[Oisf-users] Making Suricata Alert Per Matching Packet

Shane Boissevain shaneboissevain at gmail.com
Mon Apr 11 22:30:18 UTC 2016


Coop,

Good call on the offloading, but I've already learned that one the hard
way. I did double check it though, and

> ethtool -K enp1s0f0 tso off gso off gro off

has already been run to turn all offloading off. I also verified via
tcpdump that suricata does see all of the packets, and that none were
dropped by the kernel.

It is my understanding that while unified2 is best effort on logging
packets, it certainly should log all alerts that suricata generates. The
point of this (for me) is to understand why suricata is not behaving the
way I would expect it to. My intent is not to find a way to log all packets
from an IP (if I want to just log the packets, I would simply use tcpdump).

I understand that the threshold is usually set to avoid WAY too many alerts.
However, with it off, I would think that the signature would trip an alert
for each packet seen.

So I guess my refined-refined question is:
Should the above "Test Rule 2" IP-Only Signature (with no thresholding in
place) trip on every packet seen from 10.0.0.100, or only on the first
packet of the session? It seems intuitive to me that it would trip on every
packet, but this is not the behavior I'm experiencing.

~ Shane

On Mon, Apr 11, 2016 at 4:59 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Well, first of all IP-only rules usually have a threshold set as most
> folks don't want them alerting constantly.
>
> In your example I can think of a few cases why the observed behavior
> might be happening.
>
> One, you may have some offloading enabled on your NIC.  Best practice is
> to disable it.  Check the documentation here for instructions:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>
> Two, I know that the unified2 logging is a "best effort" and may not
> always log all packets.
>
> I was going to mention this earlier, but if I was interested in matching
> on all packets I would just use bpf filters and full-packet capture.
>
> -Coop
>
> On 4/11/2016 2:44 PM, Shane Boissevain wrote:
> > Coop,
> >
> > Thanks for the speedy reply. I've confirmed that by playing with the flags
> > option I can get suricata to trip on the desired 18 packets.
> >
> > However, I suppose my question isn't so much "how do I get this to trip
> > on these packets" and more of why doesn't that signature trip on all of
> > these packets?
> >
> > For example, if I add a reputation alert (based off of those found in
> > Emerging Threats' drop.rules file):
> >
> > alert ip 10.0.0.100 any -> any any (msg:"TEST Rule 2"; classtype:misc-attack; sid:9000002; rev:1;)
> >
> >
> > I would expect there to be 20 alerts tripped, as I send 20 packets that
> > have the source ip of 10.0.0.100 (as verified below):
> >
> > # tcpdump -nr test.pcap src net 10.0.0.100 | wc
> >      20 lines
> >
> >
> > However, I only see 5 total alerts...verified by:
> >
> > # u2spewfoo unified2.alert.1460410545  | grep '(Event)' | wc
> >       5 lines
> >
> >
> > ~ Shane
> >
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
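A check that pairs with the tcpdump/u2spewfoo comparison in the quoted message: count the packets and the distinct flows from a source address in the pcap, so the alert count can be compared against both figures rather than packets alone. This is an added example, not code from the thread; the pcap is constructed inline to mirror the 20-packet case, and the one-direction 5-tuple flow definition is an assumption.

```python
import struct

def build_pcap(frames):
    # Constructed sample container: little-endian pcap v2.4, linktype 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport):
    # Constructed minimal Ethernet/IPv4/TCP frame; checksums stay zero since only headers are read.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def count_packets_and_flows(pcap_bytes, src_ip):
    """Return (packets, flows) from src_ip. A flow here is one direction of a
    (proto, src, dst, sport, dport) tuple; this is an assumed definition."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # microsecond magic only
    off, pkts, flows = 24, 0, set()
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet is handled
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if src != src_ip:
            continue
        pkts += 1
        l4 = frame[14 + ihl:14 + ihl + 4]
        ports = struct.unpack("!HH", l4) if proto in (6, 17) and len(l4) == 4 else (0, 0)
        flows.add((proto, src, dst) + ports)
    return pkts, len(flows)

# Constructed pcap mirroring the thread's numbers: 5 TCP sessions of 4 packets each
# from 10.0.0.100 (20 packets), plus one reply packet from the other side.
SAMPLE = build_pcap(
    [tcp_frame("10.0.0.100", "10.0.0.1", 40000 + f, 80) for f in range(5) for _ in range(4)]
    + [tcp_frame("10.0.0.1", "10.0.0.100", 80, 40000)]
)

if __name__ == "__main__":
    pkts, flows = count_packets_and_flows(SAMPLE, "10.0.0.100")
    print(f"packets from 10.0.0.100: {pkts}, distinct flows: {flows}")  # 20 and 5
```

On the real test.pcap, pass the file's bytes in place of SAMPLE; an alert count that matches the flow figure rather than the packet figure points at per-flow evaluation of the rule.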