Summary: | suricata: Logs nothing when things are being blocked | |
---|---|---|---
Product: | IPFire | Reporter: | Michael Tremer <michael.tremer>
Component: | --- | Assignee: | Stefan Schantl <stefan.schantl>
Status: | CLOSED FIXED | QA Contact: |
Severity: | Major Usability | |
Priority: | Will affect most users | |
Version: | 2 | |
Hardware: | unspecified | |
OS: | Unspecified | |
Bug Depends on: | 11981 | |
Bug Blocks: | 11801 | |
Description
Michael Tremer
2018-08-28 14:17:16 UTC
I've got the following output in "/var/log/suricata/fast.log" when doing an nmap scan of the host running suricata.

```
08/30/2018-15:06:54.713489 [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53
08/30/2018-15:06:55.814801 [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:22
08/30/2018-15:06:55.916797 [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:3306
08/30/2018-15:06:56.017219 [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:3306
08/30/2018-15:07:01.131415 [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1521
08/30/2018-15:07:01.231743 [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1521
08/30/2018-15:07:02.751242 [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5432
08/30/2018-15:07:02.851348 [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:5432
08/30/2018-15:07:04.534581 [Drop] [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5811
08/30/2018-15:07:05.757545 [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1433
08/30/2018-15:07:05.857813 [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1433
08/30/2018-15:07:07.146893 [Drop] [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5907
08/30/2018-15:07:16.018422 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.143989 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.244646 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.345133 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:17.549029 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.649500 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.799898 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.924995 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
```

My log was entirely empty. This was okay in the last image I tested, so I have no idea if we need to do anything about this...