[Oisf-users] Suricata not logging drops
Michael J. Sheldon
msheldon at godaddy.com
Mon Oct 10 16:52:13 UTC 2016
Sorry, missed that. Running in mpipe mode
exec hugectl --heap /usr/local/bin/suricata --mpipe
Michael Sheldon
Dev-DNS Services
GoDaddy.com
________________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Andreas Herz <andi at geekosphere.org>
Sent: Sunday, October 9, 2016 12:43
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata not logging drops
On 04/10/16 at 16:22, Michael J. Sheldon wrote:
> yaml file attached
Can you also be specific about _how_ you run suricata?
So NFQUEUE or AF_PACKET IPS mode?
Or paste the commandline you use to start suricata
>
>
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
>
> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Monday, October 3, 2016 23:52
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata not logging drops
>
> On 03-10-16 20:39, Michael J. Sheldon wrote:
> > I retested, with ALL logs disabled except the drop log. Still no logged drops.
> > Switched drop.log off, retried eve with only drop enabled, no logged drop.
> > Turned eve alert logging on, drop was logged as an alert, action "allowed"
> >
> > Another curiosity is the dns.log
> > If the query is not answered, it is not logged. (Not dropped by suricata, dropped by the dns server)
> > If I use eve for dns logging, it shows the query, dropped or not, no matter whether suricata dropped it, or the dns server dropped it.
> >
> > Note that at one point I had lua output enabled. If "dns" protocol was enabled, it also did not log dns requests that were not answered. If instead output was set to type="packet", it was always logged, regardless of drop or not, but DnsGetQueries() always returns nil, so I cannot see the dns query.
> >
> > All tests done with file-based logs, redis disabled.
>
> How are you running Suricata? What IPS mode are you using? Can you share
> the capture related part of your yaml (or the whole yaml)?
>
> Cheers,
> Victor
>
>
> > Michael Sheldon
> > Dev-DNS Services
> > GoDaddy.com
> >
> > ________________________________________
> > From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> > Sent: Saturday, October 1, 2016 05:47
> > To: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata not logging drops
> >
> > On 01-10-16 01:14, Michael J. Sheldon wrote:
> >> I'm going absolutely crazy on this one.
> >> Suricata version is 3.1.2
> >>
> >> We have suricata running in IPS mode, and it's working just fine.
> >>
> >> I have this rule:
> >> drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
> >>
> >> And it works, a query for that zone is dropped.
> >>
> >> However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed"
> >>
> >>   - eve-log:
> >>       enabled: yes
> >>       type: redis #file|syslog|unix_dgram|unix_stream
> >>       redis:
> >>         server: 127.0.0.1
> >>         port: 6379
> >>         mode: list ##list|channel
> >>         key: suricata ##key or channel
> >>       types:
> >>         - alert
> >>         - drop
> >>
> >> I have also tried it with:
> >>         - drop:
> >>             alerts: yes
> >>             flows: all
> >>
> >> Identical results when eve is logged to file instead of redis
> >>
> >> {"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
> >>
> >> If I turn alert logging off, I get nothing.
> >>
> >> Likewise, if I turn drop logging off in eve, and enable the regular drop log, I get nothing.
> >
> > Seems to work from here. I created:
> > drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com";
> > dns_query; content:"godaddy.com"; nocase; sid:4000000002;)
> >
> > Did a query, saw it time out. Part of the alert:
> >
> > "tx_id": 0,
> > "alert": {
> >   "action": "blocked",
> >   "gid": 1,
> >   "signature_id": 4000000002,
> >   "rev": 0,
> >   "signature": "DROP DNS query for godaddy.com",
> >   "category": "",
> >   "severity": 3
> > },
> >
> > Part of Drop log:
> >
> > "event_type": "drop",
> > "src_port": 41757,
> > "dest_port": 53,
> > "proto": "UDP",
> > "drop": {
> >   "len": 68,
> >   "tos": 0,
> >   "ttl": 64,
> >   "ipid": 58283,
> >   "udplen": 48
> > },
> > "tx_id": 0,
> > "alert": {
> >   "action": "blocked",
> >   "gid": 1,
> >   "signature_id": 4000000002,
> >   "rev": 0,
> >   "signature": "DROP DNS query for godaddy.com",
> >   "category": "",
> >   "severity": 3
> > },
> >
> >> What the heck am I missing?
> >
> > Do you have multiple instances of EVE, one to disk and one to redis
> > perhaps? Due to some internal limits only one drop log works currently.
> > It should lead to a warning at start up though.
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
--
Andreas Herz
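An added check, not part of the thread or of Suricata itself: a small Python audit over eve.json lines that flags alerts raised by drop rules whose action is not "blocked" (the symptom Michael reports), and blocked alerts that have no drop event on the same flow (what to expect when a second EVE drop output silently loses the drop log). The sample lines and the sid set are constructed from the fragments quoted above.

```python
import json

# Constructed sample EVE lines (not from a real sensor), modelled on the
# fragments quoted in the thread: the first alert reports the drop rule as
# "allowed" (the symptom), the second is a healthy alert/drop pair.
SAMPLE_EVE = """\
{"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
{"timestamp":"2016-10-01T05:40:00.000000+0000","flow_id":111,"event_type":"alert","src_ip":"10.0.0.5","src_port":41757,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
{"timestamp":"2016-10-01T05:40:00.000100+0000","flow_id":111,"event_type":"drop","src_ip":"10.0.0.5","src_port":41757,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","drop":{"len":68,"tos":0,"ttl":64,"ipid":58283,"udplen":48},"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
"""

# sids of the rules the thread declares with the "drop" action
DROP_SIDS = {3200017, 4000000002}


def audit_drop_rules(eve_text, drop_sids):
    """Check every alert raised by a drop rule: the alert's action must be
    "blocked" and a drop event must exist for the same flow and sid.
    Returns a list of (sid, flow_id, reason) findings; empty means healthy."""
    alerts, drops = [], set()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev.get("alert", {}).get("signature_id")
        if sid not in drop_sids:
            continue  # not a drop rule, nothing to verify
        if ev["event_type"] == "alert":
            alerts.append(ev)
        elif ev["event_type"] == "drop":
            drops.add((ev["flow_id"], sid))

    findings = []
    for ev in alerts:
        sid, action = ev["alert"]["signature_id"], ev["alert"]["action"]
        if action != "blocked":
            # the rule matched but the engine did not enforce the drop
            findings.append((sid, ev["flow_id"], "alert action is %r" % action))
        elif (ev["flow_id"], sid) not in drops:
            # enforced, but no drop event reached this log
            findings.append((sid, ev["flow_id"], "no drop event for blocked alert"))
    return findings


if __name__ == "__main__":
    for sid, flow_id, reason in audit_drop_rules(SAMPLE_EVE, DROP_SIDS):
        print("sid %d flow %d: %s" % (sid, flow_id, reason))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents and DROP_SIDS with the sids of your drop rules; any finding for a rule you believe is enforcing is worth a look at the IPS mode and the number of EVE outputs configured.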