Suricata: Not logging alerts in Tab alerts

[ruggerio]

Hi,
Since i updated to the beta, i do not see any entry in the alert-tab of suricata. Is it just logging drops/alerts there? before, everything has been logging (allowed)

[ruggerio]

OK, i switched back to 18.7.7, downloaded the rules and alerts came back. Switched again to Beta, downloaded the rules and no further alerts were seen in the log.

[franco]

Hi,

18.7.7-devel is using Suricata 4.1.0, not 4.0.6 -- we'll look into it before moving to 4.1 for the release.


Cheers,
Franco

[ruggerio]

ok - what i can say so far is, that  since changing to 19.1 beta, eve.json and rules.json aren't filled anymore. The last entry is from my 18.7.7. stable environement.

[GDixon]

Geesh, I'm glad I found this.

I'm currently on

Code Select Expand


OPNsense 19.1.b_306-amd64
FreeBSD 11.2-RELEASE-p4-HBSD
OpenSSL 1.0.2q 20 Nov 2018


I thought it was just me and have been reconfiguring and playing around trying to see why I had no alerts :)
Seems I will be waiting for the next major updates.

[ruggerio]

i had to reset my opnsense and my backups crashed. Therefore, i had to reinstall my machine.

I updated immediately to 19.1b... and it worked! I hat logentries from suricata. It seems, that the "fresh" install solved the problem.

If the problem comes back, i'll inform.

[ruggerio]

As of the last update, again no more entries in the alarmlist of suricata.

[franco]

Err, are you using /var MFS option? In that case reboot == no more logs.


Cheers,
Franco

[ruggerio]

Hi Franco,

Nope, system/verschiedenes/Disk für /Var is not marked

[ruggerio]

btw. i installed today an extension for squid, since today i get logs again (no reboot).

[ruggerio]

Might be, that the cron-job for reloading the rules causes the problem?

Dec 30 00:03:05    suricata[11057]: [100111] <Notice> -- rule reload complete
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016113 and 32 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2014750 and 5 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018103 and 6 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11 other sigs
Dec 30 00:02:05    suricata[11057]: [100111] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs


Since Dec,30, i have no more logs until today.

[franco]

Maybe it's just log rotation?

# ls -lah /var/log/suricata/

"Save logs" is set to 4 by default. But maybe it only ever reads the first in the GUI so when rotation kicks in the eve.json is cleared?


Cheers,
Franco

[ruggerio]

strangerwise, the logs rotate in 7-days-intervals. But according to the size of the latests files, eve.json gets cleared.