[Oisf-users] Suricata not logging drops

Michael J. Sheldon msheldon at godaddy.com
Mon Oct 3 18:39:42 UTC 2016


I retested, with ALL logs disabled except the drop log. Still no logged drops.
Switched drop.log off, retried eve with only drop enabled, no logged drop.
Turned eve alert logging on, drop was logged as an alert, action "allowed"

Another curiosity is the dns.log
If the query is not answered, it is not logged. (Not dropped by suricata, dropped by the dns server)
If I use eve for dns logging, it shows the query, dropped or not, no matter whether suricata dropped it, or the dns server dropped it.

Note that at one point I had lua output enabled. If "dns" protocol was enabled, it also did not log dns requests that were not answered. If instead output was set to type="packet", it was always logged, regardless of drop or not, but DnsGetQueries() always returns nil, so I cannot see the dns query.

All tests done with file-based logs, redis disabled.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

________________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
Sent: Saturday, October 1, 2016 05:47
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata not logging drops

On 01-10-16 01:14, Michael J. Sheldon wrote:
> I'm going absolutely crazy on this one.
> Suricata version is 3.1.2
>
> We have suricata running in IPS mode, and it's working just fine.
>
> I have this rule:
> drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
>
> And it works, a query for that zone is dropped.
>
> However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed"
>
>   - eve-log:
>       enabled: yes
>       type: redis #file|syslog|unix_dgram|unix_stream
>       redis:
>           server: 127.0.0.1
>           port: 6379
>           mode: list ##list|channel
>           key: suricata ##key or channel
>       types:
>         - alert
>         - drop
>
> I have also tried it with:
>         - drop:
>             alerts: yes
>             flows: all
>
> Identical results when eve is logged to file instead of redis
>
> {"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
>
> If I turn alert logging off, I get nothing.
>
> Likewise, if I turn drop logging off in eve, and enable the regular drop log, I get nothing.

Seems to work from here. I created:
drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com";
dns_query; content:"godaddy.com"; nocase; sid:4000000002;)

Did a query, saw it time out. Part of the alert:

    "tx_id": 0,
    "alert": {
      "action": "blocked",
      "gid": 1,
      "signature_id": 4000000002,
      "rev": 0,
      "signature": "DROP DNS query for godaddy.com",
      "category": "",
      "severity": 3
    },

Part of Drop log:

    "event_type": "drop",
    "src_port": 41757,
    "dest_port": 53,
    "proto": "UDP",
    "drop": {
      "len": 68,
      "tos": 0,
      "ttl": 64,
      "ipid": 58283,
      "udplen": 48
    },
    "tx_id": 0,
    "alert": {
      "action": "blocked",
      "gid": 1,
      "signature_id": 4000000002,
      "rev": 0,
      "signature": "DROP DNS query for godaddy.com",
      "category": "",
      "severity": 3
    },

> What the heck am I missing?

Do you have multiple instances of EVE, one to disk and one to redis
perhaps? Due to some internal limits only one drop log works currently.
It should lead to a warning at start up though.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
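The two outcomes in this thread (Michael's alert for a drop rule logged with action "allowed" and no drop record, versus Victor's alert with action "blocked" paired with an event_type "drop" record) can be told apart mechanically from the EVE output. The following checker is an added example for this archive page; it is not code from the thread, from Suricata, or from either poster. The EVE lines it reads are constructed from the fields shown in the two messages, not copied logs, and the function names and the notion of "drop rules logging as allowed" are this example's own.

```python
"""Added example: audit Suricata EVE JSON output for drop rules whose events
only ever show "action": "allowed" and never a matching "event_type": "drop".
Constructed sample input; nothing here is from the mailing-list thread itself."""
import json
from collections import defaultdict

# Constructed sample EVE lines. The first mirrors the "allowed" alert reported
# for sid 3200017; the next two mirror the "blocked" alert and its drop record
# for sid 4000000002. Timestamps and flow_ids after the first are made up.
SAMPLE_EVE = """\
{"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
{"timestamp":"2016-10-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.102","src_port":41757,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
{"timestamp":"2016-10-01T10:00:00.000100+0000","flow_id":1,"event_type":"drop","src_ip":"10.0.0.102","src_port":41757,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","drop":{"len":68,"tos":0,"ttl":64,"ipid":58283,"udplen":48},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
"""


def parse_eve(lines):
    """Yield one dict per valid EVE JSON line; blank or malformed lines are skipped
    rather than aborting the audit (EVE files are often truncated at the tail)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_drop_logging(lines):
    """Count, per signature_id, alerts with action allowed/blocked and drop records.

    Returns {sid: {"allowed": n, "blocked": n, "drop": n}}. Drop records carry the
    same nested "alert" object as alerts, which is how they are tied to a sid.
    """
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0, "drop": 0})
    for ev in parse_eve(lines):
        alert = ev.get("alert") or {}
        sid = alert.get("signature_id")
        if sid is None:
            continue
        etype = ev.get("event_type")
        if etype == "alert":
            action = alert.get("action")
            if action in ("allowed", "blocked"):
                stats[sid][action] += 1
        elif etype == "drop":
            stats[sid]["drop"] += 1
    return dict(stats)


def drop_rules_not_enforced(stats, drop_sids):
    """Return (sorted) sids of drop rules that produced only "allowed" alerts and no
    drop record. That is the symptom in the thread: the query is blocked on the
    wire, but the log says allowed, so the log cannot be trusted as an IPS audit
    trail until the output configuration is fixed."""
    suspect = []
    for sid in sorted(drop_sids):
        s = stats.get(sid, {"allowed": 0, "blocked": 0, "drop": 0})
        if s["allowed"] > 0 and s["blocked"] == 0 and s["drop"] == 0:
            suspect.append(sid)
    return suspect


if __name__ == "__main__":
    # Hypothetical usage: the set of sids is whatever drop rules you deployed.
    stats = summarize_drop_logging(SAMPLE_EVE.splitlines())
    for sid, s in sorted(stats.items()):
        print(sid, s)
    print("drop rules logging as allowed:",
          drop_rules_not_enforced(stats, {3200017, 4000000002}))
```

Run it against a real eve.json by replacing SAMPLE_EVE.splitlines() with the open file; a non-empty result means the alert and drop outputs disagree with what the IPS did on the wire, which is worth checking before relying on Victor's hint about a second EVE instance (only one drop log is active, with a startup warning) to explain it.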
