我正在尝试使suricata在fast.log文件中的pcap上发出警报,而不是在文档中所说的那样通过网络接口发出警报,但是在fast.log中无法获得任何输出。
# suricata -V
This is Suricata version 5.0.2 RELEASE
/etc/suricata/suricata.yaml中使用默认suricata.yaml当我在离线模式下使用带有恶意流量的pcap运行suricata时,我应该在fast.log中看到输出。
我跑步:
suricata -c /etc/suricata/suricata.yaml -r malware.pcap -v
并获得:
[384] 10/4/2020 -- 00:41:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[384] 10/4/2020 -- 00:41:49 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[384] 10/4/2020 -- 00:41:54 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 20015 rules successfully loaded, 0 rules failed
[384] 10/4/2020 -- 00:41:55 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[384] 10/4/2020 -- 00:41:55 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 20018 signatures processed. 1153 are IP-only rules, 3900 are inspecting packet payload, 14735 inspect application layer, 103 are decoder event only
[384] 10/4/2020 -- 00:42:04 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started.
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:176) <Info> (ReceivePcapFileLoop) -- Starting file run for malware.pcap
[386] 10/4/2020 -- 00:42:04 - (util-checksum.c:89) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file-helper.c:149) <Info> (PcapFileDispatch) -- pcap file malware.pcap end of file reached (pcap err code 0)
[384] 10/4/2020 -- 00:42:04 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
[384] 10/4/2020 -- 00:42:04 - (suricata.c:1103) <Info> (SCPrintElapsedTime) -- time elapsed 0.130s
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 18523 packets, 3310685 bytes
[384] 10/4/2020 -- 00:42:04 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 316
[384] 10/4/2020 -- 00:42:04 - (detect-engine-build.c:1716) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
但fast.log中没有输出
# cat /var/log/suricata/fast.log | wc -l
0
当我以常规模式运行suricata并使用tcpreplay在相同的界面上重播pcap时,会收到316条警报。
# suricata -c /etc/suricata/suricata.yaml -i eth0
# tcpreplay -t -i eth0 /root/malware.pcap
Warning in send_packets.c:send_packets() line 637:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 18523 packets (3310685 bytes) sent in 0.290575 seconds
Rated: 11393564.4 Bps, 91.14 Mbps, 63746.02 pps
Flows: 1520 flows, 5231.00 fps, 12589 flow packets, 5934 non-flow
Statistics for network device: eth0
Successful packets: 18522
Failed packets: 1
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
# cat /var/log/suricata/fast.log | wc -l
316
此316与上述脱机模式发布的输出中的一行相同,但在fast.log中看不到任何内容。
发生了什么事?
好,终于找到了我的答案。由于某些原因,在脱机模式下运行Suricata时,它会将fast.log(和所有其他日志文件)输出到当前工作目录,而不是yaml的目录。我将为此向Suricata开发人员提交错误,因为我确定这不是故意的。