1

我试图让 suricata 在 fast.log 文件中的 pcap 上发出警报,而不是像文档中所说的那样在网络接口上发出警报,但我无法在 fast.log 中获得任何输出。

我的设置

  • 泊坞窗图像 ubuntu:最新
  • 苏里卡塔 5.0.2 
# suricata -V
This is Suricata version 5.0.2 RELEASE
  • 在默认位置使用默认 suricata.yaml/etc/suricata/suricata.yaml
  • 使用默认规则集

我期望发生的事情

当我在离线模式下运行 suricata 时,它使用包含恶意流量的 pcap,我应该在 fast.log 中看到输出。

我跑:

suricata -c /etc/suricata/suricata.yaml -r malware.pcap -v

并得到:

[384] 10/4/2020 -- 00:41:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[384] 10/4/2020 -- 00:41:49 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[384] 10/4/2020 -- 00:41:54 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 20015 rules successfully loaded, 0 rules failed
[384] 10/4/2020 -- 00:41:55 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[384] 10/4/2020 -- 00:41:55 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 20018 signatures processed. 1153 are IP-only rules, 3900 are inspecting packet payload, 14735 inspect application layer, 103 are decoder event only
[384] 10/4/2020 -- 00:42:04 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started.
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:176) <Info> (ReceivePcapFileLoop) -- Starting file run for malware.pcap
[386] 10/4/2020 -- 00:42:04 - (util-checksum.c:89) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file-helper.c:149) <Info> (PcapFileDispatch) -- pcap file malware.pcap end of file reached (pcap err code 0)
[384] 10/4/2020 -- 00:42:04 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[384] 10/4/2020 -- 00:42:04 - (suricata.c:1103) <Info> (SCPrintElapsedTime) -- time elapsed 0.130s
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 18523 packets, 3310685 bytes
[384] 10/4/2020 -- 00:42:04 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 316
[384] 10/4/2020 -- 00:42:04 - (detect-engine-build.c:1716) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete

但 fast.log 中没有输出

# cat /var/log/suricata/fast.log | wc -l
0

然而

当我在常规模式下运行 suricata 并使用相同界面的 tcpreplay 重播 pcap 时,我收到 316 个警报。

# suricata -c /etc/suricata/suricata.yaml -i eth0
# tcpreplay -t -i eth0 /root/malware.pcap
Warning in send_packets.c:send_packets() line 637:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 18523 packets (3310685 bytes) sent in 0.290575 seconds
Rated: 11393564.4 Bps, 91.14 Mbps, 63746.02 pps
Flows: 1520 flows, 5231.00 fps, 12589 flow packets, 5934 non-flow
Statistics for network device: eth0
    Successful packets:        18522
    Failed packets:            1
    Truncated packets:         0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN):  0
# cat /var/log/suricata/fast.log | wc -l
316

这个 316 与上面发布的离线模式输出中的一行相同,但我在 fast.log 中看不到任何内容。

这是怎么回事?

4

2 回答 2

2

只是想补充一下答案:这不是一个错误,它是一个功能:P 它实际上是为了防止在标准日志文件夹中发生冲突,以防您在系统模式下运行 Suricata 实例。

于 2021-05-13T19:42:02.660 回答
2

好的,终于找到了我的答案。由于某种原因,在离线模式下运行 Suricata 时,它会将 fast.log(和所有其他日志文件)输出到当前工作目录,而不是来自 yaml 的目录。我将为此向 Suricata 开发人员提交一个错误,因为我确信这不是故意的。

于 2020-04-23T05:51:13.563 回答