[Oisf-users] Suricata not logging drops

Victor Julien lists at inliniac.net
Wed Oct 12 09:01:24 UTC 2016


On 11-10-16 21:55, Michael J. Sheldon wrote:
> --simulate-ips works, any issues with running it that way?

I don't see any now, but this option is not meant to be used like this,
so its behaviour may change in the future.

Cheers,
Victor


> 
> Michael Sheldon
> Dev-DNS Services
> GoDaddy.com
> 
> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Tuesday, October 11, 2016 10:42
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata not logging drops
> 
> On 10-10-16 18:52, Michael J. Sheldon wrote:
>> Sorry, missed that. Running in mpipe mode
>>
>> exec hugectl --heap /usr/local/bin/suricata --mpipe
> 
> So it looks like the Tilera/mpipe code never tells the engine it's in
> IPS mode. Can you try adding --simulate-ips to your start up line? It
> triggers the required 'EngineModeSetIPS()' call.
> 
> A general warning on Tilera use: we're not testing Tilera support at all
> and AFAIK neither is Tilera after their acquisition.
> 
> Cheers,
> Victor
> 
>>
>> Michael Sheldon
>> Dev-DNS Services
>> GoDaddy.com
>>
>> ________________________________________
>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Andreas Herz <andi at geekosphere.org>
>> Sent: Sunday, October 9, 2016 12:43
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata not logging drops
>>
>> On 04/10/16 at 16:22, Michael J. Sheldon wrote:
>>> yaml file attached
>>
>> Can you also be specific about _how_ you run suricata?
>> So NFQUEUE or AF_PACKET IPS mode?
>> Or paste the commandline you use to start suricata
>>
>>>
>>>
>>> Michael Sheldon
>>> Dev-DNS Services
>>> GoDaddy.com
>>>
>>> ________________________________________
>>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
>>> Sent: Monday, October 3, 2016 23:52
>>> To: oisf-users at lists.openinfosecfoundation.org
>>> Subject: Re: [Oisf-users] Suricata not logging drops
>>>
>>> On 03-10-16 20:39, Michael J. Sheldon wrote:
>>>> I retested, with ALL logs disabled except the drop log. Still no logged drops.
>>>> Switched drop.log off, retried eve with only drop enabled, no logged drop.
>>>> Turned eve alert logging on, drop was logged as an alert, action "allowed"
>>>>
>>>> Another curiosity is the dns.log
>>>> If the query is not answered, it is not logged. (Not dropped by suricata, dropped by the dns server)
>>>> If I use eve for dns logging, it shows the query, dropped or not, no matter whether suricata dropped it, or the dns server dropped it.
>>>>
>>>> Note that at one point I had lua output enabled. If "dns" protocol was enabled, it also did not log dns requests that were not answered. If instead output was set to type="packet", it was always logged, regardless of drop or not, but DnsGetQueries() always returns nil, so I cannot see the dns query.
>>>>
>>>> All tests done with file-based logs, redis disabled.
>>>
>>> How are you running Suricata? What IPS mode are you using? Can you share
>>> the capture related part of your yaml (or the whole yaml)?
>>>
>>> Cheers,
>>> Victor
>>>
>>>
>>>> Michael Sheldon
>>>> Dev-DNS Services
>>>> GoDaddy.com
>>>>
>>>> ________________________________________
>>>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
>>>> Sent: Saturday, October 1, 2016 05:47
>>>> To: oisf-users at lists.openinfosecfoundation.org
>>>> Subject: Re: [Oisf-users] Suricata not logging drops
>>>>
>>>> On 01-10-16 01:14, Michael J. Sheldon wrote:
>>>>> I'm going absolutely crazy on this one.
>>>>> Suricata version is 3.1.2
>>>>>
>>>>> We have suricata running in IPS mode, and it's working just fine.
>>>>>
>>>>> I have this rule:
>>>>> drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
>>>>>
>>>>> And it works, a query for that zone is dropped.
>>>>>
>>>>> However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed"
>>>>>
>>>>>   - eve-log:
>>>>>       enabled: yes
>>>>>       type: redis #file|syslog|unix_dgram|unix_stream
>>>>>       redis:
>>>>>           server: 127.0.0.1
>>>>>           port: 6379
>>>>>           mode: list ##list|channel
>>>>>           key: suricata ##key or channel
>>>>>       types:
>>>>>         - alert
>>>>>         - drop
>>>>>
>>>>> I have also tried it with:
>>>>>         - drop:
>>>>>             alerts: yes
>>>>>             flows: all
>>>>>
>>>>> Identical results when eve is logged to file instead of redis
>>>>>
>>>>> {"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
>>>>>
>>>>> If I turn alert logging off, I get nothing.
>>>>>
>>>>> Likewise, if I turn drop logging off in eve, and enable the regular drop log, I get nothing.
>>>>
>>>> Seems to work from here. I created:
>>>> drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com";
>>>> dns_query; content:"godaddy.com"; nocase; sid:4000000002;)
>>>>
>>>> Did a query, saw it time out. Part of the alert:
>>>>
>>>>     "tx_id": 0,
>>>>     "alert": {
>>>>       "action": "blocked",
>>>>       "gid": 1,
>>>>       "signature_id": 4000000002,
>>>>       "rev": 0,
>>>>       "signature": "DROP DNS query for godaddy.com",
>>>>       "category": "",
>>>>       "severity": 3
>>>>     },
>>>>
>>>> Part of Drop log:
>>>>
>>>>     "event_type": "drop",
>>>>     "src_port": 41757,
>>>>     "dest_port": 53,
>>>>     "proto": "UDP",
>>>>     "drop": {
>>>>       "len": 68,
>>>>       "tos": 0,
>>>>       "ttl": 64,
>>>>       "ipid": 58283,
>>>>       "udplen": 48
>>>>     },
>>>>     "tx_id": 0,
>>>>     "alert": {
>>>>       "action": "blocked",
>>>>       "gid": 1,
>>>>       "signature_id": 4000000002,
>>>>       "rev": 0,
>>>>       "signature": "DROP DNS query for godaddy.com",
>>>>       "category": "",
>>>>       "severity": 3
>>>>     },
>>>>
>>>>> What the heck am I missing?
>>>>
>>>> Do you have multiple instances of EVE, one to disk and one to redis
>>>> perhaps? Due to some internal limits only one drop log works currently.
>>>> It should lead to a warning at start up though.
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>> --
>> Andreas Herz
>>
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
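A quick check for the symptom discussed in this thread, added here as an example and not code from the thread or from the Suricata project: it collects the sids of `drop` rules from a rules file and then scans EVE JSON for those sids being logged with action "allowed" while no `drop` event appears, which is what you see when the engine never entered IPS mode. The rule text is assembled from the two rules quoted above; the first EVE line is the one Michael posted, the other two are constructed to look like the "blocked" alert and "drop" event Victor posted.

```python
import json
import re
from collections import Counter

# Rules assembled from the two quoted in the thread (both 'drop'), plus a
# constructed 'alert' rule to show that only drop rules are audited.
SAMPLE_RULES = """\
drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)
drop dns any any -> any 53 (msg:"DROP DNS query for godaddy.com"; dns_query; content:"godaddy.com"; nocase; sid:4000000002;)
alert dns any any -> any 53 (msg:"Just watch"; dns_query; content:"example.org"; nocase; sid:3200018;)
"""

# Line 1 is the real "allowed" alert from the thread; lines 2 and 3 are constructed.
SAMPLE_EVE = """\
{"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}
{"timestamp":"2016-10-01T05:40:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.102","src_port":41757,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
{"timestamp":"2016-10-01T05:40:00.000000+0000","flow_id":1,"event_type":"drop","src_ip":"10.0.0.102","src_port":41757,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","drop":{"len":68,"tos":0,"ttl":64,"ipid":58283,"udplen":48},"alert":{"action":"blocked","gid":1,"signature_id":4000000002,"rev":0,"signature":"DROP DNS query for godaddy.com","category":"","severity":3}}
"""

# Action keyword at the start of the rule, sid option anywhere after it.
RULE_RE = re.compile(r"^\s*(?P<action>alert|drop|reject|pass)\s.*\bsid\s*:\s*(?P<sid>\d+)\s*;", re.I)

def drop_sids_from_rules(rule_text):
    """Return the set of sids whose rule action is 'drop'."""
    sids = set()
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action").lower() == "drop":
            sids.add(int(m.group("sid")))
    return sids

def audit_eve(eve_text, drop_sids):
    """Count alert actions per sid and flag drop rules that were logged 'allowed'.
    A drop rule firing as 'allowed' means the packet was not actually dropped."""
    actions = Counter()
    not_enforced = set()
    drop_events = 0
    for raw in eve_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        alert = ev.get("alert") or {}
        sid = alert.get("signature_id")
        if ev.get("event_type") == "alert" and sid is not None:
            act = alert.get("action")
            actions[f"{sid}:{act}"] += 1
            if sid in drop_sids and act == "allowed":
                not_enforced.add(sid)
        elif ev.get("event_type") == "drop":
            drop_events += 1
    return {"actions": dict(actions), "drop_events": drop_events,
            "not_enforced": sorted(not_enforced)}
```

Run it against your own rules file and eve.json; a non-empty `not_enforced` list with zero `drop` events is the signature of an IPS that is silently running in IDS mode.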



