[Oisf-users] Question about src_port and dest_port in eve log

"강지환" kangjh0101 at pizzlysoft.com
Fri Sep 6 06:15:29 UTC 2019


Hi, my name is Chi Hwan Kang. I am trying to build an IPS using Suricata. While testing detection, I have faced a very strange thing, which is that both src_port and dest_port are 0.

My test environment is:

* Suricata is installed on a CentOS machine. It is installed using the commands in suricata_installation.txt.

  [root at localhost ~]# uname -a
  Linux localhost.localdomain 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

  ethtool -k output is attached.
  suricata.yaml is attached.
  Suricata is started by "suricata -c suricata.yaml -S suricata.rules --af-packet".
  suricata.rules is attached.

* The packets are sent from another machine to the Suricata machine using tcpreplay. It is an IP fragmented UDP flow.

* The rules in suricata.rules are from stream-events.rules and decoder-events.rules.

As shown in detection_alert.json, all of the detection events are showing src_port:0 and dest_port:0.

Can you please help me find out the cause of this?

Thank you very much,
Chi Kang
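A triage helper for the symptom described in the post, added here as an example and not part of the original message or of Suricata itself: it walks eve.json alert records and reports, per signature, how many alerts carry src_port and dest_port both 0, so the reader can see whether the zero ports are tied to particular rules (for example decoder-event rules firing on individual fragments) rather than to every alert. The sample lines and signature names are constructed for the example.

```python
import json
from collections import Counter

# Constructed eve.json sample (not the post's detection_alert.json): two
# decoder-style alerts with zero ports, one payload alert with real ports,
# a non-alert record, and a truncated line such as a live tail can produce.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.1","src_port":0,"dest_ip":"10.0.0.2","dest_port":0,"proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED decoder event A"}}
{"event_type":"alert","src_ip":"10.0.0.1","src_port":0,"dest_ip":"10.0.0.2","dest_port":0,"proto":"UDP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED decoder event A"}}
{"event_type":"alert","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED udp payload rule"}}
{"event_type":"flow","src_ip":"10.0.0.1","src_port":40000,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP"}
{"event_type":"alert","src_ip":"10.0.0.1","src_po
"""


def zero_port_summary(eve_lines):
    """Map signature -> (alerts with both ports 0, total alerts) over eve lines."""
    zero, total = Counter(), Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial/truncated records rather than abort
        if rec.get("event_type") != "alert":
            continue
        sig = rec.get("alert", {}).get("signature", "<unknown>")
        total[sig] += 1
        if rec.get("src_port", 0) == 0 and rec.get("dest_port", 0) == 0:
            zero[sig] += 1
    return {sig: (zero[sig], total[sig]) for sig in total}


def always_zero(summary):
    """Signatures whose every alert has zero ports; a good place to start looking."""
    return sorted(sig for sig, (z, t) in summary.items() if z == t)


if __name__ == "__main__":
    summary = zero_port_summary(SAMPLE_EVE.splitlines())
    for sig, (z, t) in sorted(summary.items()):
        print(f"{z}/{t} zero-port alerts  {sig}")
    print("always zero:", always_zero(summary))
```

Run it against a real eve.json with `zero_port_summary(open("eve.json"))`; if only decoder-event or fragment-related signatures show up in `always_zero`, the zero ports belong to those packets rather than to the logging itself.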

