URL: https://forum.suricata.io/t/suricata-running-on-a-test-host-detected-few-alerts-while-there-was-no-traffic-on-listening-po...
Suricata


Suricata running on a test host detected few alerts while there was no traffic on listening port

Help

arcot January 6, 2022, 1:22pm #1

Hello all,

The $subject says it all, basically.

I’ve an instance of Suricata running on a testing host. Suricata is configured
to listen on an interface (af-packet) which is directly connected to another host
that we use when we want to inject testing traffic via tcpreplay.

I’ve noticed that when we were not testing, detect.alert stat was rising:

Date: 1/5/2022 -- 10:28:28 (uptime: 0d, 18h 59m 58s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12235                     [+ 2]
Date: 1/5/2022 -- 10:28:36 (uptime: 0d, 19h 00m 06s) --------------------------------
 capture.kernel_drops:    130                       [+ 0]
 detect.alert:            12236                     [+ 1]


I had a look at the counters (listing only the ones that have changed between
samples):

Counter                        10:28:20   10:28:28   10:28:36
capture.kernel_packets         19625204   19625204   19625204
detect.alert                   12233      12235      12236
app_layer.flow.tls             17361      17403      17423
flow_mgr.est_pruned            23917      24314      24524
flow.spare                     10061      10048      10024
flow_mgr.flows_checked         170        117        86
flow_mgr.flows_timeout         117        78         47
flow_mgr.flows_timeout_inuse   56         30         23
flow_mgr.flows_removed         61         48         24
flow_mgr.rows_skipped          65311      65387      65423
flow_mgr.rows_empty            65         36         29
tcp.memuse                     1450080    1356080    1281840
tcp.reassembly_memuse          21486508   19303540   17565292
http.memuse                    687984     507462     506345
flow.memuse                    8512424    8400576    8313000

These are the alerts picked up, from eve.json:

"2022-01-05T10:28:22.000180+0000 | 1:2033055:1 | ET JA3 HASH - Possible Rclone Client Response (Mega Storage) | Potentially Bad Traffic | 1xx.xxx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:26.000448+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:28.000468+0000 | 1:2031231:1 | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic | 2xx.xx.xxx.xxx:443 -> 1x.xxx.xxx.xxx:yyyyy"
"2022-01-05T10:28:36.000337+0000 | 1:2027671:5 | ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound | Potential Corporate Privacy Violation | xxx.x.x.x:xxx -> 10.xx.xx.xx:yyyyy"
"2022-01-05T10:30:42.000296+0000 | 1:2028777:2 | ET JA3 Hash - [Abuse.ch] Possible Adware | Unknown Traffic | 1x.xxx.xxx.xxx:yyyyy -> 1xx.xxx.xxx.xxx:443"


But I was not able to figure out why this is happening, hence asking here. Any
hint is appreciated.

Thanks!




Jeff_Lucovsky (Jeff Lucovsky), Suricata Team Member, January 7, 2022, 1:03pm #2

You seem to be asking how you can get more context for the alerts that are
generated. If so, there are a few ways:

Logging – Suricata has extensive logging capabilities about the network packets
that it inspects. These are controlled in the Suricata configuration file – See
the outputs section and then go to the types subsection within it. There, you’ll
see alert, anomaly, and application layer protocols and such – enabled: yes is
the default for almost all of them.

Alerts – alerts can contain additional contextual information – in the
output.types section see alert and enable some of the payload/packet fields to
include portions of the network stream.

1 Like
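A worked example, added here and not taken from the thread or from the Suricata project, that covers both the counter comparison in the first post and Jeff's suggestion of enabling the payload/packet fields of the alert output: it diffs consecutive stats events from eve.json, flags intervals in which detect.alert grew while capture.kernel_packets did not, and prints each alert in the one-line form used in the post together with the flow/TLS/payload context that the alert event carries once that logging is on. The EVE lines are constructed (addresses, hashes, payload and flow sizes are made up); the field names follow the EVE JSON schema (event_type, stats.capture.kernel_packets, stats.detect.alert, alert.signature_id, tls.ja3s, flow.start, payload_printable), and the suricata.yaml keys quoted in the module docstring are the ones the alert output type has in the default suricata.yaml.

```python
"""Added example for this thread (not code from the forum or from Suricata).

1. Replays the check from the first post: diff consecutive 'stats' events and
   flag intervals where detect.alert rose while capture.kernel_packets did not.
2. Prints 'alert' events the way the post does, plus the extra context that
   is present when the 'alert' type in eve-log has payload/packet logging on.

Assumed suricata.yaml fragment (key names as in the default suricata.yaml):

    outputs:
      - eve-log:
          enabled: yes
          filename: eve.json
          types:
            - alert:
                payload: yes            # base64 payload
                payload-printable: yes  # printable payload
                packet: yes             # base64 packet
                metadata: yes           # rule metadata, flowbits
                tagged-packets: yes
            - stats:
                totals: yes

The EVE lines below are constructed for this example, not real logs.
"""
import json

SAMPLE_EVE = r"""
{"timestamp":"2022-01-05T10:28:20.000000+0000","event_type":"stats","stats":{"uptime":68390,"capture":{"kernel_packets":19625204,"kernel_drops":130},"detect":{"alert":12233}}}
{"timestamp":"2022-01-05T10:28:22.000180+0000","event_type":"alert","src_ip":"198.51.100.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2033055,"rev":1,"signature":"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)","category":"Potentially Bad Traffic","severity":2},"tls":{"subject":"CN=example.test","issuer":"CN=Example CA","ja3s":{"hash":"0123456789abcdef0123456789abcdef"}},"flow":{"pkts_toserver":12,"pkts_toclient":9,"bytes_toserver":1800,"bytes_toclient":4200,"start":"2022-01-05T10:27:50.000000+0000"},"payload_printable":"...........example.test..."}
{"timestamp":"2022-01-05T10:28:28.000000+0000","event_type":"stats","stats":{"uptime":68398,"capture":{"kernel_packets":19625204,"kernel_drops":130},"detect":{"alert":12235}}}
{"timestamp":"2022-01-05T10:28:36.000000+0000","event_type":"stats","stats":{"uptime":68406,"capture":{"kernel_packets":19625204,"kernel_drops":130},"detect":{"alert":12236}}}
"""


def read_eve(text):
    """Parse newline-delimited EVE JSON; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _lookup(stats, dotted):
    """Resolve a 'capture.kernel_packets' style name inside the stats dict."""
    node = stats
    for key in dotted.split("."):
        node = node[key]
    return node


def counter_deltas(events, counters=("capture.kernel_packets", "detect.alert")):
    """For consecutive stats events return (timestamp, {counter: (value, delta)}).
    The first row has delta 0, like the '[+ 0]' column of stats.log."""
    rows, prev = [], None
    for ev in events:
        if ev.get("event_type") != "stats":
            continue
        cur = {c: _lookup(ev["stats"], c) for c in counters}
        rows.append((ev["timestamp"],
                     {c: (cur[c], cur[c] - prev[c] if prev else 0) for c in counters}))
        prev = cur
    return rows


def alerts_without_new_packets(events):
    """Timestamps of intervals where detect.alert grew but capture.kernel_packets
    stayed flat. Such alerts cannot come from packets captured in that interval;
    they are raised from state Suricata already holds, so the things to check are
    the alert's flow.start and the flow_mgr.* counters, not the capture interface."""
    return [ts for ts, row in counter_deltas(events)
            if row["detect.alert"][1] > 0 and row["capture.kernel_packets"][1] == 0]


def summarize_alert(ev):
    """One line per alert: ts | gid:sid:rev | msg | class | src -> dst."""
    a = ev["alert"]
    return (f'{ev["timestamp"]} | {a["gid"]}:{a["signature_id"]}:{a["rev"]} | '
            f'{a["signature"]} | {a["category"]} | '
            f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}')


def alert_context(ev):
    """Extra context an alert carries when the related logging is enabled;
    every key is optional, so a minimal alert yields an empty dict."""
    ctx = {}
    flow = ev.get("flow")
    if flow:
        ctx["flow_start"] = flow.get("start")  # when the flow really began
        ctx["flow_pkts"] = flow.get("pkts_toserver", 0) + flow.get("pkts_toclient", 0)
    tls = ev.get("tls")
    if tls:
        ctx["tls_subject"] = tls.get("subject")
        ctx["ja3"] = tls.get("ja3", {}).get("hash")    # client hello fingerprint
        ctx["ja3s"] = tls.get("ja3s", {}).get("hash")  # server hello fingerprint
    if "payload_printable" in ev:
        ctx["payload"] = ev["payload_printable"][:60]
    return ctx


if __name__ == "__main__":
    events = read_eve(SAMPLE_EVE)
    for ts, row in counter_deltas(events):
        print(ts, "  ".join(f"{c}: {v} [+{d}]" for c, (v, d) in row.items()))
    print("alerts while capture was idle:", alerts_without_new_packets(events))
    for ev in events:
        if ev["event_type"] == "alert":
            print(summarize_alert(ev))
            print("   ", alert_context(ev))
```

To run it against a live sensor, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json (or feed it line by line); the stats events are only there if the stats type is enabled under eve-log, which it is in the default configuration.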
