Suricata messages truncated while sending to remote log server



  • Hi,

    I have configured pfSense to send Suricata logs to a Logstash server in JSON format, but they are truncated when sent. I have checked with tcpdump:

    12:46:55.985507 IP 192.168.10.228.514 > 192.168.10.226.5140: SYSLOG syslog.alert, length: 480
    0x0000: 4500 01fc 86ef 0000 4011 5aeb c0a8 0ae4 E.......@.Z.....
    0x0010: c0a8 0ae2 0202 1414 01e8 cdf3 3c34 313e ............<41>
    0x0020: 4f63 7420 3133 2031 323a 3436 3a35 3520 Oct.13.12:46:55.
    0x0030: 7375 7269 6361 7461 5b31 3138 3638 5d3a suricata[11868]:
    0x0040: 207b 2274 696d 6573 7461 6d70 223a 2022 .{"timestamp":."
    0x0050: 3230 3230 2d31 302d 3133 5431 323a 3436 2020-10-13T12:46
    0x0060: 3a35 352e 3439 3136 3539 2b30 3030 3022 :55.491659+0000"
    0x0070: 2c20 2266 6c6f 775f 6964 223a 2032 3032 ,."flow_id":.202
    0x0080: 3232 3435 3131 3533 3330 3639 392c 2022 2245115330699,."
    0x0090: 696e 5f69 6661 6365 223a 2022 7674 6e65 in_iface":."vtne
    0x00a0: 7430 222c 2022 6576 656e 745f 7479 7065 t0",."event_type
    0x00b0: 223a 2022 616c 6572 7422 2c20 2273 7263 ":."alert",."src
    0x00c0: 5f69 7022 3a20 2231 3932 2e31 3638 2e31 ip":."192.168.1
    0x00d0: 3934 2e39 222c 2022 7372 635f 706f 7274 94.9",."src_port
    0x00e0: 223a 2034 3239 3538 2c20 2264 6573 745f ":.42958,."dest
    0x00f0: 6970 223a 2022 3139 322e 3136 382e 3130 ip":."192.168.10
    0x0100: 2e32 3238 222c 2022 6465 7374 5f70 6f72 .228",."dest_por
    0x0110: 7422 3a20 3538 3031 2c20 2270 726f 746f t":.5801,."proto
    0x0120: 223a 2022 5443 5022 2c20 2261 6c65 7274 ":."TCP",."alert
    0x0130: 223a 207b 2261 6374 696f 6e22 3a20 2261 ":.{"action":."a
    0x0140: 6c6c 6f77 6564 222c 2022 6769 6422 3a20 llowed",."gid":.
    0x0150: 312c 2022 7369 676e 6174 7572 655f 6964 1,."signature_id
    0x0160: 223a 2032 3030 3239 3130 2c20 2272 6576 ":.2002910,."rev
    0x0170: 223a 2036 2c20 2273 6967 6e61 7475 7265 ":.6,."signature
    0x0180: 223a 2022 4554 2053 4341 4e20 506f 7465 ":."ET.SCAN.Pote
    0x0190: 6e74 6961 6c20 564e 4320 5363 616e 2035 ntial.VNC.Scan.5
    0x01a0: 3830 302d 3538 3230 222c 2022 6361 7465 800-5820",."cate
    0x01b0: 676f 7279 223a 2022 4174 7465 6d70 7465 gory":."Attempte
    0x01c0: 6420 496e 666f 726d 6174 696f 6e20 4c65 d.Information.Le
    0x01d0: 616b 222c 2022 7365 7665 7269 7479 223a ak",."severity":
    0x01e0: 2032 2c20 226d 6574 6164 6174 6122 3a20 .2,."metadata":.
    0x01f0: 7b22 7570 6461 7465 645f 6174 {"updated_at

    Looks like the length of the truncated messages is 480.

    P.S. As far as I can see, only Suricata logs are affected.


  •

    idk if it's (in)sane
    https://github.com/freebsd/freebsd/blob/master/usr.sbin/syslogd/syslogd.c

    /* Truncate messages to RFC 5426 recommended size. */
    dprintf(" %s", f->fu_forw_hname);
    switch (f->fu_forw_addr->ai_family) {
#ifdef INET
    case AF_INET:
        dprintf(":%d\n",
            ntohs(satosin(f->fu_forw_addr->ai_addr)->sin_port));
        iovlist_truncate(il, 480);
        break;

    I don't understand C very much, but are they deliberately truncating to 480?



  • This is a limitation of the syslog daemon on FreeBSD. It is not something the Suricata package can control or change.



  • @kiokoman said in Suricata messages truncated while sending to remote log server:

    idk if it's (in)sane
    https://github.com/freebsd/freebsd/blob/master/usr.sbin/syslogd/syslogd.c

    /* Truncate messages to RFC 5426 recommended size. */
    dprintf(" %s", f->fu_forw_hname);
    switch (f->fu_forw_addr->ai_family) {
#ifdef INET
    case AF_INET:
        dprintf(":%d\n",
            ntohs(satosin(f->fu_forw_addr->ai_addr)->sin_port));
        iovlist_truncate(il, 480);
        break;

    I don't understand C very much, but are they deliberately truncating to 480?

    Yes, the rationale is to supposedly prevent any kind of DoS by flooding syslog with huge packets. You will find lots of links on Google about this. Some people have actually changed the C source file and then recompiled syslog to get around this limit.
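    As an added illustration (not code from this thread, from pfSense or from FreeBSD), here is a small Python model of what the receiving side sees. It builds a Suricata EVE alert in the same shape as the tcpdump in the first post, serialises it with the same syslog header, cuts the datagram at the 480-octet limit from the quoted syslogd.c, and runs a receiver-side check that flags records whose embedded JSON no longer parses, so a Logstash or similar pipeline can count or quarantine them instead of silently dropping them. The header, process id and alert fields are taken from the dump above; the contents of the `metadata` object are constructed sample values.

```python
import json
import re

# Limit FreeBSD syslogd applies when forwarding over IPv4 UDP: the
# iovlist_truncate(il, 480) call quoted from syslogd.c in this thread
# (RFC 5426 asks receivers to accept at least 480 octets on IPv4).
RFC5426_IPV4_MIN_OCTETS = 480

# BSD syslog line as it appears in the thread's tcpdump:
#   <41>Oct 13 12:46:55 suricata[11868]: {"timestamp": ...}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<tag>[^:]+): "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def sample_alert():
    """Constructed EVE alert matching the fields visible in the tcpdump.

    The values inside "metadata" are made up; the dump is cut before them.
    """
    return {
        "timestamp": "2020-10-13T12:46:55.491659+0000",
        "flow_id": 2022245115330699,
        "in_iface": "vtnet0",
        "event_type": "alert",
        "src_ip": "192.168.194.9",
        "src_port": 42958,
        "dest_ip": "192.168.10.228",
        "dest_port": 5801,
        "proto": "TCP",
        "alert": {
            "action": "allowed",
            "gid": 1,
            "signature_id": 2002910,
            "rev": 6,
            "signature": "ET SCAN Potential VNC Scan 5800-5820",
            "category": "Attempted Information Leak",
            "severity": 2,
            "metadata": {"updated_at": ["2010_07_30"], "created_at": ["2010_07_30"]},
        },
    }


def build_syslog_datagram(event, pri=41, ts="Oct 13 12:46:55", tag="suricata[11868]"):
    """Serialise an EVE event with the header seen in the thread (default separators
    ", " and ": " give the same spacing as the dump)."""
    payload = json.dumps(event)
    return f"<{pri}>{ts} {tag}: {payload}".encode("utf-8")


def forward_over_udp(datagram, limit=RFC5426_IPV4_MIN_OCTETS):
    """Model syslogd's AF_INET forwarding path: the whole datagram, header
    included, is cut to `limit` octets."""
    return datagram[:limit]


def classify(datagram):
    """Receiver-side check: was the embedded JSON record delivered whole?

    Returns a dict the pipeline can route on. `truncated_at_limit` is a
    heuristic: an unparsable record of exactly 480 octets points at the
    syslogd limit rather than at a malformed event.
    """
    text = datagram.decode("utf-8", errors="replace")
    m = SYSLOG_RE.match(text)
    if not m:
        return {"parsed_header": False, "complete": False, "length": len(datagram)}
    result = {"parsed_header": True, "length": len(datagram), "tag": m.group("tag")}
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        result["complete"] = False
        result["truncated_at_limit"] = len(datagram) == RFC5426_IPV4_MIN_OCTETS
        return result
    result["complete"] = True
    result["event_type"] = event.get("event_type")
    return result


if __name__ == "__main__":
    full = build_syslog_datagram(sample_alert())
    cut = forward_over_udp(full)
    print(len(full), classify(full))
    print(len(cut), classify(cut))
```

    Running it shows the full datagram parsing cleanly and the 480-octet copy ending in the middle of `"metadata": {"updated_at`, exactly where the dump above stops; counting `complete == False` records on the collector is a quick way to measure how many Suricata events the forwarding path is losing.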


  •

    ah, that makes sense 👍

