我试图让 suricata 在 fast.log 文件中的 pcap 上发出警报,而不是像文档中所说的那样在网络接口上发出警报,但我无法在 fast.log 中获得任何输出。
我的设置
- 泊坞窗图像 ubuntu:最新
- 苏里卡塔 5.0.2
# suricata -V
This is Suricata version 5.0.2 RELEASE
- 在默认位置使用默认 suricata.yaml
/etc/suricata/suricata.yaml
- 使用默认规则集
我期望发生的事情
当我在离线模式下运行 suricata 时,它使用包含恶意流量的 pcap,我应该在 fast.log 中看到输出。
我跑:
suricata -c /etc/suricata/suricata.yaml -r malware.pcap -v
并得到:
[384] 10/4/2020 -- 00:41:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[384] 10/4/2020 -- 00:41:49 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[384] 10/4/2020 -- 00:41:54 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 20015 rules successfully loaded, 0 rules failed
[384] 10/4/2020 -- 00:41:55 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[384] 10/4/2020 -- 00:41:55 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 20018 signatures processed. 1153 are IP-only rules, 3900 are inspecting packet payload, 14735 inspect application layer, 103 are decoder event only
[384] 10/4/2020 -- 00:42:04 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started.
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:176) <Info> (ReceivePcapFileLoop) -- Starting file run for malware.pcap
[386] 10/4/2020 -- 00:42:04 - (util-checksum.c:89) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file-helper.c:149) <Info> (PcapFileDispatch) -- pcap file malware.pcap end of file reached (pcap err code 0)
[384] 10/4/2020 -- 00:42:04 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[384] 10/4/2020 -- 00:42:04 - (suricata.c:1103) <Info> (SCPrintElapsedTime) -- time elapsed 0.130s
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 18523 packets, 3310685 bytes
[384] 10/4/2020 -- 00:42:04 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 316
[384] 10/4/2020 -- 00:42:04 - (detect-engine-build.c:1716) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
但 fast.log 中没有输出
# cat /var/log/suricata/fast.log | wc -l
0
然而
当我在常规模式下运行 suricata 并使用相同界面的 tcpreplay 重播 pcap 时,我收到 316 个警报。
# suricata -c /etc/suricata/suricata.yaml -i eth0
# tcpreplay -t -i eth0 /root/malware.pcap
Warning in send_packets.c:send_packets() line 637:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 18523 packets (3310685 bytes) sent in 0.290575 seconds
Rated: 11393564.4 Bps, 91.14 Mbps, 63746.02 pps
Flows: 1520 flows, 5231.00 fps, 12589 flow packets, 5934 non-flow
Statistics for network device: eth0
Successful packets: 18522
Failed packets: 1
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
# cat /var/log/suricata/fast.log | wc -l
316
这个 316 与上面发布的离线模式输出中的一行相同,但我在 fast.log 中看不到任何内容。
这是怎么回事?