[Oisf-users] Suricata not logging drops

Victor Julien lists at inliniac.net
Sat Oct 1 12:47:52 UTC 2016 

On 01-10-16 01:14, Michael J. Sheldon wrote:
> I'm going absolutely crazy on this one.
> Suricata version is 3.1.2
> 
> We have suricata running in IPS mode, and it's working just fine.
> 
> I have this rule:
> drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
> 
> And it works, a query for that zone is dropped.
> 
> However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed"
> 
>   - eve-log:
>       enabled: yes
>       type: redis #file|syslog|unix_dgram|unix_stream
>       redis:
>           server: 127.0.0.1
>           port: 6379
>           mode: list ##list|channel
>           key: suricata ##key or channel
>       types:
>         - alert
>         - drop
> 
> I have also tried it with:
>         - drop:
>             alerts: yes
>             flows: all
> 
> Identical results when eve is logged to file instead of redis
> 
> {"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
> 
> If I turn alert logging off, I get nothing.
> 
> Likewise, If I turn drop logging off in eve, and enable the regular drop log, I get nothing.

Seems to work from here. I created:
drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com";
dns_query; content:"godaddy.com"; nocase; sid:4000000002;)

Did a query, saw it time out. Part of the alert:

    "tx_id": 0,
    "alert": {
      "action": "blocked",
      "gid": 1,
      "signature_id": 4000000002,
      "rev": 0,
      "signature": "DROP DNS query for godaddy.com",
      "category": "",
      "severity": 3
    },

Part of Drop log:

    "event_type": "drop",
    "src_port": 41757,
    "dest_port": 53,
    "proto": "UDP",
    "drop": {
      "len": 68,
      "tos": 0,
      "ttl": 64,
      "ipid": 58283,
      "udplen": 48
    },
    "tx_id": 0,
    "alert": {
      "action": "blocked",
      "gid": 1,
      "signature_id": 4000000002,
      "rev": 0,
      "signature": "DROP DNS query for godaddy.com",
      "category": "",
      "severity": 3
    },

> What the heck am I missing?

Do you have multiple instances of EVE, one to disk and one to redis
perhaps? Due to some internal limits only one drop log works currently.
It should lead to a warning at start up though.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list