[Oisf-users] Suricata 4.1-beta1 and bpf filters

C. L. Martinez carlopmart at gmail.com
Tue Jun 19 07:46:19 UTC 2018


No, nothing. But in eve.json only logs like this appear:

{"timestamp":"2018-06-19T07:39:39.798652+0000","event_type":"stats","stats":{"uptime":490,"capture":{"kernel_packets":642751,"kernel_drops":0,"bypassed":6133213300033},"decoder":{"pkts":643025,"bytes":47651302,"invalid":0,"ipv4":643025,"ipv6":0,"ethernet":643025,"raw":0,"null":0,"sll":0,"tcp":643025,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":643025,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":74,"max_pkt_size":1058,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":288796,"udp":0,"icmpv4":0,"icmpv6":0,"spare":400000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":142475512},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":189559,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":329034,"synack":0,"rst":0,"midstream_pickups":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":18350080,"reassembly_memuse":2621440},"detect":{"engines":[{"id":0,"last_reload":"2018-06-19T07:31:42.602932+0000","rules_loaded":18078,"rules_failed":0}],"alert":0,"mpm_list":0,"nonmpm_list":1161,"fnonmpm_list":1158,"match_list":1158},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"dcerpc_udp":0,"dns_udp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":245579,"est_pruned":0,"bypassed_pruned":0,"flows_checked":1935,"flows_notimeout":1935,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":64018,"rows_empty":298,"rows_busy":0,"rows_maxlen":5},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}}

Only when Suricata stops do logs appear, with the flows reported as timed out, for example:

{"timestamp":"2018-06-19T07:39:39.796916+0000","flow_id":1970306366359069,"event_type":"flow","src_ip":"192.168.5.253","src_port":43376,"dest_ip":"10.2.31.208","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":156,"bytes_toclient":0,"start":"2018-06-19T07:38:56.378397+0000","end":"2018-06-19T07:38:56.378405+0000","age":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}

On Tue, Jun 19, 2018 at 9:08 AM, Peter Manev <petermanev at gmail.com> wrote:

>
>
> > On 19 Jun 2018, at 09:52, C. L. Martinez <carlopmart at gmail.com> wrote:
> >
> > Hi all,
> >
> > I have problems with Suricata 4.1-beta1 and bpf filters. As an example:
> >
> > (ip and (src host (192.168.5.1 or 192.168.5.30 or 192.168.5.31 or
> > 192.168.5.250 or 192.168.5.251 or 192.168.5.252 or 192.168.5.253 or
> > 192.168.5.250 or 192.168.5.251 or 192.168.5.252 or 192.168.5.253) and
> >         (tcp dst port (22 or 25 or 80 or 443 or 445 or 8009 or 8080 or
> > 8081 or 8082 or 8083 or 8084 or 8085 or 8086 or 8087 or 8088 or 8139 or
> > 9443))) and
> > not host ( 192.168.6.35 or 192.168.6.36))
> >
> > This filter works without problems in tcpdump, but suricata doesn't
> > process it ... Suricata command line is:
> >
> > suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
> > --pfring=eno2 -vvv -k none -F /etc/suricata/filter_policy.conf
>
>
> Any warnings/errs in the start command output ?
>
> >
> > Any idea?
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
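To check what the eve.json output is actually saying in a case like this, here is an added example (not from the thread and not from the Suricata project) that summarises EVE records and flags the patterns visible in the pasted output: every flow record closed with reason "shutdown", no packets to the client, SYNs without SYN/ACKs, and a capture.bypassed counter larger than kernel_packets. The sample lines are constructed to mirror the shape of the records pasted above; the flow_ids, ports and second and third flows are made up.

```python
"""Summarise Suricata eve.json and flag the symptoms described in the thread.

Added example; not from the original post or the Suricata project. Field
names follow the EVE JSON format, but SAMPLE_EVE below is constructed data.
"""
import json
from collections import Counter

# Constructed sample: one stats record shaped like the one in the thread and
# three flow records shaped like the "reason":"shutdown" record in the thread.
SAMPLE_EVE = r'''
{"timestamp":"2018-06-19T07:39:39.798652+0000","event_type":"stats","stats":{"uptime":490,"capture":{"kernel_packets":642751,"kernel_drops":0,"bypassed":6133213300033},"tcp":{"sessions":189559,"syn":329034,"synack":0},"app_layer":{"flow":{"http":0,"tls":0,"dns_tcp":0}}}}
{"timestamp":"2018-06-19T07:39:39.796916+0000","flow_id":1,"event_type":"flow","src_ip":"192.168.5.253","src_port":43376,"dest_ip":"10.2.31.208","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":156,"bytes_toclient":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","syn":true,"state":"syn_sent"}}
{"timestamp":"2018-06-19T07:39:39.796920+0000","flow_id":2,"event_type":"flow","src_ip":"192.168.5.30","src_port":50112,"dest_ip":"10.2.31.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":78,"bytes_toclient":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","syn":true,"state":"syn_sent"}}
{"timestamp":"2018-06-19T07:39:39.796925+0000","flow_id":3,"event_type":"flow","src_ip":"192.168.5.1","src_port":39201,"dest_ip":"10.2.31.208","dest_port":22,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":234,"bytes_toclient":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","syn":true,"state":"syn_sent"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise(events):
    """Count flow close reasons and TCP states, and list findings that
    explain why the output looks the way it does."""
    stats = [e["stats"] for e in events if e.get("event_type") == "stats"]
    flows = [e for e in events if e.get("event_type") == "flow"]
    reasons = Counter(f["flow"].get("reason") for f in flows)
    tcp_states = Counter(f.get("tcp", {}).get("state")
                         for f in flows if f.get("proto") == "TCP")
    one_way = sum(1 for f in flows if f["flow"].get("pkts_toclient", 0) == 0)

    findings = []
    if flows and reasons.get("shutdown") == len(flows):
        findings.append("every flow record was emitted with reason=shutdown: "
                        "no flows were logged while the engine was running")
    if flows and one_way == len(flows):
        findings.append("no flow has packets to the client: only one traffic "
                        "direction reaches Suricata (a 'src host ... and tcp "
                        "dst port ...' filter drops the server's replies)")
    for s in stats:
        cap = s.get("capture", {})
        if cap.get("bypassed", 0) > cap.get("kernel_packets", 0):
            findings.append("capture.bypassed (%d) exceeds kernel_packets (%d): "
                            "implausible counter value"
                            % (cap["bypassed"], cap["kernel_packets"]))
        tcp = s.get("tcp", {})
        if tcp.get("syn", 0) and tcp.get("synack", 0) == 0:
            findings.append("stats show %d SYNs and 0 SYN/ACKs: no handshake "
                            "ever completes from Suricata's point of view"
                            % tcp["syn"])
    return {"events": len(events), "flows": len(flows),
            "reasons": dict(reasons), "tcp_states": dict(tcp_states),
            "findings": findings}


def main():
    summary = summarise(parse_eve(SAMPLE_EVE))
    print("flow reasons:", summary["reasons"])
    print("tcp states:  ", summary["tcp_states"])
    for finding in summary["findings"]:
        print("-", finding)


if __name__ == "__main__":
    main()
```

Run it with python3 and it prints the four findings for the constructed sample; point `parse_eve` at a real eve.json to run the same checks on live output. The one-direction finding is a property of the filter rather than of Suricata: `src host A and tcp dst port B` matches only packets travelling from A to B, so the server's SYN/ACKs and response data never reach the engine, which is consistent with `synack: 0`, `state: syn_sent` and the all-zero `app_layer` counters in the stats pasted above. The symmetric form, `host (...) and tcp port (...)`, lets both directions through. Whether the direction issue is related to the `-F` problem reported in this thread is not something the thread shows.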

