malware, suricata, ids

How to run Suricata on PCAP mode and get results in fast.log


I'm trying to get suricata to alert on a pcap in the fast.log file instead of a network interface as it says it does in the documentation, but I can't get any output in fast.log.

My Setup

# suricata -V
This is Suricata version 5.0.2 RELEASE

What I expect to happen

When I run Suricata in offline mode using a pcap containing malicious traffic, I should see output in fast.log.

I run:

suricata -c /etc/suricata/suricata.yaml -r malware.pcap -v

and get:

[384] 10/4/2020 -- 00:41:49 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in USER mode
[384] 10/4/2020 -- 00:41:49 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[384] 10/4/2020 -- 00:41:54 - (detect-engine-loader.c:353) <Info> (SigLoadSignatures) -- 1 rule files processed. 20015 rules successfully loaded, 0 rules failed
[384] 10/4/2020 -- 00:41:55 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[384] 10/4/2020 -- 00:41:55 - (detect-engine-build.c:1416) <Info> (SigAddressPrepareStage1) -- 20018 signatures processed. 1153 are IP-only rules, 3900 are inspecting packet payload, 14735 inspect application layer, 103 are decoder event only
[384] 10/4/2020 -- 00:42:04 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started.
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:176) <Info> (ReceivePcapFileLoop) -- Starting file run for malware.pcap
[386] 10/4/2020 -- 00:42:04 - (util-checksum.c:89) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file-helper.c:149) <Info> (PcapFileDispatch) -- pcap file malware.pcap end of file reached (pcap err code 0)
[384] 10/4/2020 -- 00:42:04 - (suricata.c:2916) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[384] 10/4/2020 -- 00:42:04 - (suricata.c:1103) <Info> (SCPrintElapsedTime) -- time elapsed 0.130s
[386] 10/4/2020 -- 00:42:04 - (source-pcap-file.c:377) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 18523 packets, 3310685 bytes
[384] 10/4/2020 -- 00:42:04 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 316
[384] 10/4/2020 -- 00:42:04 - (detect-engine-build.c:1716) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete

but no output in fast.log

# cat /var/log/suricata/fast.log | wc -l
0

However

When I run Suricata in regular mode and replay the pcap with tcpreplay on the same interface, I get 316 alerts.

# suricata -c /etc/suricata/suricata.yaml -i eth0
# tcpreplay -t -i eth0 /root/malware.pcap
Warning in send_packets.c:send_packets() line 637:
Unable to send packet: Error with PF_PACKET send() [1]: Invalid argument (errno = 22)
Actual: 18523 packets (3310685 bytes) sent in 0.290575 seconds
Rated: 11393564.4 Bps, 91.14 Mbps, 63746.02 pps
Flows: 1520 flows, 5231.00 fps, 12589 flow packets, 5934 non-flow
Statistics for network device: eth0
    Successful packets:        18522
    Failed packets:            1
    Truncated packets:         0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN):  0
# cat /var/log/suricata/fast.log | wc -l
316

This 316 is the same as a line in the offline-mode output posted above, but I don't see anything in fast.log.

What's going on?


Solution

  • OK, found my answer at long last. For some reason, when running Suricata in offline mode it outputs fast.log (and all other log files) to the current working directory and not to the directory from the yaml. I'll be submitting a bug to Suricata dev for this, as I'm sure that wasn't intended.
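The check that would have shortened this hunt, as an added example that is not part of the question, the answer or the Suricata project: reconcile the "Alerts: N" total Suricata prints at the end of a run with the number of alert records actually present in fast.log, and when the configured log directory comes up empty, look for a fast.log in the current working directory, where the answer above found it. It assumes the verbose run output was captured to a variable or file (for example with `2>&1 | tee run.log`); the run output excerpt and the fast.log line used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the question or from the Suricata project): after an
# offline run such as
#   suricata -c /etc/suricata/suricata.yaml -r malware.pcap -v 2>&1 | tee run.log
# compare the "Alerts: N" total Suricata prints with the number of alert records
# in fast.log, and if the configured log directory is empty, also look for a
# fast.log in the current working directory, where the answer above found it.

# Constructed excerpt of the verbose run output (two lines from the question).
CONSTRUCTED_RUN_OUTPUT='[384] 10/4/2020 -- 00:41:49 - (util-logopenfile.c:474) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[384] 10/4/2020 -- 00:42:04 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 316'

# Print the alert total from the StatsLogSummary line; prints nothing if absent.
alerts_reported() {
  printf '%s\n' "$1" | sed -n 's/.*(StatsLogSummary) -- Alerts: \([0-9][0-9]*\).*/\1/p'
}

# Count alert records in a fast.log (each record carries a "[**]" marker);
# a missing or empty file counts as 0 instead of failing.
alerts_in_fastlog() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '\[\*\*\]' "$1" || true
}

# check_fastlog RUN_OUTPUT LOGDIR
# Prints "ok N" when the engine total matches LOGDIR/fast.log; otherwise prints
# "mismatch engine=E configured=C cwd=W" and returns 1, where W is the count
# found in ./fast.log (the location the answer above points at).
check_fastlog() {
  run_output=$1
  logdir=$2
  expected=$(alerts_reported "$run_output")
  configured=$(alerts_in_fastlog "$logdir/fast.log")
  if [ -n "$expected" ] && [ "$expected" = "$configured" ]; then
    echo "ok $configured"
    return 0
  fi
  cwd_count=$(alerts_in_fastlog "$PWD/fast.log")
  echo "mismatch engine=${expected:-unknown} configured=$configured cwd=$cwd_count"
  return 1
}

# Stand-alone run against the constructed excerpt and the default log directory
# (the trailing "|| true" only keeps the demo from aborting a "set -e" shell).
check_fastlog "$CONSTRUCTED_RUN_OUTPUT" /var/log/suricata || true
```

Suricata's `-l <dir>` option sets the log directory explicitly on the command line, which makes the location of fast.log independent of where the command is run from.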