Suricata no longer generating alerts #13274

technox123 · 2024-06-27T10:30:32Z

technox123
Jun 27, 2024

Version

2.4.80

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

128gb

Storage for /

300gb

Storage for /nsm

32tb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,

I upgraded yesterday to version 2.4.80 and it seems like Suricata is no longer throwing any alerts anymore (it is worth noting I also purged old docker containers as well), I'm not too sure what has happened.

At first, I tried rebooting the whole distributed setup I have (Search, Manager, Forward, and Receiver). This caused Kibana & Elastic to error 404 on me, after waiting for around ~30 minutes, it still was erroring with a 404 so I gave the manager a quick reboot and it came back online. However, the original problem persisted and Suricata was still not generating any alerts.

I ran sudo so-status on all the nodes and everything is okay, I also ran sudo so-checkin and sudo salt \* state.highstate and got 0 failures. sudo salt \* test.ping also comes back okay.

On the manager I had a look at sudo so-redis-count and it's always 0.

The Suricata log on the forward node can be found below:

[11 - Suricata-Main] 2024-06-27 07:38:11 Notice: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: cpu: CPUs/cores online: 24
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: suricata: Setting engine mode to IDS mode by default
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: privs: dropped the caps for main thread
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: conf: Running in live mode, activating unix socket
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: logopenfile: eve-log output device (regular) initialized: /nsm/eve-%Y-%m-%d-%H:%M.json
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: log-pcap: Using log dir /nsm/suripcap
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: log-pcap: Selected pcap-log compression method: lz4
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: log-pcap: Selected pcap-log conditional logging: all
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: log-pcap: using multi logging
[11 - Suricata-Main] 2024-06-27 07:38:11 Info: logopenfile: stats output device (regular) initialized: stats.log
[11 - Suricata-Main] 2024-06-27 07:38:13 Info: detect: 1 rule files processed. 38253 rules successfully loaded, 0 rules failed, 0
[11 - Suricata-Main] 2024-06-27 07:38:13 Info: threshold-config: Threshold config parsed: 94 rule(s) found
[11 - Suricata-Main] 2024-06-27 07:38:13 Info: detect: 38256 signatures processed. 1093 are IP-only rules, 4866 are inspecting packet payload, 32265 inspect application layer, 0 are decoder event only
[11 - Suricata-Main] 2024-06-27 07:38:16 Info: runmodes: bond0: creating 14 threads
[12 - W#01-bond0] 2024-06-27 07:38:17 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[12 - W#01-bond0] 2024-06-27 07:38:17 Notice: log-pcap: Ring buffer initialized with 1922 files.
[13 - W#02-bond0] 2024-06-27 07:38:17 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[13 - W#02-bond0] 2024-06-27 07:38:17 Notice: log-pcap: Ring buffer initialized with 2035 files.
[14 - W#03-bond0] 2024-06-27 07:38:17 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[14 - W#03-bond0] 2024-06-27 07:38:17 Notice: log-pcap: Ring buffer initialized with 1960 files.
[15 - W#04-bond0] 2024-06-27 07:38:18 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[15 - W#04-bond0] 2024-06-27 07:38:18 Notice: log-pcap: Ring buffer initialized with 2034 files.
[16 - W#05-bond0] 2024-06-27 07:38:18 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[16 - W#05-bond0] 2024-06-27 07:38:18 Notice: log-pcap: Ring buffer initialized with 2035 files.
[17 - W#06-bond0] 2024-06-27 07:38:18 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[17 - W#06-bond0] 2024-06-27 07:38:19 Notice: log-pcap: Ring buffer initialized with 2035 files.
[18 - W#07-bond0] 2024-06-27 07:38:19 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[18 - W#07-bond0] 2024-06-27 07:38:19 Notice: log-pcap: Ring buffer initialized with 2035 files.
[19 - W#08-bond0] 2024-06-27 07:38:19 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[19 - W#08-bond0] 2024-06-27 07:38:19 Notice: log-pcap: Ring buffer initialized with 2035 files.
[20 - W#09-bond0] 2024-06-27 07:38:20 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[20 - W#09-bond0] 2024-06-27 07:38:20 Notice: log-pcap: Ring buffer initialized with 2035 files.
[21 - W#10-bond0] 2024-06-27 07:38:20 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[21 - W#10-bond0] 2024-06-27 07:38:20 Notice: log-pcap: Ring buffer initialized with 2035 files.
[22 - W#11-bond0] 2024-06-27 07:38:20 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[22 - W#11-bond0] 2024-06-27 07:38:20 Notice: log-pcap: Ring buffer initialized with 2035 files.
[23 - W#12-bond0] 2024-06-27 07:38:21 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[23 - W#12-bond0] 2024-06-27 07:38:21 Notice: log-pcap: Ring buffer initialized with 2035 files.
[24 - W#13-bond0] 2024-06-27 07:38:21 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[24 - W#13-bond0] 2024-06-27 07:38:21 Notice: log-pcap: Ring buffer initialized with 2035 files.
[25 - W#14-bond0] 2024-06-27 07:38:21 Info: log-pcap: Initializing PCAP ring buffer for /nsm/suripcap/%n/so-pcap.%t.
[25 - W#14-bond0] 2024-06-27 07:38:21 Notice: log-pcap: Ring buffer initialized with 1807 files.
[11 - Suricata-Main] 2024-06-27 07:38:22 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[12 - W#01-bond0] 2024-06-27 07:38:22 Info: af-packet: bond0: using BPF '<BPF Filter here>' for all workers
[11 - Suricata-Main] 2024-06-27 07:38:26 Notice: threads: Threads created -> W: 14 FM: 1 FR: 1   Engine started.

The PCAPS are all still being generated, as you can see below by looking at the timestamps:

-rw-r--r--. 1 suricata suricata 1048542485 Jun 27 07:21 so-pcap.1719472630.lz4
-rw-r--r--. 1 suricata suricata 1048549056 Jun 27 07:26 so-pcap.1719472918.lz4
-rw-r--r--. 1 suricata suricata 1048556108 Jun 27 07:31 so-pcap.1719473181.lz4
-rw-r--r--. 1 suricata suricata  444604416 Jun 27 07:33 so-pcap.1719473511.lz4
-rw-r--r--. 1 suricata suricata 1048546644 Jun 27 07:48 so-pcap.1719473901.lz4
-rw-r--r--. 1 suricata suricata 1048573140 Jun 27 07:59 so-pcap.1719474507.lz4
-rw-r--r--. 1 suricata suricata 1048573391 Jun 27 08:07 so-pcap.1719475140.lz4
-rw-r--r--. 1 suricata suricata 1048546728 Jun 27 08:13 so-pcap.1719475627.lz4
-rw-r--r--. 1 suricata suricata 1048552496 Jun 27 08:19 so-pcap.1719476009.lz4
-rw-r--r--. 1 suricata suricata 1048574447 Jun 27 08:27 so-pcap.1719476372.lz4
-rw-r--r--. 1 suricata suricata 1048574102 Jun 27 08:38 so-pcap.1719476845.lz4
-rw-r--r--. 1 suricata suricata 1048573787 Jun 27 08:39 so-pcap.1719477532.lz4
-rw-r--r--. 1 suricata suricata 1048571831 Jun 27 08:40 so-pcap.1719477582.lz4
-rw-r--r--. 1 suricata suricata 1048565225 Jun 27 08:45 so-pcap.1719477644.lz4
-rw-r--r--. 1 suricata suricata 1048556630 Jun 27 08:54 so-pcap.1719477949.lz4
-rw-r--r--. 1 suricata suricata 1048559843 Jun 27 09:00 so-pcap.1719478488.lz4
-rw-r--r--. 1 suricata suricata 1048573889 Jun 27 09:02 so-pcap.1719478851.lz4
-rw-r--r--. 1 suricata suricata 1048574223 Jun 27 09:04 so-pcap.1719478962.lz4
-rw-r--r--. 1 suricata suricata 1048568963 Jun 27 09:07 so-pcap.1719479067.lz4
-rw-r--r--. 1 suricata suricata 1048552690 Jun 27 09:13 so-pcap.1719479247.lz4
-rw-r--r--. 1 suricata suricata 1048574505 Jun 27 09:24 so-pcap.1719479588.lz4
-rw-r--r--. 1 suricata suricata 1048567306 Jun 27 09:28 so-pcap.1719480244.lz4
-rw-r--r--. 1 suricata suricata 1048573200 Jun 27 09:36 so-pcap.1719480539.lz4
-rw-r--r--. 1 suricata suricata 1048548058 Jun 27 09:49 so-pcap.1719480981.lz4
-rw-r--r--. 1 suricata suricata 1048566141 Jun 27 09:54 so-pcap.1719481761.lz4
-rw-r--r--. 1 suricata suricata 1048569680 Jun 27 10:05 so-pcap.1719482099.lz4
-rw-r--r--. 1 suricata suricata 1048545829 Jun 27 10:10 so-pcap.1719482727.lz4
-rw-r--r--. 1 suricata suricata  272089088 Jun 27 10:12 so-pcap.1719483057.lz4

I did however try to look for the eve.json file to see if alerts are being thrown and it may be a problem with them being sent to the manager/search node. But, I can't seem to find the file?

I checked the following directory on the forward node:
/nsm/suricata/ -> Nothing in there, only two empty folders called extracted and suripcap.
/nsm/ -> Nothing in this directory as well, only your usual folders are here.
/opt/so/ -> Nothing in any of the folders here as well.
/opt/so/log/suricata -> No eve.json in here as well only suricata.log and stats.log

Looking at the Suricata log file, this line is interesting: [11 - Suricata-Main] 2024-06-27 07:38:11 Info: logopenfile: eve-log output device (regular) initialized: /nsm/eve-%Y-%m-%d-%H:%M.json

Like I said above though, I had a look at the /nsm/ directory and there is no eve.json in there.

I even had a look at the output of the sensor_clean.log and it's just absolutely getting hammered with the following lines:

Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout
Thu Jun 27 10:19:08 AM UTC 2024 - No old Zeek logs available to clean up in /nsm/zeek/logs/
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/strelka/processed
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout
Thu Jun 27 10:19:08 AM UTC 2024 - No old Zeek logs available to clean up in /nsm/zeek/logs/
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/strelka/processed
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout
Thu Jun 27 10:19:08 AM UTC 2024 - No old Zeek logs available to clean up in /nsm/zeek/logs/
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/strelka/processed
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout
Thu Jun 27 10:19:08 AM UTC 2024 - No old Zeek logs available to clean up in /nsm/zeek/logs/
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/strelka/processed
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout
Thu Jun 27 10:19:08 AM UTC 2024 - No old Zeek logs available to clean up in /nsm/zeek/logs/
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/strelka/processed
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/suricata
Thu Jun 27 10:19:08 AM UTC 2024 - No old files available to clean up in /nsm/pcapout

It seems like there is no timer on this script that runs so it's just around 800k+ lines like that. So I done this command: cat sensor_clean.log | grep 'eve' and I got the following output:

Thu Jun 27 12:01:31 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-00:01.json
Thu Jun 27 01:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-01:01.json
Thu Jun 27 02:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-02:01.json
Thu Jun 27 03:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-03:01.json
Thu Jun 27 04:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-04:01.json
Thu Jun 27 05:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-05:01.json
Thu Jun 27 06:01:34 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-06:01.json
Thu Jun 27 07:01:35 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-07:01.json
Thu Jun 27 07:06:40 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-07:06.json
Thu Jun 27 07:38:11 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-07:38.json
Thu Jun 27 08:01:07 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-08:01.json
Thu Jun 27 09:01:07 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-09:01.json
Thu Jun 27 10:01:24 AM UTC 2024 - Removing file: /nsm/suricata/eve-2024-06-27-10:01.json

Where is it finding this file?? Is this file being removed as soon as it's created? Hence why I'm getting no alerts? But wouldn't Suricata then throw in the log that eve.json doesn't exist? Am I missing something?

As you can see, any help would be appreciated!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by dougburks

Jun 28, 2024

It seems that Suricata is writing alerts to disk but the sensor clean script is deleting those files because it thinks you're running out of disk space.

I would try lowering suricata maxsize to something smaller like 25000. Then run sudo so-checkin on the forward node and verify that it picks up the new setting. Suricata should then purge old pcap until /nsm/suripcap is down to 25T. Then see if the sensor clean script stops deleting the suricata eve log.

Also, it looks like your old steno pcap has aged out so you should be able to switch from TRANSITION to SURICATA to stop running steno altogether. This won't necessarily help your disk space issue but it will lower CPU and RAM usage on th…

View full answer

dougburks · 2024-06-28T10:51:14Z

dougburks
Jun 28, 2024
Maintainer

It appears that you've changed from the default of stenographer pcap to suricata pcap. Please note that suricata pcap is still considered BETA:
https://docs.securityonion.net/en/2.4/suricata.html#pcap

When you changed to suricata pcap, which config option did you set under Administration --> Configuration --> global --> pcapengine (SURICATA or TRANSITION)?

What did you set for suricata pcap maxsize under Administration --> Configuration --> suricata --> pcap --> maxsize?

What is the output of the following?

sudo du --max-depth=1 /nsm -h

3 replies

technox123 Jun 28, 2024
Author

Hi,

Yep, it's changed to TRANSITION at the moment in Admin -> Config -> Global -> pcapengine

I changed to this a while ago and it was working fine until well... now.

Suricata pcap Max Size is set to 28000

Output of this command sudo du --max-depth=1 /nsm -h is the following:

6.4G    /nsm/docker-registry
2.6G    /nsm/repo
1.4G    /nsm/elastic-fleet
4.0K    /nsm/pcap
0       /nsm/import
0       /nsm/pcapout
4.0K    /nsm/pcaptmp
60K     /nsm/pcapindex
8.0K    /nsm/suricata
22G     /nsm/zeek
670M    /nsm/strelka
27T     /nsm/suripcap
27T     /nsm

According to the grid view, there's around 1.7tb of free space in the /nsm folder.

Do you think it's the pcaps that are causing the problem of Suricata not being able to throw alerts?

dougburks Jun 28, 2024
Maintainer

It seems that Suricata is writing alerts to disk but the sensor clean script is deleting those files because it thinks you're running out of disk space.

I would try lowering suricata maxsize to something smaller like 25000. Then run sudo so-checkin on the forward node and verify that it picks up the new setting. Suricata should then purge old pcap until /nsm/suripcap is down to 25T. Then see if the sensor clean script stops deleting the suricata eve log.

Also, it looks like your old steno pcap has aged out so you should be able to switch from TRANSITION to SURICATA to stop running steno altogether. This won't necessarily help your disk space issue but it will lower CPU and RAM usage on the sensor.

Answer selected by technox123

technox123 Jul 2, 2024
Author

Hi Doug, thanks for that.

I changed it to 25000 and once it purged the PCAP's to under 25000 the alerts started to show up again.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Suricata no longer generating alerts #13274

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Suricata no longer generating alerts #13274

Uh oh!

technox123 Jun 27, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 3 replies

Uh oh!

dougburks Jun 28, 2024 Maintainer

Uh oh!

technox123 Jun 28, 2024 Author

Uh oh!

dougburks Jun 28, 2024 Maintainer

Uh oh!

technox123 Jul 2, 2024 Author

technox123
Jun 27, 2024

Replies: 1 comment 3 replies

dougburks
Jun 28, 2024
Maintainer

technox123 Jun 28, 2024
Author

dougburks Jun 28, 2024
Maintainer

technox123 Jul 2, 2024
Author