Bug 11838 - suricata: Logs nothing when things are being blocked
Summary: suricata: Logs nothing when things are being blocked
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: Will affect most users / Major Usability
Assignee: Stefan Schantl
QA Contact:
URL:
Keywords:
Depends on: 11981
Blocks: SURICATA
Reported: 2018-08-28 14:17 UTC by Michael Tremer
Modified: 2019-01-30 16:20 UTC

See Also:


Description Michael Tremer 2018-08-28 14:17:16 UTC
There is absolutely nothing logged when suricata starts blocking a host.

It is *crucial* for the IPS that it is clear at all times what is being filtered and why.
Comment 1 Stefan Schantl 2018-08-30 15:09:01 UTC
I've got the following output in "/var/log/suricata/fast.log" when doing an nmap scan of the host running suricata.

08/30/2018-15:06:54.713489  [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53
08/30/2018-15:06:55.814801  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:22
08/30/2018-15:06:55.916797  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:3306
08/30/2018-15:06:56.017219  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:3306
08/30/2018-15:07:01.131415  [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1521
08/30/2018-15:07:01.231743  [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1521
08/30/2018-15:07:02.751242  [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5432
08/30/2018-15:07:02.851348  [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:5432
08/30/2018-15:07:04.534581  [Drop] [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5811
08/30/2018-15:07:05.757545  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1433
08/30/2018-15:07:05.857813  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1433
08/30/2018-15:07:07.146893  [Drop] [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5907
08/30/2018-15:07:16.018422  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.143989  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.244646  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.345133  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:17.549029  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.649500  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.799898  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.924995  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
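The question in this bug is whether drops show up in the log at all, and the fast.log excerpt above is what a positive answer looks like. The following added example is not IPFire or Suricata code; it is a small parser for fast.log records written here to check exactly that: it reads lines like the ones in Comment 1, separates "[Drop]" records from plain alerts, and summarizes which signatures are blocking which hosts. The regular expression is an assumption about the fast.log layout derived from the lines above (an optional action token, "[gid:sid:rev]", the message, optional classification, priority, protocol, and "src:port -> dst:port"); the sample input reuses three lines from Comment 1 plus one constructed alert-only record and one junk line.

```python
"""Parse Suricata fast.log lines and summarize which signatures are dropping traffic."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One fast.log record per line. The "[Drop]" token is present only when the engine
# runs inline and the matching rule's action is drop; a plain alert has no action
# token, so that group is optional. Layout assumed from the lines in Comment 1.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    action: Optional[str]          # "Drop" in the excerpt above; None for a plain alert
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def blocked(self) -> bool:
        # Only the literal token seen in the excerpt is treated as a block.
        return self.action == "Drop"


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed fast.log line, or None for anything else."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        timestamp=m["ts"], action=m["action"], gid=int(m["gid"]), sid=int(m["sid"]),
        rev=int(m["rev"]), msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"], src=m["src"],
        sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )


def parse_log(lines: Iterable[str]) -> List[Event]:
    """Parse every well-formed line; malformed lines are skipped rather than fatal."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def drops_by_signature(events: Iterable[Event]) -> Counter:
    """Dropped packets per (sid, msg), so a reviewer sees which rule is blocking."""
    return Counter((e.sid, e.msg) for e in events if e.blocked)


def blocked_pairs(events: Iterable[Event]) -> Set[Tuple[str, str]]:
    """Distinct (source, destination) pairs with at least one dropped packet."""
    return {(e.src, e.dst) for e in events if e.blocked}


def report(lines: Iterable[str]) -> Dict[str, object]:
    """Answer the bug's question: was anything logged as blocked, and by what?"""
    events = parse_log(lines)
    drops = drops_by_signature(events)
    return {
        "parsed": len(events),
        "dropped": sum(drops.values()),
        "alert_only": sum(1 for e in events if not e.blocked),
        "top_signatures": drops.most_common(3),
        "blocked_pairs": sorted(blocked_pairs(events)),
    }


# Sample input: first three lines copied from Comment 1 above; the fourth is a
# constructed alert-only record (no action token); the fifth is deliberate noise.
SAMPLE_LOG = [
    "08/30/2018-15:06:54.713489  [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53",
    "08/30/2018-15:07:16.018422  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377",
    "08/30/2018-15:07:16.143989  [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377",
    "08/30/2018-15:07:20.000000  [**] [1:9999999:1] CONSTRUCTED example alert only [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.122.1:50000 -> 192.168.122.222:80",
    "not a fast.log line",
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real file with `report(open("/var/log/suricata/fast.log"))`; a result of `dropped: 0` while traffic is demonstrably being blocked is the symptom the reporter describes, whereas `parsed: 0` on a non-empty file means the log format differs from the one assumed here and the expression needs adjusting before any conclusion is drawn.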
Comment 2 Michael Tremer 2018-08-30 15:12:19 UTC
My log was entirely empty.
Comment 3 Michael Tremer 2019-01-30 16:20:45 UTC
This was okay in the last image I tested, so I have no idea if we need to do anything about this...