[Oisf-users] Suricata Flow/Netflow Logged Protocols

Eric Urban eurban at umn.edu
Fri May 31 15:55:56 UTC 2019


Hello Andreas,

Sorry for the delay.  I finally submitted this today as
https://redmine.openinfosecfoundation.org/issues/3002.

Thank you,
Eric

On Sat, May 18, 2019 at 4:28 PM Andreas Herz <andi at geekosphere.org> wrote:

> Hi Eric,
>
> that's quite interesting, could you be so nice and forge this into a
> redmine issue (Bug) so it's easier to track?
>
> Thanks
>
> On 07/05/19 at 11:24, Eric Urban wrote:
> > Hello Andreas,
> >
> > I am able to reproduce this issue using pcap offline mode.  I used version
> > 4.1.4 with the command "suricata -vv -c /etc/suricata/suricata.yaml
> > --runmode autofp -k none --pidfile suricata.pid  -l logging/ -r
> > esp_capture_filtered.pcap".  The result was that there were no flow or
> > netflow entries created in eve.json, though both were enabled.  There were
> > 240 alerts triggered for ESP traffic using the rule:
> > alert ip any any -> any any (msg:"IP Proto 50 (ESP)"; ip_proto:50;
> > classtype:non-standard-protocol; sid:10010002; rev:1;)
> >
> > I found a capture online from
> > https://wiki.wireshark.org/SampleCaptures#IPsec_-_ESP_Payload_Decryption_and_Authentication_Checking_Examples
> > that worked well for my test.  I modified ipsec_esp_capture_1.tgz to remove
> > the ICMP and ICMPv6 traffic as those were creating flow/netflow log entries.
> > I am attaching this modified capture for your convenience.
> >
> > Thank you,
> > Eric
> >
> > --
> > Eric Urban
> > University Information Security | Office of Information Technology |
> > it.umn.edu
> > University of Minnesota | umn.edu
> > eurban at umn.edu
> >
> >
> > On Tue, Apr 30, 2019 at 4:00 PM Andreas Herz <andi at geekosphere.org> wrote:
> >
> > > Hi Eric,
> > >
> > > can you reproduce this if you run suricata with -r foo.pcap as well?
> > > Could you also share a pcap?
> > > Might help to debug/narrow the issue down.
> > >
> > > On 24/04/19 at 13:43, Eric Urban wrote:
> > > > I enabled flow and netflow in the eve log and am trying to log ESP
> > > > traffic.  However, I am only seeing protocols TCP, UDP, ICMP, IPv6,
> > > > IPv6-ICMP, and SCTP.
> > > >
> > > > I ran a packet capture to confirm that there is ESP traffic hitting the
> > > > interface.  In addition to that, I enabled a rule to capture all ESP
> > > > traffic and this works as expected, meaning alerts are triggered for the
> > > > traffic I expect to see.  I searched the eve log for the IPs captured in
> > > > these alerts to see if perhaps the flow/netflow logging for ESP was
> > > > falling under a different protocol, since the alerts for this traffic
> > > > have "proto":"IPv6-Crypt" (due to /etc/protocols having the value of 50
> > > > for both esp and IPv6-crypt).
> > > >
> > > > Nothing in the code that I can find in output-json-flow.c or
> > > > output-json-netflow.c restricts the logging to only the protocols I
> > > > mentioned above, so I am wondering if anyone has any suggestions or has
> > > > had other protocols than the ones I listed above show up in flow/netflow
> > > > events?
> > > >
> > > >
> > > >
> > > > --
> > > > Eric Urban
> > > > University Information Security | Office of Information Technology |
> > > > it.umn.edu
> > > > University of Minnesota | umn.edu
> > > > eurban at umn.edu
> > > >
> > > > _______________________________________________
> > > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > >
> > > > Conference: https://suricon.net
> > > > Trainings: https://suricata-ids.org/training/
> > >
> > >
> > > --
> > > Andreas Herz
>
>
>
> --
> Andreas Herz
>
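The check Eric describes above (searching eve.json for the protocols that produced alerts and seeing whether any flow or netflow record exists for them) as an added Python example; this is not code from the thread or from Suricata. The eve.json lines are constructed, and folding "esp" and "IPv6-Crypt" into one name is an assumption based on both appearing for protocol 50 in /etc/protocols.

```python
import json
from collections import defaultdict

# Constructed sample of eve.json lines (not from the capture in the thread):
# ESP alerts plus flow/netflow records for TCP and UDP only, and one junk line.
SAMPLE_EVE = """\
{"timestamp":"2019-05-07T11:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"IPv6-Crypt","alert":{"signature_id":10010002,"signature":"IP Proto 50 (ESP)"}}
{"timestamp":"2019-05-07T11:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.3","dest_ip":"10.0.0.4","proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"timestamp":"2019-05-07T11:00:03.000000+0000","event_type":"netflow","src_ip":"10.0.0.5","dest_ip":"10.0.0.6","proto":"UDP","netflow":{"pkts":4}}
{"timestamp":"2019-05-07T11:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"IPv6-Crypt","alert":{"signature_id":10010002,"signature":"IP Proto 50 (ESP)"}}
{"timestamp":"2019-05-07T11:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.3","dest_ip":"10.0.0.4","proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1}}
not json at all
"""

# Assumption: /etc/protocols lists both "esp" and "IPv6-Crypt" for number 50,
# so the printed name can differ between hosts; fold them into one label.
PROTO_ALIASES = {"esp": "IPv6-Crypt"}


def protocols_by_event_type(lines):
    """Map event_type -> set of normalised proto names seen in eve.json lines."""
    seen = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or partial lines (common at a live file's tail)
        proto = ev.get("proto")
        if proto is None:
            continue
        seen[ev.get("event_type", "unknown")].add(PROTO_ALIASES.get(proto.lower(), proto))
    return seen


def alerted_but_not_flow_logged(lines):
    """Protocols that produced alerts but have neither flow nor netflow records."""
    seen = protocols_by_event_type(lines)
    logged = seen["flow"] | seen["netflow"]
    return sorted(seen["alert"] - logged)


if __name__ == "__main__":
    # With a real deployment, pass open("eve.json") instead of the sample lines.
    print("alerted but never flow/netflow logged:",
          alerted_but_not_flow_logged(SAMPLE_EVE.splitlines()))
```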