[Oisf-users] Suricata Flow/Netflow Logged Protocols

Eric Urban eurban at umn.edu
Tue May 7 16:24:51 UTC 2019


Hello Andreas,

I am able to reproduce this issue using pcap offline mode.  I used version
4.1.4 with the command:

suricata -vv -c /etc/suricata/suricata.yaml --runmode autofp -k none --pidfile suricata.pid -l logging/ -r esp_capture_filtered.pcap

The result was that there were no flow or netflow entries created in
eve.json, though both were enabled.  There were 240 alerts triggered for
ESP traffic using the rule:

alert ip any any -> any any (msg:"IP Proto 50 (ESP)"; ip_proto:50; classtype:non-standard-protocol; sid:10010002; rev:1;)

I found a capture online from
https://wiki.wireshark.org/SampleCaptures#IPsec_-_ESP_Payload_Decryption_and_Authentication_Checking_Examples
that worked well for my test.  I modified ipsec_esp_capture_1.tgz to remove
the ICMP and ICMPv6 traffic as those were creating flow/netflow log entries.
I am attaching this modified capture for your convenience.

Thank you,
Eric

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu


On Tue, Apr 30, 2019 at 4:00 PM Andreas Herz <andi at geekosphere.org> wrote:

> Hi Eric,
>
> can you reproduce this if you run suricata with -r foo.pcap as well?
> Could you also share a pcap?
> Might help to debug/narrow the issue down.
>
> On 24/04/19 at 13:43, Eric Urban wrote:
> > I enabled flow and netflow in the eve log and am trying to log ESP traffic.
> > However, I am only seeing protocols TCP, UDP, ICMP, IPv6, IPv6-ICMP, and SCTP.
> >
> > I ran a packet capture to confirm that there is ESP traffic hitting the
> > interface.  In addition to that, I enabled a rule to capture all ESP
> > traffic and this works as expected, meaning alerts are triggered for the
> > traffic I expect to see.  I searched the eve log for the IPs captured in
> > these alerts to see if perhaps the flow/netflow logging for ESP was falling
> > under a different protocol, since the alerts for this traffic have
> > "proto":"IPv6-Crypt" (due to /etc/protocols having the value of 50 for both
> > esp and IPv6-crypt).
> >
> > Nothing in the code that I can find in output-json-flow.c or
> > output-json-netflow.c restricts the logging to only the protocols I
> > mentioned above, so I am wondering if anyone has any suggestions or has had
> > other protocols than the ones I listed above show up in flow/netflow events?
> >
> > --
> > Eric Urban
> > University Information Security | Office of Information Technology |
> > it.umn.edu
> > University of Minnesota | umn.edu
> > eurban at umn.edu
>
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
>
> --
> Andreas Herz
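A coverage check for the gap described in this thread, added here as an example (it is not code from the thread or from Suricata): it reads eve.json lines, folds the /etc/protocols aliases for protocol 50 into one label so "IPv6-Crypt" and "esp" are counted together, and reports protocols that appear in alert events but never in flow or netflow events, with the alerting IP pairs. The sample lines and the alias table are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines, not taken from the thread's attachment.
# The ESP alert carries proto "IPv6-Crypt" because /etc/protocols maps number 50
# to both "esp" and "IPv6-Crypt"; no flow/netflow record exists for that traffic.
SAMPLE_EVE = """\
{"timestamp":"2019-05-07T10:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","proto":"IPv6-Crypt","alert":{"signature_id":10010002,"signature":"IP Proto 50 (ESP)"}}
{"timestamp":"2019-05-07T10:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.3","dest_ip":"192.0.2.4","proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"timestamp":"2019-05-07T10:00:02.000000+0000","event_type":"netflow","src_ip":"192.0.2.5","dest_ip":"192.0.2.6","proto":"UDP","netflow":{"pkts":1}}
{"timestamp":"2019-05-07T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.3","dest_ip":"192.0.2.4","proto":"TCP","alert":{"signature_id":1,"signature":"test"}}
"""

# Assumed alias table: names /etc/protocols may emit for the same IP protocol
# number, folded to one label so ESP is not miscounted as a separate protocol.
PROTO_ALIASES = {"ipv6-crypt": "ESP", "esp": "ESP", "ipv6-icmp": "IPv6-ICMP"}

def canonical_proto(name):
    return PROTO_ALIASES.get(name.lower(), name.upper())

def flow_coverage(lines):
    """Return protocols seen in alerts vs. flow/netflow records, and for each
    protocol alerts saw but flow/netflow never logged, the alerting IP pairs."""
    protos = defaultdict(set)       # event_type -> protocol labels
    alert_pairs = defaultdict(set)  # protocol label -> {(src_ip, dest_ip)}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                # skip a blank, truncated or partial line
        proto = ev.get("proto")
        if not proto:
            continue
        label = canonical_proto(proto)
        protos[ev.get("event_type")].add(label)
        if ev.get("event_type") == "alert":
            alert_pairs[label].add((ev.get("src_ip"), ev.get("dest_ip")))
    logged = protos["flow"] | protos["netflow"]
    return {
        "alert_protos": protos["alert"],
        "flow_protos": logged,
        "missing": {p: alert_pairs[p] for p in protos["alert"] - logged},
    }

if __name__ == "__main__":
    for proto, pairs in flow_coverage(SAMPLE_EVE.splitlines())["missing"].items():
        print(f"{proto}: alerts seen but no flow/netflow record for {sorted(pairs)}")
```

Run it against a real eve.json with `flow_coverage(open("eve.json"))` to see which alerting protocols the flow/netflow loggers are silently dropping.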
-------------- next part --------------
A non-text attachment was scrubbed...
Name: esp_capture_filtered.pcap
Type: application/octet-stream
Size: 48144 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190507/023f054a/attachment-0001.obj>