Bug 11838

Summary: suricata: Logs nothing when things are being blocked
Product: IPFire
Reporter: Michael Tremer <michael.tremer>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Major Usability
Priority: Will affect most users
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on: 11981
Bug Blocks: 11801

Description Michael Tremer 2018-08-28 14:17:16 UTC
There is absolutely nothing logged when suricata starts blocking a host.

It is *crucial* for the IPS that it is clear at all times what is being filtered and why.
Comment 1 Stefan Schantl 2018-08-30 15:09:01 UTC
I've got the following output in "/var/log/suricata/fast.log" when doing an nmap scan of the host running suricata.

08/30/2018-15:06:54.713489  [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53
08/30/2018-15:06:55.814801  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:22
08/30/2018-15:06:55.916797  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:3306
08/30/2018-15:06:56.017219  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:3306
08/30/2018-15:07:01.131415  [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1521
08/30/2018-15:07:01.231743  [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1521
08/30/2018-15:07:02.751242  [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5432
08/30/2018-15:07:02.851348  [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:5432
08/30/2018-15:07:04.534581  [Drop] [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5811
08/30/2018-15:07:05.757545  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1433
08/30/2018-15:07:05.857813  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1433
08/30/2018-15:07:07.146893  [Drop] [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5907
08/30/2018-15:07:16.018422  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.143989  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.244646  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.345133  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:17.549029  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.649500  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.799898  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.924995  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
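The fast.log lines above do answer the question the bug raises (what is being filtered and why), but only one event per line. The following is an added example, not IPFire or Suricata code, that parses that one-line fast.log format and tallies blocked flows per source address with the rule that caused the drop. It assumes the layout shown in the comment, that the `[Drop]` token is what distinguishes a blocked entry from a plain alert, and that the port part may be absent (e.g. for ICMP); the sid 1000001 line is constructed for the example.

```python
# Added example (not IPFire/Suricata code): parse fast.log lines in the
# one-line format shown above and summarise what was blocked and why.
import re
from collections import Counter, defaultdict

# ts  [Drop] [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"          # [Drop]/[wDrop]; absent for plain alerts
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"  # ports are absent for e.g. ICMP
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

def parse_line(line):
    """Return the fields of one fast.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["blocked"] = ev["action"] is not None and "drop" in ev["action"].lower()
    ev["sid"] = int(ev["sid"])
    ev["priority"] = int(ev["priority"])
    return ev

def summarise_blocked(lines):
    """Map each blocked source IP to a Counter of (sid, msg, dst:port) reasons."""
    summary = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["blocked"]:   # skip unparseable lines and plain alerts
            continue
        target = f"{ev['dst']}:{ev['dport']}" if ev["dport"] else ev["dst"]
        summary[ev["src"]][(ev["sid"], ev["msg"], target)] += 1
    return summary

# Three lines copied from the comment above plus one constructed alert line
# (no [Drop] token, made-up sid 1000001) to show that alerts are not counted as blocks.
SAMPLE = """\
08/30/2018-15:06:54.713489  [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53
08/30/2018-15:07:16.018422  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.143989  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:08:00.000000  [**] [1:1000001:1] EXAMPLE constructed alert, not blocked [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.122.222:80 -> 192.168.122.1:50000
""".splitlines()
```

Running `summarise_blocked(SAMPLE)` yields one blocked source, 192.168.122.1, with the port-53 NMAP drop counted once and the OS-detection probe drop counted twice; the constructed alert line is parsed but not counted.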
Comment 2 Michael Tremer 2018-08-30 15:12:19 UTC
My log was entirely empty.
Comment 3 Michael Tremer 2019-01-30 16:20:45 UTC
This was okay in the last image I tested, so I have no idea if we need to do anything about this...