[Oisf-users] Suricata Flow/Netflow Logged Protocols

Andreas Herz andi at geekosphere.org
Sat May 18 21:21:43 UTC 2019


Hi Eric,

that's quite interesting, could you be so nice and forge this into a
redmine issue (Bug) so it's easier to track?

Thanks

On 07/05/19 at 11:24, Eric Urban wrote:
> Hello Andreas,
> 
> I am able to reproduce this issue using pcap offline mode.  I used version
> 4.1.4 with the command "suricata -vv -c /etc/suricata/suricata.yaml --runmode autofp -k none --pidfile suricata.pid -l logging/ -r esp_capture_filtered.pcap".
> The result was that there were no flow or netflow entries created in eve.json, though both were enabled.
> There were 240 alerts triggered for ESP traffic using the rule:
> alert ip any any -> any any (msg:"IP Proto 50 (ESP)"; ip_proto:50; classtype:non-standard-protocol; sid:10010002; rev:1;)
> 
> I found a capture online from
> https://wiki.wireshark.org/SampleCaptures#IPsec_-_ESP_Payload_Decryption_and_Authentication_Checking_Examples
> that worked well for my test.  I modified ipsec_esp_capture_1.tgz to remove the
> ICMP and ICMPv6 traffic as those were creating flow/netflow log entries.  I
> am attaching this modified capture for your convenience.
> 
> Thank you,
> Eric
> 
> -- 
> Eric Urban
> University Information Security | Office of Information Technology |
> it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
> 
> 
> On Tue, Apr 30, 2019 at 4:00 PM Andreas Herz <andi at geekosphere.org> wrote:
> 
> > Hi Eric,
> >
> > can you reproduce this if you run suricata with -r foo.pcap as well?
> > Could you also share a pcap?
> > Might help to debug/narrow the issue down.
> >
> > On 24/04/19 at 13:43, Eric Urban wrote:
> > > I enabled flow and netflow in the eve log and am trying to log ESP traffic.
> > > However, I am only seeing protocols TCP, UDP, ICMP, IPv6, IPv6-ICMP, and
> > > SCTP.
> > >
> > > I ran a packet capture to confirm that there is ESP traffic hitting the
> > > interface.  In addition to that, I enabled a rule to capture all ESP
> > > traffic and this works as expected, meaning alerts are triggered for the
> > > traffic I expect to see.  I searched the eve log for the IPs captured in
> > > these alerts to see if perhaps the flow/netflow logging for ESP was falling
> > > under a different protocol since the alerts for this traffic have
> > > "proto":"IPv6-Crypt" (due to /etc/protocols having the value of 50 for both
> > > esp and IPv6-crypt).
> > >
> > > Nothing in the code that I can find in output-json-flow.c or
> > > output-json-netflow.c restricts the logging to only the protocols I
> > > mentioned above so am wondering if anyone has any suggestions or has had
> > > other protocols than the ones I listed above show up in flow/netflow events?
> > >
> > >
> > >
> > > --
> > > Eric Urban
> > > University Information Security | Office of Information Technology |
> > > it.umn.edu
> > > University of Minnesota | umn.edu
> > > eurban at umn.edu
> >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/support/
> > > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> >
> >
> > --
> > Andreas Herz



-- 
Andreas Herz
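To make the kind of check Eric describes repeatable (find protocols that show up in alerts but never in flow/netflow records), here is an added Python example; it is not code from the thread or from Suricata. The eve.json lines are constructed to mimic the reported symptom, and PROTO_NUMBERS is a hand-picked subset of /etc/protocols, not the full table.

```python
import json
import sys
from collections import defaultdict

# Constructed subset of /etc/protocols. Number 50 carries two names, which is
# why the ESP alerts in the thread are logged with "proto":"IPv6-Crypt".
PROTO_NUMBERS = {
    "tcp": 6, "udp": 17, "icmp": 1, "ipv6-icmp": 58, "sctp": 132,
    "esp": 50, "ipv6-crypt": 50,
}

def proto_key(name):
    """Normalise an eve 'proto' string to its IP protocol number, or keep the lower-cased name if unknown."""
    return PROTO_NUMBERS.get(name.lower(), name.lower())

def protos_by_event_type(lines):
    """Map event_type -> set of protocol keys seen in eve.json lines."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written last line is common on a live log
        proto = ev.get("proto")
        if proto is not None:
            seen[ev.get("event_type", "unknown")].add(proto_key(proto))
    return seen

def protos_alerted_but_not_flowed(lines):
    """Protocols with alerts but no flow/netflow record: the gap the thread reports for ESP (50)."""
    seen = protos_by_event_type(lines)
    flowed = seen["flow"] | seen["netflow"]
    return sorted(seen["alert"] - flowed, key=str)

# Constructed eve.json lines mimicking the thread's symptom (fields trimmed).
SAMPLE_EVE = [
    '{"event_type":"alert","proto":"IPv6-Crypt","src_ip":"192.0.2.10","alert":{"signature_id":10010002}}',
    '{"event_type":"alert","proto":"TCP","src_ip":"192.0.2.11"}',
    '{"event_type":"flow","proto":"TCP","src_ip":"192.0.2.11"}',
    '{"event_type":"netflow","proto":"UDP","src_ip":"192.0.2.12"}',
    '{"event_type":"alert","proto":"IPv6-Cr',  # truncated line, skipped
]

if __name__ == "__main__":
    lines = SAMPLE_EVE if len(sys.argv) < 2 else open(sys.argv[1]).read().splitlines()
    print("alerted but never flowed:", protos_alerted_but_not_flowed(lines))
```

Run it against a real eve.json path to see which protocol numbers your flow/netflow logging is silently missing; any number in the output (50 in the constructed sample) is a coverage gap worth raising in the bug report.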

