricata to alert once for every
packet that matches a rule, and not just once per stream?

Here's the output of tcpdump -nr file.pcap:

> 14:57:21.231575 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [S], seq
> 2861856292, win 29200, options [mss 1460,sackOK,TS val 88152310 ecr
> 0,nop,wscale 7], length 0
> 14:57:21.238724 IP 10.0.0.100.80 > 10.0.0.200.32996: Flags [S.], seq
> 1204143727, ack 2861856293, win 42540, options [mss 1430,sackOK,TS val
> 435988350 ecr 88152310,nop,wscale 7], length 0
> 14:57:21.238734 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [.], ack 1, win
> 229, options [nop,nop,TS val 88152312 ecr 435988350], length 0
> 14:57:21.238752 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [P.], seq
> 1:109, ack 1, win 229, options [nop,nop,TS val 88152312 ecr 435988350],
> length 108
> 14:57:21.245265 IP 10.0.0.100.80 > 10.0.0.200.32996: Flags [.], ack 109,
> win 333, options [nop,nop,TS val 435988358 ecr 88152312], length 0
> 14:57:21.445243 IP 10.0.0.100.80 > 10.0.0.200.32996: Flags [P.], seq
> 1:541, ack 109, win 333, options [nop,nop,TS val 435988557 ecr 88152312],
> length 540
> 14:57:21.445248 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [.], ack 541,
> win 237, options [nop,nop,TS val 88152364 ecr 435988557], length 0
> 14:57:21.463858 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [S], seq
> 4186472606, win 29200, options [mss 1460,sackOK,TS val 88152368 ecr
> 0,nop,wscale 7], length 0
> 14:57:21.470553 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [S.], seq
> 863167093, ack 4186472607, win 42540, options [mss 1430,sackOK,TS val
> 1924274191 ecr 88152368,nop,wscale 7], length 0
> 14:57:21.470562 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 1, win
> 229, options [nop,nop,TS val 88152370 ecr 1924274191], length 0
> 14:57:21.470578 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [P.], seq
> 1:113, ack 1, win 229, options [nop,nop,TS val 88152370 ecr 1924274191],
> length 112
> 14:57:21.480704 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], ack 113,
> win 333, options [nop,nop,TS val 1924274200 ecr 88152370], length 0
> 14:57:21.524940 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 1:1419, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr 88152370],
> length 1418
> 14:57:21.524945 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 1419,
> win 251, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.524987 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [F.], seq 109,
> ack 541, win 237, options [nop,nop,TS val 88152384 ecr 435988557], length 0
> 14:57:21.525030 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 1419:2837, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.525034 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 2837,
> win 274, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.525208 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 2837:4255, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.525213 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 4255,
> win 296, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.525407 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 4255:5673, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.525412 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 5673,
> win 319, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.525584 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 5673:7091, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.525590 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 7091,
> win 342, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.525792 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 7091:9927, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 2836
> 14:57:21.525808 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 9927,
> win 386, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.526026 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 9927:11345, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.526041 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 11345,
> win 409, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.526229 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 11345:12763, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.526234 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 12763,
> win 431, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.526406 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 12763:14181, ack 113, win 333, options [nop,nop,TS val 1924274244 ecr
> 88152370], length 1418
> 14:57:21.526411 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 14181,
> win 454, options [nop,nop,TS val 88152384 ecr 1924274244], length 0
> 14:57:21.533017 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 14181:15599, ack 113, win 333, options [nop,nop,TS val 1924274252 ecr
> 88152384], length 1418
> 14:57:21.533022 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 15599,
> win 477, options [nop,nop,TS val 88152386 ecr 1924274252], length 0
> 14:57:21.533193 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 15599:17017, ack 113, win 333, options [nop,nop,TS val 1924274252 ecr
> 88152384], length 1418
> 14:57:21.533208 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 17017,
> win 499, options [nop,nop,TS val 88152386 ecr 1924274252], length 0
> 14:57:21.533402 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [.], seq
> 17017:18435, ack 113, win 333, options [nop,nop,TS val 1924274252 ecr
> 88152384], length 1418
> 14:57:21.533407 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 18435,
> win 522, options [nop,nop,TS val 88152386 ecr 1924274252], length 0
> 14:57:21.533410 IP 10.0.0.100.80 > 10.0.0.200.32996: Flags [F.], seq 541,
> ack 110, win 333, options [nop,nop,TS val 435988647 ecr 88152384], length 0
> 14:57:21.533413 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [.], ack 542,
> win 237, options [nop,nop,TS val 88152386 ecr 435988647], length 0
> 14:57:21.533566 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [P.], seq
> 18435:19712, ack 113, win 333, options [nop,nop,TS val 1924274252 ecr
> 88152384], length 1277
> 14:57:21.533571 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 19712,
> win 544, options [nop,nop,TS val 88152386 ecr 1924274252], length 0
> 14:57:21.533751 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [F.], seq 113,
> ack 19712, win 544, options [nop,nop,TS val 88152386 ecr 1924274252],
> length 0
> 14:57:21.540583 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [F.], seq
> 19712, ack 114, win 333, options [nop,nop,TS val 1924274260 ecr 88152386],
> length 0
> 14:57:21.540587 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 19713,
> win 544, options [nop,nop,TS val 88152388 ecr 1924274260], length 0


Sincerely,
Shane
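A model of the two alerting granularities contrasted in the post above, added here as an example and not part of the original post or of Suricata itself: it parses tcpdump -n records, keys them into bidirectional flows, and applies the post's rule header `alert tcp any 55582 -> any 80` either to every packet or once per flow. The capture it runs on is a constructed subset of the tcpdump output quoted above; over the full capture, per-packet mode yields the 18 alerts the post expects and per-flow mode the single alert it observed.

```python
import re

# Added example (not from the post or Suricata): models per-packet vs per-flow
# alerting for the post's rule `alert tcp any 55582 -> any 80` over tcpdump -n text.
# SAMPLE_TCPDUMP is a constructed subset of the post's capture, one record per line, options dropped.
SAMPLE_TCPDUMP = """\
14:57:21.231575 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [S], seq 2861856292, win 29200, length 0
14:57:21.238724 IP 10.0.0.100.80 > 10.0.0.200.32996: Flags [S.], seq 1204143727, ack 2861856293, win 42540, length 0
14:57:21.238734 IP 10.0.0.200.32996 > 10.0.0.100.80: Flags [.], ack 1, win 229, length 0
14:57:21.463858 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [S], seq 4186472606, win 29200, length 0
14:57:21.470553 IP 10.0.0.100.80 > 10.0.0.200.55582: Flags [S.], seq 863167093, ack 4186472607, win 42540, length 0
14:57:21.470562 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [.], ack 1, win 229, length 0
14:57:21.470578 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [P.], seq 1:113, ack 1, win 229, length 112
14:57:21.533751 IP 10.0.0.200.55582 > 10.0.0.100.80: Flags [F.], seq 113, ack 19712, win 544, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def parse_packets(text):
    """Return [(src, sport, dst, dport), ...] in capture order; lines that are not packet records are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts

def flow_key(pkt):
    """Direction-independent key so both halves of one TCP conversation map to the same flow."""
    return tuple(sorted([(pkt[0], pkt[1]), (pkt[2], pkt[3])]))

def rule_matches(pkt, sport=55582, dport=80):
    """The post's rule header (alert tcp any 55582 -> any 80) is directional: client->server only."""
    return pkt[1] == sport and pkt[3] == dport

def count_alerts(text, per_flow):
    """Return (alert count, 1-based index of the first alerting packet).
    per_flow=False alerts on every matching packet (the post's expectation);
    per_flow=True alerts once per flow (the single alert the post observed)."""
    seen, alerts, first = set(), 0, None
    for idx, pkt in enumerate(parse_packets(text), start=1):
        if not rule_matches(pkt):
            continue
        if per_flow:
            key = flow_key(pkt)
            if key in seen:
                continue
            seen.add(key)
        alerts += 1
        first = idx if first is None else first
    return alerts, first
```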