[Oisf-users] Suricata Flow/Netflow Logged Protocols

Andreas Herz andi at geekosphere.org
Tue Apr 30 20:59:49 UTC 2019

Hi Eric,

can you reproduce this if you run suricata with -r foo.pcap as well?
Could you also share a pcap?
Might help to debug/narrow the issue down.

On 24/04/19 at 13:43, Eric Urban wrote:
> I enabled flow and netflow in the eve log and am trying to log ESP traffic.
> However, I am only seeing protocols TCP, UDP, ICMP, IPv6, IPv6-ICMP, and
> I ran a packet capture to confirm that there is ESP traffic hitting the
> interface.  In addition to that, I enabled a rule to capture all ESP
> traffic and this works as expected, meaning alerts are triggered for the
> traffic I expect to see.  I searched the eve log for the IPs captured in
> these alerts to see if perhaps the flow/netflow logging for ESP was falling
> under a different protocol since the alerts for this traffic has
> "proto":"IPv6-Crypt" (due to /etc/protocols have the value of 50 for both
> esp and IPv6-crypt).
> Nothing in the code that I can find in output-json-flow.c or
> output-json-netflow.c restricts the logging to only the protocols I
> mentioned above so am wondering if anyone has any suggestions or has had
> other protocols than the ones I listed above show up in flow/netflow events?
> -- 
> Eric Urban
> University Information Security | Office of Information Technology |
> it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

Andreas Herz

More information about the Oisf-users mailing list