[Oisf-users] Suricata not logging drops

Victor Julien lists at inliniac.net
Tue Oct 4 06:52:57 UTC 2016 

On 03-10-16 20:39, Michael J. Sheldon wrote:
> I retested, with ALL logs disabled except the drop log. Still no logged drops.
> Switched drop.log off, retried eve with only drop enabled, no logged drop.
> Turned eve alert logging on, drop was logged as an alert, action "allowed"
> 
> Another curiosity is the dns.log
> If the query is not answered, it is not logged. (Not dropped by suricata, dropped by the dns server)
> If I use eve for dns logging, it shows the query, dropped or not, no matter whether suricata dropped it, or the dns server dropped it.
> 
> Note that at one point I had lua output enabled. If "dns" protocol was enabled, it also did not log dns requests that were not answered. If instead output was set to type="packet", it was always logged, regardless of drop or not, but DnsGetQueries() always returns nil, so I cannot see the dns query.
> 
> All tests done with file-based logs, redis disabled.

How are you running Suricata? What IPS mode are you using? Can you share
the capture related part of your yaml (or the whole yaml)?

Cheers,
Victor


> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
> 
> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Saturday, October 1, 2016 05:47
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata not logging drops
> 
> On 01-10-16 01:14, Michael J. Sheldon wrote:
>> I'm going absolutely crazy on this one.
>> Suricata version is 3.1.2
>>
>> We have suricata running in IPS mode, and it's working just fine.
>>
>> I have this rule:
>> drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
>>
>> And it works, a query for that zone is dropped.
>>
>> However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed"
>>
>>   - eve-log:
>>       enabled: yes
>>       type: redis #file|syslog|unix_dgram|unix_stream
>>       redis:
>>           server: 127.0.0.1
>>           port: 6379
>>           mode: list ##list|channel
>>           key: suricata ##key or channel
>>       types:
>>         - alert
>>         - drop
>>
>> I have also tried it with:
>>         - drop:
>>             alerts: yes
>>             flows: all
>>
>> Identical results when eve is logged to file instead of redis
>>
>> {"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
>>
>> If I turn alert logging off, I get nothing.
>>
>> Likewise, If I turn drop logging off in eve, and enable the regular drop log, I get nothing.
> 
> Seems to work from here. I created:
> drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com";
> dns_query; content:"godaddy.com"; nocase; sid:4000000002;)
> 
> Did a query, saw it time out. Part of the alert:
> 
>     "tx_id": 0,
>     "alert": {
>       "action": "blocked",
>       "gid": 1,
>       "signature_id": 4000000002,
>       "rev": 0,
>       "signature": "DROP DNS query for godaddy.com",
>       "category": "",
>       "severity": 3
>     },
> 
> Part of Drop log:
> 
>     "event_type": "drop",
>     "src_port": 41757,
>     "dest_port": 53,
>     "proto": "UDP",
>     "drop": {
>       "len": 68,
>       "tos": 0,
>       "ttl": 64,
>       "ipid": 58283,
>       "udplen": 48
>     },
>     "tx_id": 0,
>     "alert": {
>       "action": "blocked",
>       "gid": 1,
>       "signature_id": 4000000002,
>       "rev": 0,
>       "signature": "DROP DNS query for godaddy.com",
>       "category": "",
>       "severity": 3
>     },
> 
>> What the heck am I missing?
> 
> Do you have multiple instances of EVE, one to disk and one to redis
> perhaps? Due to some internal limits only one drop log works currently.
> It should lead to a warning at start up though.
> 
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list