Suricata Drop Log

Started by nines, February 22, 2018, 09:48:36 PM

Yes, I have drops in syslog, but I have to point out that I already had drops before the update. I can't tell for sure if there are more or fewer drops as of the version I'm running now, but what I can tell for sure is that the content of eve.json and suricata.log is definitely not the same (in terms of the blocked rules being logged).

this is a example from eve.json not showing up in suricata.log (one of many)

{
  "timestamp": "2018-03-07T12:07:48.969919+0100",
  "flow_id": 610197949434437,
  "in_iface": "vmx0",
  "event_type": "drop",
  "src_ip": "192.168.254.250",
  "src_port": 49354,
  "dest_ip": "8.249.59.254",
  "dest_port": 80,
  "proto": "TCP",
  "drop": {
    "len": 287,
    "tos": 2,
    "ttl": 127,
    "ipid": 17292,
    "tcpseq": 1736993020,
    "tcpack": 1537099686,
    "tcpwin": 8212,
    "syn": false,
    "ack": true,
    "psh": true,
    "rst": false,
    "urg": false,
    "fin": false,
    "tcpres": 0,
    "tcpurgp": 0
  },
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2020573,
    "rev": 2,
    "signature": "ET CURRENT_EVENTS INFO .exe download with no referer (noalert)",
    "category": "Potentially Bad Traffic",
    "severity": 2
  }
}

I have no idea why some logs are being sent to syslog and others are not. My personal feeling is that all the rules which are finally allowed but logged are visible in suricata.log, but many of the actual drop rules are not.

Do you need additional information/output/files/tests? I surely can provide it, but I'm unsure what exactly would help.

The reason this is important for me is that I'm trying to send the IPS drop log to a central logstash instance for visualization and aggregation, and as you can imagine that only makes sense if the logs being sent are complete :)

Thanks so far!
André
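As an added example (not code from the thread or from the OPNsense/Suricata projects): a small Python script that parses eve.json line by line, keeps only `event_type: drop` records whose alert action is `blocked`, and reports which of them have no counterpart on the syslog side. The first sample line is the drop record quoted above; the second sample line is a constructed `alert` event for contrast, and the syslog side is modelled as a set of keys produced by an assumed parser for that format, since the thread does not show the suricata.log line layout. This is the comparison André describes, run over sample input so the counts can be checked offline.

```python
import json
from collections import Counter

# Constructed sample eve.json lines. Line 1 is the drop record quoted in the
# post above; line 2 is a constructed alert record; line 3 is deliberately
# malformed to show that the parser skips it instead of aborting.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-03-07T12:07:48.969919+0100","flow_id":610197949434437,'
    '"in_iface":"vmx0","event_type":"drop","src_ip":"192.168.254.250","src_port":49354,'
    '"dest_ip":"8.249.59.254","dest_port":80,"proto":"TCP",'
    '"drop":{"len":287,"tos":2,"ttl":127,"ipid":17292,"tcpseq":1736993020,'
    '"tcpack":1537099686,"tcpwin":8212,"syn":false,"ack":true,"psh":true,"rst":false,'
    '"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},'
    '"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,'
    '"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2018-03-07T12:09:01.000000+0100","flow_id":1,"in_iface":"vmx0",'
    '"event_type":"alert","src_ip":"192.168.254.250","src_port":49400,'
    '"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    'this line is not JSON and must be skipped',
]


def parse_eve(lines):
    """Yield one dict per valid JSON line; silently skip blank or broken lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def drop_key(rec):
    """Key that identifies one blocked flow: signature id plus both endpoints."""
    alert = rec.get("alert", {})
    return (
        alert.get("signature_id"),
        rec.get("src_ip"), rec.get("src_port"),
        rec.get("dest_ip"), rec.get("dest_port"),
    )


def blocked_events(lines):
    """Return only eve records that are drop events with alert.action == blocked."""
    return [
        rec for rec in parse_eve(lines)
        if rec.get("event_type") == "drop"
        and rec.get("alert", {}).get("action") == "blocked"
    ]


def missing_from_syslog(eve_lines, syslog_keys):
    """Blocked eve.json drops whose key is absent from the syslog side.

    syslog_keys is assumed to be a set of drop_key() tuples built by a parser
    for the syslog/suricata.log format (not shown here).
    """
    return [rec for rec in blocked_events(eve_lines) if drop_key(rec) not in syslog_keys]


def summarize(records):
    """Count blocked events per (signature_id, signature) for a quick overview."""
    return Counter((r["alert"]["signature_id"], r["alert"]["signature"]) for r in records)


if __name__ == "__main__":
    # Pretend syslog contained nothing: every blocked drop is then "missing".
    gaps = missing_from_syslog(SAMPLE_EVE_LINES, set())
    for sid, count in summarize(gaps).items():
        print(f"{count:4d}  {sid[0]}  {sid[1]}")
```

Feed the real file with `missing_from_syslog(open("/var/log/suricata/eve.json"), syslog_keys)`; because `parse_eve` is a generator it handles a large eve.json without loading it all at once.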

March 27, 2018, 01:20:24 AM #16 Last Edit: March 27, 2018, 01:25:08 AM by trigger_hippie
Some events are not being pushed to syslog from eve.json. Could not find out why, but found a solution to push everything from eve.json to elasticsearch (as I see, you are using it as well).

Install filebeat on the OPNsense host and change filebeat.yml to point to logstash using this guide:
https://extelligenceblog.it/2017/07/11/elastic-stack-suricata-idps-and-pfsense-firewall-part-1/

Configure logstash:
# the beats input needs its enclosing input {} block
input {
  beats {
    type => "Suricata"
    port => 5044
    codec => json
  }
}
filter {
  if [type] =~ /^Suricata/ {
    mutate {
      add_tag => ["Suricata"]
      remove_tag => ["beats_input_codec_json_applied"]
      replace => {"service" => "Suricata"}
    }
  }
}
output {
  if [type] == "Suricata" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "suricata-%{+YYYY.MM.dd}"
    }
  }
}

Hope it helps.
Cheers

Quote from: trigger_hippie on March 27, 2018, 01:20:24 AM
Some events are not being pushed to syslog from eve.json. Could not find out why, but found a solution to push everything from eve.json to elasticsearch (as I see, you are using it as well).

Install filebeat on the OPNsense host and change filebeat.yml to point to logstash using this guide:
https://extelligenceblog.it/2017/07/11/elastic-stack-suricata-idps-and-pfsense-firewall-part-1/

Configure logstash:
# the beats input needs its enclosing input {} block
input {
  beats {
    type => "Suricata"
    port => 5044
    codec => json
  }
}
filter {
  if [type] =~ /^Suricata/ {
    mutate {
      add_tag => ["Suricata"]
      remove_tag => ["beats_input_codec_json_applied"]
      replace => {"service" => "Suricata"}
    }
  }
}
output {
  if [type] == "Suricata" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "suricata-%{+YYYY.MM.dd}"
    }
  }
}

Hope it helps.
Cheers

Did you manage to configure autostart on boot of filebeat?

No, I did not manage to configure it to start automatically...

Also created https://github.com/opnsense/core/issues/2809 for this issue; not sure if it is a bug or works as expected.