Import Malware-PCAP, but see no suricata alert #13801

simonkey7 · 2024-10-10T15:58:07Z

simonkey7
Oct 10, 2024

Version

2.4.100

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Eval

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

8

RAM

10GB

Storage for /

200

Storage for /nsm

200

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I want to import the PCAPs, as described in https://blog.securityonion.net/2021/07/quick-malware-analysis-malware-traffic_29.html

I import the PCAP via:

The importing is successful. I can see the connections in the dashboard when I filter for the specific time range.

But in the alert tab, there is no suricata alert.

I saw a similar problem: #2489

Doing the described steps with another malware pcap was also not successful.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

nebra-status · 2024-10-11T08:06:33Z

nebra-status
Oct 11, 2024

Probably because the PCAP with the malware has another $HOME_NET than configured in your SO ?

1 reply

simonkey7 Oct 17, 2024
Author

good point, but $HOME_NET includes 10.0.0.0/8. Should do it for the pcap.

I checked the console.log for an imported pcap:

i: suricata: This is Suricata version 7.0.6 RELEASE running in USER mode
W: runmodes: output module "stats": setup failed
W: counters: stats are enabled but no loggers are active
E: logopenfile: Error opening file: "./stats.log": Permission denied
W: detect-flowbits: flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2002172 and 1 other sigs
W: detect-flowbits: flowbit 'ET.GenericPhish_Excel' is checked but not set. Checked in 2023046 and 0 other sigs
W: detect-flowbits: flowbit 'realplayer.playlist' is checked but not set. Checked in 2102438 and 2 other sigs
W: detect-flowbits: flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs
W: log-pcap: Failed to open directory /nsm/suripcap/1: Not a directory
i: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.
i: pcap: read 1 file, 3067 packets, 1261815 bytes

dougburks · 2024-10-18T20:47:29Z

dougburks
Oct 18, 2024
Maintainer

Have you tried following the Troubleshooting Alerts section of the documentation?
https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts

If that doesn't help, please share the outcome of each step so that we can assist you further.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Import Malware-PCAP, but see no suricata alert #13801

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Import Malware-PCAP, but see no suricata alert #13801

Uh oh!

simonkey7 Oct 10, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 1 reply

Uh oh!

nebra-status Oct 11, 2024

Uh oh!

simonkey7 Oct 17, 2024 Author

Uh oh!

dougburks Oct 18, 2024 Maintainer

simonkey7
Oct 10, 2024

Replies: 2 comments 1 reply

nebra-status
Oct 11, 2024

simonkey7 Oct 17, 2024
Author

dougburks
Oct 18, 2024
Maintainer