Netgate Discussion Forum

    packet log being generated?

    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by michmoor

      Has anyone been able to get this to work?
      I can generate alerts without issues running the following command:
      curl -A BlackSun google.com
      Easy enough. The alerts show up, but no pcap. At least as far as I know.

      I go into the filesystem of the firewall and there are no pcap files.

      /var/log/suricata/suricata_igc111827/pcaps: ls -ltrh
      total 0


      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • bmeeksB
        bmeeks
        last edited by bmeeks

        This works fine. Just tested in my virtual environment. Did you restart Suricata on the interface after making the configuration change? Any changes made under INTERFACE SETTINGS generally require a Suricata restart on the interface so that the running binary can become aware of the config change.

        Here are two screenshots from my quick test this morning. I enabled Packet Logging and then used a Kali Linux VM to port scan a pfSense 2.7.2 CE VM. That generated alerts that were captured as shown below.

        First, enable the Packet Log option by checking the box on the INTERFACE SETTINGS tab:

        Suricata_PacketLog_Enable.png

        Restart Suricata on the interface and then either wait for alerts or generate them purposefully. Check the Suricata interface logging directory under /var/log/suricata/. Each PCAP file is suffixed with a UNIX timestamp corresponding to the time the file was created. The options for Max Packet Log File Size and Max Packet Log Files determine how large each PCAP file is allowed to grow until a new one is started, and how many total PCAP files are allowed to accumulate in the PCAP logging directory:

        Suricata_PCAP_file.png

        Notice there are several options related to packet logging that automatically unhide in the GUI when you enable PCAP file generation.

        You can also independently enable packet logging/capture in the EVE JSON options. That will capture the packet data within an EVE JSON record that can then be digested by third-party EVE JSON collectors/analysis engines.

        Just be aware that packet logging will consume a ton of disk space very quickly on a busy network.

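bmeeks mentions above that the EVE JSON output can carry the packet data inside each alert record. As an added example (not code from the pfSense package or from Suricata), the Python script below reads an eve.json file, pulls the base64 "packet" field out of alert records, and writes those packets as a standard libpcap file, which is one way to get an exportable capture off the box without touching the pcap-log rotation. The EVE lines it processes are constructed sample data; the "packet" and "packet_info.linktype" field names are the ones Suricata emits when EVE packet logging is enabled.

```python
import base64
import json
import struct
from datetime import datetime

# Constructed sample EVE output: one alert carrying a 60-byte frame, one flow record without a packet.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2024-05-01T10:15:30.123456+0000", "event_type": "alert",
                "alert": {"signature": "constructed test signature"},
                "packet": base64.b64encode(bytes(range(60))).decode(),
                "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2024-05-01T10:15:31.000000+0000", "event_type": "flow"}),
])

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic for microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, what Suricata reports for Ethernet captures


def parse_ts(ts: str) -> tuple:
    """Turn an EVE timestamp like 2024-05-01T10:15:30.123456+0000 into (seconds, microseconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def eve_alerts_to_pcap(eve_text: str, linktype: int = LINKTYPE_ETHERNET) -> tuple:
    """Return (pcap_bytes, packet_count) built from every alert record that carries a packet."""
    # Global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, link type.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    count = 0
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "packet" not in rec:
            continue
        # A pcap file has a single link type; skip packets that would not match the header.
        if rec.get("packet_info", {}).get("linktype", linktype) != linktype:
            continue
        pkt = base64.b64decode(rec["packet"])
        sec, usec = parse_ts(rec["timestamp"])
        # Per-packet header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
        count += 1
    return bytes(out), count


if __name__ == "__main__":
    data, n = eve_alerts_to_pcap(SAMPLE_EVE)
    with open("alerts_from_eve.pcap", "wb") as fh:
        fh.write(data)
    print(f"wrote {n} packet(s), {len(data)} bytes")
```

On a real system, replace SAMPLE_EVE with the contents of the interface's eve.json; the resulting file opens in Wireshark or tcpdump like any other capture.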
        • M
          michmoor LAYER 8 Rebel Alliance @bmeeks
          last edited by

          @bmeeks Restarting Suricata was exactly what was needed, so thank you for that.

          I do have suggestions; please let me know if it's possible.

          1. Provide a message under the settings tab that indicates "any changes here require restarting Suricata".

          2. Provide an Export button to get the pcap out of the system in a more direct way. Right now the flow would require either SSH to the firewall and SCP the file out to another system, or going through the GUI, which is cumbersome, I find.

          I appreciate the added color about packet logging. The rules in place have been fine-tuned to the best of what we can. So far any alerts generated are actionable. The key is to not run Suricata on Internet-bound flows. Between datacenters is best, as that's less likely to be encrypted (think MySQL, for example).

          • bmeeksB
            bmeeks @michmoor
            last edited by

            @michmoor said in packet log being generated?:

            I do have suggestions; please let me know if it's possible.

            Provide a message under the settings tab that indicates "any changes here require restarting Suricata".

            Provide an Export button to get the pcap out of the system in a more direct way. Right now the flow would require either SSH to the firewall and SCP the file out to another system, or going through the GUI, which is cumbersome, I find.

            Anything is possible and Pull Requests are always welcomed at https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-suricata 😀.

            • M
              michmoor LAYER 8 Rebel Alliance @bmeeks
              last edited by

              @bmeeks Let's crack open this C++ for Dummies book. haha

              • bmeeksB
                bmeeks @michmoor
                last edited by

                @michmoor said in packet log being generated?:

                @bmeeks Let's crack open this C++ for Dummies book. haha

                Only need PHP for the GUI stuff.

                • M
                  michmoor LAYER 8 Rebel Alliance @bmeeks
                  last edited by

                  @bmeeks All jokes aside, I think I may be able to ChatGPT my way through it. I'll give it a shot.
                  Any pointers as to where to start? How do I look through the code and say "ok, this is where I put my code"?

                  • bmeeksB
                    bmeeks @michmoor
                    last edited by bmeeks

                    @michmoor said in packet log being generated?:

                    @bmeeks All jokes aside, I think I may be able to ChatGPT my way through it. I'll give it a shot.
                    Any pointers as to where to start? How do I look through the code and say "ok, this is where I put my code"?

                    The restart warning message is a simple addition to the existing INTERFACE SETTINGS tab code in suricata_interfaces_edit.php.

                    Creating something to export PCAP files would best be done with a completely new tab and associated PHP code. There's no existing functionality that you could logically tack that feature onto. You could model the new code page on the code Viktor Gurov wrote for the File Store tab a couple of years ago.

                    • M
                      michmoor LAYER 8 Rebel Alliance @bmeeks
                      last edited by

                      @bmeeks

                      Should I add the following to the top of the code in the PHP file, but below the initial comments?

                      <div style="background-color: #ffcc00; color: #000; padding: 10px; text-align: center; font-weight: bold; border: 1px solid #ffa500; margin-bottom: 20px;">
                          Any changes to the settings below will require a restart of the package.
                      </div>
                      

                      • bmeeksB
                        bmeeks @michmoor
                        last edited by

                        @michmoor said in packet log being generated?:

                        @bmeeks

                        Should I add the following to the top of the code in the PHP file, but below the initial comments?

                        <div style="background-color: #ffcc00; color: #000; padding: 10px; text-align: center; font-weight: bold; border: 1px solid #ffa500; margin-bottom: 20px;">
                            Any changes to the settings below will require a restart of the package.
                        </div>
                        

                        No, that will break the entire page and mess up the pfSense header and footer rendering. You will need to examine the existing PHP code files and learn by example. You can experiment in a VM running pfSense. If you have never programmed in PHP, and in particular within the pfSense PHP GUI environment, you need to take some time to learn the basics before jumping in and making changes.

                        • GertjanG
                          Gertjan @bmeeks
                          last edited by Gertjan

                          @bmeeks said in packet log being generated?:

                          You will need to examine the existing PHP code files and learn by example

                          Thought so. @michmoor, you need the other book.


                          Edit: or this one.

                          No "help me" PMs please. Use the forum; the community will thank you.
                          Edit: and where are the logs??

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.