Suricata Drop Log

Started by nines, February 22, 2018, 09:48:36 PM

I'm currently working on implementing an ELK stack as a centralized logging solution. Unfortunately, not all drop messages are being sent to logstash.
I tried to search for the drop messages in /var/log/suricata.log and in /var/log/syslog, but there are only the rules I can already see in logstash ...
The reason I know there are more is that the GUI shows a bunch more drops in the same time period. How can this be possible? Where can I find them, and what (obviously different) format is used to send them to a syslog server?

Thanks for clarification
André

I can describe the behaviour a bit more concretely. All IPS drops/alerts are in /var/log/suricata/eve.json as expected; however, this is neither the log nor the content being passed to syslog.
The logs being passed to syslog obviously are /var/log/suricata.log and /var/log/syslog (I'm not quite sure if both).

Can someone confirm this and explain the reason, please?

Incidentally, there is a working syslog + drop log for 18.1.3's development version, but this won't merge until 18.1.4. Syslog was a bit on the weak side due to all the eve log handling.


Cheers,
Franco

Thank you so much for clarifying this for me. I'm running a VM and could easily test the dev version.
Is it possible (and how) to safely switch to dev and back if needed?

Yep, it's possible to move to the dev version from the GUI under System: Firmware: Settings and a save + update. The code will be included there once 18.1.3 is out.

But it's the development version after all. Proceed with the correct expectations...

If you want to try it, go to the Log File and clear it once. Worst case it also requires a service restart.


Cheers,
Franco

Surprisingly (at least for me), 18.1.3 was released today. I can't find any changes regarding syslog and IPS in the changelog, so I assume it's not fixed as of now?

What I said was:

1. Update to 18.1.3.
2. Go to System: Firmware: Settings and select "Development". Hit save and update.
3. Go to Services: Intrusion Detection: Log File. Clear the log file.
4. Go to Services: Intrusion Detection: Administration. Enable Syslog if not enabled, hit save.
5. Drops should now be logged in the syslog file.


Cheers,
Franco

I did exactly what you described, but that unfortunately didn't resolve the issue. The behaviour is exactly the same: the events from the GUI alert tab are 1:1 like the eve.json file, but syslog and suricata.log are missing many entries.

Drops were not shown in syslog previously. Can you clarify "missing many entries" please?


Cheers,
Franco

Of course - see the timestamps in comparison.

eve.json

{"timestamp":"2018-03-06T12:07:40.571052+0100","flow_id":28971542295690,"in_iface":"vmx0","event_type":"drop","src_ip":"192.168.254.250","src_port":57828,"dest_ip":"13.107.4.50","dest_port":80,"proto":"TCP","drop":{"len":305,"tos":2,"ttl":127,"ipid":20877,"tcpseq":1321765378,"tcpack":3104282439,"tcpwin":8212,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-06T12:07:40.841859+0100","flow_id":786608068284868,"in_iface":"vmx1+","event_type":"drop","src_ip":"192.168.200.253","src_port":45951,"dest_ip":"13.107.4.50","dest_port":80,"proto":"TCP","drop":{"len":383,"tos":0,"ttl":64,"ipid":0,"tcpseq":3535207936,"tcpack":641069320,"tcpwin":517,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-06T12:07:41.274817+0100","flow_id":28971542295690,"in_iface":"vmx0","event_type":"drop","src_ip":"192.168.254.250","src_port":57828,"dest_ip":"13.107.4.50","dest_port":80,"proto":"TCP","drop":{"len":356,"tos":2,"ttl":127,"ipid":20879,"tcpseq":1321765643,"tcpack":3104283110,"tcpwin":8209,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-06T12:07:41.295349+0100","flow_id":786608068284868,"in_iface":"vmx1+","event_type":"drop","src_ip":"192.168.200.253","src_port":45951,"dest_ip":"13.107.4.50","dest_port":80,"proto":"TCP","drop":{"len":434,"tos":0,"ttl":64,"ipid":0,"tcpseq":3535208267,"tcpack":641069863,"tcpwin":517,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-03-06T12:18:42.785185+0100","flow_id":2400770460837,"in_iface":"vmx0+","event_type":"alert","src_ip":"87.78.182.200","src_port":80,"dest_ip":"192.168.254.6","dest_port":44013,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3},"http":{"length":1448},"app_proto":"http"}


suricata.log

Mar  6 12:01:06 OPNsense suricata[2522]: [100327] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
Mar  6 12:18:42 OPNsense suricata[2522]: [1:2260002:1] SURICATA Applayer Detect protocol only one direction [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 87.78.182.200:80 -> 192.168.254.6:44013


Did you clear the log file? I'm seeing:

Mar 6 13:40:35   suricata[95097]: [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 23.57.24.16:443 -> 192.168.178.20:37470
Mar 6 13:40:02   suricata[95097]: [1:2210007:2] SURICATA STREAM 3way handshake SYNACK with wrong ack [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 17.252.27.246:443 -> 192.168.178.20:3538


Cheers,
Franco

Yes I did. Why do you have doubts?
To be honest, I cleared it multiple times but tested the behavior some hours ago.


Sent from iPhone using Tapatalk

I'm not seeing your install. I keep asking because that's the only way to make sure. :)

March 06, 2018, 03:17:04 PM #13 Last Edit: March 06, 2018, 03:31:11 PM by nines
Sorry, wasn't meant to be harsh.
What do you mean by "your install" exactly?

//edit: the GUI tells me
Versions OPNsense 18.7.a_146-amd64
FreeBSD 11.1-RELEASE-p6
LibreSSL 2.6.4

but uname -a says
FreeBSD OPNsense.unimatrix01.local 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6  6621d681e(stable/18.1)  amd64

is that something to worry about?


Again, appreciating your help!


Sent from iPhone using Tapatalk

Looks good from the version perspective. Do you see any drops in the syslog now? If yes I'm unsure what to check for next.


Cheers,
Franco