OPNsense
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Suricata Drop Log

Author Topic: Suricata Drop Log  (Read 16035 times)

nines

  • Newbie
  • Posts: 46
  • Karma: 1
Re: Suricata Drop Log
« Reply #15 on: March 07, 2018, 05:41:42 pm »
Yes, I have drops in syslog, but I have to point out that I already had drops before the update. I can't tell for sure if there are more or fewer drops as of the version I'm running now, but what I can tell for sure is that the content of eve.json and suricata.log is definitely not the same (in terms of the blocked rules being logged).

This is an example from eve.json not showing up in suricata.log (one of many):

{"timestamp":"2018-03-07T12:07:48.969919+0100","flow_id":610197949434437,"in_iface":"vmx0","event_type":"drop","src_ip":"192.168.254.250","src_port":49354,"dest_ip":"8.249.59.254","dest_port":80,"proto":"TCP","drop":{"len":287,"tos":2,"ttl":127,"ipid":17292,"tcpseq":1736993020,"tcpack":1537099686,"tcpwin":8212,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}

I have no idea why some logs are being sent to syslog and others are not. My personal feeling is that all the rules which are finally allowed but logged are visible in suricata.log, but many of the actual drop rules are not.

Do you need additional information/output/files/tests? I surely can provide it, but I'm unsure what exactly would help.

The reason this is important for me is that I'm trying to send the IPS drop log to a central logstash instance for visualization and aggregation, and as you can imagine that only makes sense if the logs being sent are complete :)

Thanks so far!
André
Logged
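
A way to check the completeness worry raised in the post above, as an added example that is not code from this thread or from OPNsense: parse eve.json, keep only event_type "drop" records whose alert.action is "blocked", and diff them against the drop lines that reached syslog. The first eve sample line is the event quoted in the post; the other eve lines and the syslog lines are constructed, and the syslog line layout (Suricata fast-log style with a [gid:sid:rev] token and a {PROTO} src:port -> dst:port tail) is my assumption about what the forwarder emits, so adjust the two regexes to the real format. One detail worth knowing when reading the quoted event: the "(noalert)" suffix in the signature name is the Emerging Threats convention for rules that carry flowbits:noalert, which suppresses alert output, so a logger keyed on alert records will never show such a block; the check below therefore keys on the drop record and ignores alert records entirely.

```python
"""Diff Suricata eve.json drop events against the drops that reached syslog.

Added example, not code from the forum thread or from OPNsense.
Assumptions: eve.json carries standard Suricata EVE "drop" records; the
syslog side carries fast-log style lines (layout constructed here, only the
"[gid:sid:rev]" and "{PROTO} src:port -> dst:port" tokens are relied on).
"""
import json
import re
from collections import Counter

# Constructed eve.json sample. Line 1 is the event quoted in the post; the
# second is an invented drop that did reach syslog; the third is an invented
# plain alert (allowed traffic) that must be ignored by the check.
EVE_LINES = [
    '{"timestamp":"2018-03-07T12:07:48.969919+0100","flow_id":610197949434437,'
    '"in_iface":"vmx0","event_type":"drop","src_ip":"192.168.254.250",'
    '"src_port":49354,"dest_ip":"8.249.59.254","dest_port":80,"proto":"TCP",'
    '"drop":{"len":287,"tos":2,"ttl":127,"ipid":17292,"tcpseq":1736993020,'
    '"tcpack":1537099686,"tcpwin":8212,"syn":false,"ack":true,"psh":true,'
    '"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},'
    '"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,'
    '"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2018-03-07T12:08:01.123456+0100","event_type":"drop",'
    '"src_ip":"198.51.100.7","src_port":80,"dest_ip":"192.168.254.250",'
    '"dest_port":49360,"proto":"TCP","alert":{"action":"blocked","gid":1,'
    '"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2018-03-07T12:08:05.000000+0100","event_type":"alert",'
    '"src_ip":"192.168.254.250","src_port":49361,"dest_ip":"198.51.100.7",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2000419,"rev":18,"signature":"ET POLICY PE EXE or DLL Windows file download",'
    '"category":"Potential Corporate Privacy Violation","severity":1}}',
]

# Constructed syslog sample (assumed fast-log layout): only the second drop
# above was forwarded, the quoted one never made it.
SYSLOG_LINES = [
    "Mar  7 12:08:01 opnsense suricata[2342]: 03/07/2018-12:08:01.123456  [Drop] [**] "
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "198.51.100.7:80 -> 192.168.254.250:49360",
]

SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")                  # [gid:sid:rev]
FLOW_RE = re.compile(r"\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")   # {TCP} a:p -> b:q


def eve_drops(lines):
    """Yield (sid, src_ip, src_port, dest_ip, dest_port, signature) per blocked packet."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        alert = ev.get("alert") or {}
        if ev.get("event_type") != "drop" or alert.get("action") != "blocked":
            continue
        yield (alert["signature_id"], ev.get("src_ip"), ev.get("src_port"),
               ev.get("dest_ip"), ev.get("dest_port"), alert["signature"])


def syslog_drops(lines):
    """Return the set of (sid, src_ip, src_port, dest_ip, dest_port) drops seen in syslog."""
    seen = set()
    for line in lines:
        sid = SID_RE.search(line)
        flow = FLOW_RE.search(line)
        if sid and flow and "[Drop]" in line:
            seen.add((int(sid.group(2)), flow.group(2), int(flow.group(3)),
                      flow.group(4), int(flow.group(5))))
    return seen


def missing_from_syslog(eve_lines, syslog_lines):
    """Drops present in eve.json but absent from syslog, plus a per-signature tally."""
    seen = syslog_drops(syslog_lines)
    missing = [d for d in eve_drops(eve_lines) if d[:5] not in seen]
    per_signature = Counter((d[0], d[5]) for d in missing)
    return missing, per_signature


if __name__ == "__main__":
    missing, tally = missing_from_syslog(EVE_LINES, SYSLOG_LINES)
    for (sid, name), n in tally.most_common():
        print(f"{n:4d}  sid {sid}  {name}")
    print(f"{len(missing)} eve.json drop(s) never reached syslog")
```

Run it against a real `/var/log/suricata/eve.json` and the forwarded syslog file by replacing the two constructed lists with `open(...)` iterators; the per-signature tally is the quickest way to see whether the gap is random loss or, as suspected in the post, whole classes of rules (such as the noalert ones) that never produce an alert line.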

trigger_hippie

  • Newbie
  • Posts: 5
  • Karma: 2
Re: Suricata Drop Log
« Reply #16 on: March 27, 2018, 01:20:24 am »
Some events are not being pushed to syslog from eve.json. Could not find out why, but found a solution to push everything from eve.json to elasticsearch (as I see, you are using it as well).

Install filebeat on the OPNsense host and change filebeat.yml to point to logstash using this guide:
https://extelligenceblog.it/2017/07/11/elastic-stack-suricata-idps-and-pfsense-firewall-part-1/


Configure logstash (the beats block has to sit inside an input section, otherwise logstash refuses the pipeline):
input {
  # Filebeat ships eve.json here; codec json decodes each line into fields
  beats {
    type => "Suricata"
    port => 5044
    codec => json
  }
}
filter {
  if [type] =~ /^Suricata/ {
    mutate {
      add_tag => ["Suricata"]
      remove_tag => ["beats_input_codec_json_applied"]
      replace => {"service" => "Suricata"}
    }
  }
}
output {
  if [type] == "Suricata" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      # one index per day, date taken from the event's @timestamp
      index => "suricata-%{+YYYY.MM.dd}"
    }
  }
}

Hope it helps.
Cheers
« Last Edit: March 27, 2018, 01:25:08 am by trigger_hippie »
Logged
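
What the posted pipeline does to each event, as an added example that is not code from this thread, from Logstash or from OPNsense: the filter tags the record and sets service, and the output picks a daily index from `%{+YYYY.MM.dd}`. The block below replays those steps in Python and emits the `_bulk` NDJSON the elasticsearch output would send, so the result can be inspected before a real Logstash is in the path. Two assumptions are mine: Logstash expands `%{+YYYY.MM.dd}` from `@timestamp` in UTC, and `@timestamp` is derived here from the event's own `timestamp` field (Filebeat's default `@timestamp` is the time the line was read, which is not the same thing). The first eve line is the event quoted earlier in the thread with fields trimmed; the second is constructed just after local midnight to show that it lands in the previous UTC day's index; the third is a stats record to show the type filter.

```python
"""Replay the posted Logstash filter/output on eve.json lines and build the
Elasticsearch _bulk body it would send.

Added example, not code from the thread, Logstash or OPNsense. Assumptions:
Logstash expands %{+YYYY.MM.dd} from @timestamp in UTC, and @timestamp is
derived here from the event's own "timestamp" (Filebeat's default @timestamp
is the read time, so the index date can otherwise differ from the event date).
"""
import json
from datetime import datetime, timezone

# Constructed sample: first line is the event quoted earlier in the thread
# (fields trimmed to the ones used here); second is an invented drop logged
# 30 minutes after local midnight on 8 March; third is a stats record.
EVE_LINES = [
    '{"timestamp":"2018-03-07T12:07:48.969919+0100","in_iface":"vmx0",'
    '"event_type":"drop","src_ip":"192.168.254.250","src_port":49354,'
    '"dest_ip":"8.249.59.254","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,'
    '"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2018-03-08T00:30:00.000000+0100","in_iface":"vmx0",'
    '"event_type":"drop","src_ip":"192.168.254.250","src_port":50001,'
    '"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2018-03-08T00:31:00.000000+0100","event_type":"stats",'
    '"stats":{"uptime":86400}}',
]


def parse_eve_timestamp(ts):
    """Suricata writes offsets as +0100; fromisoformat on older Pythons wants +01:00."""
    if ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)


def enrich(event):
    """The pipeline's mutate step: type/tag/service, plus a UTC @timestamp."""
    doc = dict(event)
    utc = parse_eve_timestamp(doc["timestamp"]).astimezone(timezone.utc)
    doc["@timestamp"] = utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    doc["type"] = "Suricata"
    doc["tags"] = sorted(set(doc.get("tags", [])) | {"Suricata"})
    doc["service"] = "Suricata"
    return doc


def index_for(doc):
    """suricata-%{+YYYY.MM.dd}, resolved from @timestamp (UTC) as Logstash does."""
    day = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return "suricata-" + day.strftime("%Y.%m.%d")


def bulk_ndjson(lines, event_types=None):
    """One action line plus one document line per kept event, newline-terminated."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if event_types and ev.get("event_type") not in event_types:
            continue
        doc = enrich(ev)
        out.append(json.dumps({"index": {"_index": index_for(doc)}}))
        out.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Ship only the IPS drops, since the drop log is what this thread is after.
    print(bulk_ndjson(EVE_LINES, event_types={"drop"}), end="")
```

The second sample event is stamped 00:30 on 8 March local time but ends up in `suricata-2018.03.07`, because the daily index boundary follows UTC; anyone building dashboards per local day needs to account for that, or set the timezone on the Logstash date filter explicitly. The body can be POSTed as-is to `/_bulk` with `Content-Type: application/x-ndjson`.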

nines

  • Newbie
  • Posts: 46
  • Karma: 1
Re: Suricata Drop Log
« Reply #17 on: July 29, 2018, 02:42:18 pm »
Quote from: trigger_hippie on March 27, 2018, 01:20:24 am

Did you manage to configure autostart on boot for filebeat?
Logged

trigger_hippie

  • Newbie
  • Posts: 5
  • Karma: 2
Re: Suricata Drop Log
« Reply #18 on: July 30, 2018, 01:01:24 pm »
No, I did not manage to configure it to start automatically...
Logged

xmichielx

  • Newbie
  • Posts: 44
  • Karma: 0
Re: Suricata Drop Log
« Reply #19 on: October 12, 2018, 07:05:57 pm »
Also created https://github.com/opnsense/core/issues/2809 for this issue; not sure if it is a bug or works as expected.
Logged

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved