[Oisf-users] Suricata Flow/Netflow Logged Protocols

Eric Urban eurban at umn.edu
Wed Apr 24 18:43:06 UTC 2019


I enabled flow and netflow in the eve log and am trying to log ESP traffic.
However, I am only seeing protocols TCP, UDP, ICMP, IPv6, IPv6-ICMP, and
SCTP.

I ran a packet capture to confirm that there is ESP traffic hitting the
interface.  In addition to that, I enabled a rule to capture all ESP
traffic and this works as expected, meaning alerts are triggered for the
traffic I expect to see.  I searched the eve log for the IPs captured in
these alerts to see if perhaps the flow/netflow logging for ESP was falling
under a different protocol, since the alerts for this traffic have
"proto":"IPv6-Crypt" (due to /etc/protocols having the value of 50 for both
esp and IPv6-crypt).

Nothing in the code that I can find in output-json-flow.c or
output-json-netflow.c restricts the logging to only the protocols I
mentioned above, so I am wondering if anyone has any suggestions or has had
protocols other than the ones I listed above show up in flow/netflow events?



-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu
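The check described in the post, as an added example (not from the original message and not Suricata's own code): it takes an inventory of which "proto" strings reach flow and netflow events, resolves those strings back to protocol numbers through an /etc/protocols-style table, and then looks for flow/netflow records matching the host pairs of the ESP alerts by protocol number 50 rather than by name, so the esp / IPv6-Crypt naming collision cannot hide a match. The eve.json lines and the /etc/protocols excerpt are constructed for the demonstration; on a real sensor replace them with the contents of eve.json and /etc/protocols.

```python
"""Check which IP protocols reach Suricata flow/netflow events in eve.json,
and match ESP alerts to flow records by protocol number rather than name.

Added example, not Suricata code. The eve lines and the /etc/protocols
excerpt below are constructed for the demonstration.
"""
import json
from collections import defaultdict

# Constructed excerpt in /etc/protocols format (name, number, alias, comment).
# Number 50 appears twice, as 'esp'/'ESP' and 'ipv6-crypt'/'IPv6-Crypt'.
PROTOCOLS_TEXT = """\
ip          0    IP
icmp        1    ICMP
tcp         6    TCP
udp         17   UDP
ipv6        41   IPv6
esp         50   ESP          # Encap Security Payload
ipv6-crypt  50   IPv6-Crypt   # Encryption Header for IPv6
ipv6-icmp   58   IPv6-ICMP
sctp        132  SCTP
"""

# Constructed eve.json lines: two ESP alerts, one ESP flow record (reverse
# direction of its alert), and unrelated TCP/UDP flow and netflow records.
EVE_LINES = [
    '{"timestamp":"2019-04-24T10:00:01.000000-0500","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"IPv6-Crypt",'
    '"alert":{"signature_id":1000001,"signature":"LOCAL ESP traffic"}}',
    '{"timestamp":"2019-04-24T10:00:02.000000-0500","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"TCP",'
    '"src_port":40000,"dest_port":443,"flow":{"pkts_toserver":12,"pkts_toclient":10}}',
    '{"timestamp":"2019-04-24T10:00:03.000000-0500","event_type":"flow",'
    '"src_ip":"198.51.100.20","dest_ip":"192.0.2.10","proto":"IPv6-Crypt",'
    '"flow":{"pkts_toserver":40,"pkts_toclient":38}}',
    '{"timestamp":"2019-04-24T10:00:04.000000-0500","event_type":"netflow",'
    '"src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"UDP",'
    '"src_port":53,"dest_port":5353,"netflow":{"pkts":2,"bytes":300}}',
    '{"timestamp":"2019-04-24T10:00:05.000000-0500","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"IPv6-Crypt",'
    '"alert":{"signature_id":1000001,"signature":"LOCAL ESP traffic"}}',
]


def parse_protocols(text):
    """Return {number: [name, alias, ...]} keeping every entry in file order,
    so a collision such as 50 -> ESP and IPv6-Crypt stays visible."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table[int(fields[1])].extend([fields[0]] + fields[2:])
    return dict(table)


def name_to_number(table):
    """Reverse map of every name and alias (lower-cased) to its number."""
    return {n.lower(): num for num, names in table.items() for n in names}


def proto_number(event, rev):
    """Protocol number of an eve event, resolved from its 'proto' string."""
    return rev.get(str(event.get("proto", "")).lower())


def protocols_by_event_type(lines, rev):
    """For each event_type, the set of (proto string, number) pairs seen.
    This is the quick inventory of which protocols reach flow/netflow."""
    seen = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        seen[ev["event_type"]].add((ev.get("proto"), proto_number(ev, rev)))
    return dict(seen)


def flow_records_for_alert_pairs(lines, rev, proto=50):
    """For every host pair that raised an alert with protocol number `proto`,
    collect flow/netflow records for that pair and number in either direction.
    Matching on the number, not the name, sidesteps the ESP/IPv6-Crypt split."""
    events = [json.loads(line) for line in lines]
    pairs = {frozenset((e["src_ip"], e["dest_ip"])) for e in events
             if e["event_type"] == "alert" and proto_number(e, rev) == proto}
    result = {}
    for pair in pairs:
        result[tuple(sorted(pair))] = [
            e for e in events
            if e["event_type"] in ("flow", "netflow")
            and frozenset((e["src_ip"], e["dest_ip"])) == pair
            and proto_number(e, rev) == proto]
    return result


if __name__ == "__main__":
    rev = name_to_number(parse_protocols(PROTOCOLS_TEXT))
    for etype, protos in sorted(protocols_by_event_type(EVE_LINES, rev).items()):
        print(etype, sorted(protos, key=str))
    for pair, flows in sorted(flow_records_for_alert_pairs(EVE_LINES, rev).items()):
        print(pair, "flow/netflow records:", len(flows))
```

In the constructed data one ESP alert pair has a matching flow record (logged in the opposite direction, which is why the match is direction-agnostic) and the other has none at all, which is the symptom described in the post; an empty list for every alerted pair after running this over a real eve.json would confirm that no flow/netflow record is being emitted for protocol 50 under any name.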