2.3.260: Suricata not generating Alerts on 1 FW-node #11635
Replies: 1 comment 3 replies
-
|
Does that particular sensor have a different $HOMENET than globally set? Check & compare the values from the manager node |
Beta Was this translation helpful? Give feedback.
-
|
They weren't set the same - I've adjusted it, restarted the sensor node, made no difference though :( |
Beta Was this translation helpful? Give feedback.
-
|
I can't reproduce the same thing anymore from the sensor node itself either by the way. Suricata is running fine (it says) but nothing is happening. Zeek and other logs are working just fine. tail -50 /opt/so/log/suricata/stats.log: app_layer.tx.ikev2 | Total | 0 and the last part of the /opt/so/log/suricata/suricata.log: 28/10/2023 -- 07:15:31 - - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode (this was since the last reboot, no new lines were added after that). There is an 'eve-2023-10-28-07:15.json log in /nsm/suricata but it's 0 bytes, just like the ones from the past 2 days (the last log with an actual entry was the testmynids.org/uid/index.html that I fired from the sensor node) The ONE thing I haven't checked (or wasn't able to): The network segment that the node is connected to runs at 172.17.8.x/23 ... so there's a 23-bit subnet. The docker0 interface runs at 172.17.0.1/24 .. that shouldn't interfere, right ? All the other logs are processed just fine... |
Beta Was this translation helpful? Give feedback.
-
|
If you're getting zeek logs, but not suricata alerts its likely your homenet variable. Suricata isn't triggering alerts for networks outside its 'homenet'. Check out https://docs.securityonion.net/en/2.3/homenet.html?highlight=homenet#homenet and ensure that the homenet for that sensor is correctly configured |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
We're running a grid of 90+ sensor nodes. Everything seems to be in order, however, one recently added sensor node is not generating Suricata Alerts.
I do get a ton of Zeek logs (HTTP, SMB-files, DNS, the whole shabang), but 0 Suricata alerts even after waiting for a week. I can manually trigger a curl https://testmynids.org/uid/index.html on the sensor node and that will generate a Suricata Alert in the Alerts overview as well as the Dashboards. But if I trigger the same thing on a workstation within the network covered by this node, nothing happens. I do however see the connection to that domain, but no Alert is triggered.
Kind of last as to troubleshooting this. Suricata seems to work, the /nsm/suricata on the sensor creates (empty) logs but will list the manually triggered Alert when I run this from the sensor node itself. So I'd say communication and ingesting still works.
The docker logs so-suricata shows nothing particular:
26/10/2023 -- 18:32:12 - - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
26/10/2023 -- 18:32:15 - - all 2 packet processing threads, 4 management threads initialized, engine started.
(These are the only 2 lines it'll display right now).
'top' also shows suricata-main running and using some CPU (anywhere between 0.5%, and 5.0%-ish). so-status is fully green et cetera.
Since Zeek is running fine and a manually triggered alert from the sensor node works fine, it would seem Suricata is doing it's thing. Just not when it's supposed to look through the actual captured data??
Anyone have any idea on how to proceed/what to look at next ?
Beta Was this translation helpful? Give feedback.
All reactions