Suricata and System Logs


  • Moderator

    I am running Snort (IPS mode) and Suricata (non-IPS mode) and have noticed that the Suricata logs are populating the System logs when it's not enabled?

    In Suricata, I have the Global Settings: "Log to System Log - Copy Suricata messages to the firewall system log." [ Disabled ]

    May 24 14:10:55 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.48.97.236:24740
    May 24 14:09:56 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 87.250.247.173:80 -> x.x.x.x8:63651
    May 24 14:09:41 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 41.224.249.124:49100
    May 24 14:08:57 suricata[72265]: [1:2200029:1] SURICATA ICMPv6 unknown type [Classification: (null)] [Priority: 3] {IPV6-ICMP} fe80:0000:0000:0000:2264:32ff:fe52:4af1:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
    May 24 14:08:09 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 24.114.67.158:20606 -> x.x.x.x:443
    May 24 14:05:37 suricata[72265]: [1:2210016:1] SURICATA STREAM CLOSEWAIT FIN out of window [Classification: (null)] [Priority: 3] {TCP} 24.114.48.241:27636 -> x.x.x.x:443
    May 24 14:03:57 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.112.106.223:26962
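The lines above are the syslog form of Suricata's alert output. As an added example that is not part of the thread, here is a small parser for that format. The sample lines are constructed in the same format as the ones quoted above, with the redacted and public addresses replaced by RFC 5737 and RFC 3849 documentation addresses; the parser also shows why the src/dst fields must be split on the last colon, since the uncompressed IPv6 line carries seven colons before the trailing number.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what the thread shows landing in the pfSense system
# log: three Suricata alert lines plus one engine message. Addresses are
# documentation ranges, not the ones from the thread.
SAMPLE_SYSLOG = """\
May 24 14:10:55 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.25:25 -> 198.51.100.7:24740
May 24 14:09:56 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 203.0.113.80:80 -> 192.0.2.8:63651
May 24 14:08:57 suricata[72265]: [1:2200029:1] SURICATA ICMPv6 unknown type [Classification: (null)] [Priority: 3] {IPV6-ICMP} fe80:0000:0000:0000:2264:32ff:fe52:4af1:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
May 24 14:08:00 suricata[72265]: Signal Received.  Stopping engine.
"""

# One alert line: timestamp, "suricata[pid]:", [gid:sid:rev], message,
# classification, priority, {proto}, then "src:port -> dst:port".
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"suricata\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    pid: int
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]  # None where Suricata printed "(null)"
    priority: int
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def split_endpoint(endpoint: str):
    """Split 'addr:port' on the LAST colon so uncompressed IPv6 addresses
    (seven colons) survive. The trailing number is a port for TCP/UDP; for
    ICMP it is not a port (the sample ICMPv6 line carries 133 and 0 there,
    which is assumed here to be the type/code Suricata prints in that slot)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Suricata syslog alert line, None for any other
    line (engine messages, other daemons)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    cls = m["classification"]
    return Alert(
        timestamp=m["ts"], pid=int(m["pid"]),
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=None if cls == "(null)" else cls,
        priority=int(m["priority"]), proto=m["proto"],
        src=src, src_port=sport, dst=dst, dst_port=dport,
    )


def parse_syslog(text: str) -> List[Alert]:
    """Parse every line, keeping only the Suricata alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def count_by_sid(alerts: List[Alert]) -> Dict[int, int]:
    """Alert count per signature ID: the first thing to look at when alerts
    show up in a log where they were not expected."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_syslog(SAMPLE_SYSLOG):
        print(f"sid={a.sid} prio={a.priority} {a.proto} "
              f"{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {a.msg}")
    print(count_by_sid(parse_syslog(SAMPLE_SYSLOG)))
```

The regex anchors on the `[gid:sid:rev]` prefix and the `{proto}` block, so engine messages such as the constructed "Signal Received" line fall through to None instead of being mis-parsed as alerts.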



  • @BBcan17:

    I am running Snort (IPS mode) and Suricata (non-IPS mode) and have noticed that the Suricata logs are populating the System logs when it's not enabled?

    In Suricata, I have the Global Settings: "Log to System Log - Copy Suricata messages to the firewall system log." [ Disabled ]

    May 24 14:10:55 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.48.97.236:24740
    May 24 14:09:56 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 87.250.247.173:80 -> x.x.x.x8:63651
    May 24 14:09:41 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 41.224.249.124:49100
    May 24 14:08:57 suricata[72265]: [1:2200029:1] SURICATA ICMPv6 unknown type [Classification: (null)] [Priority: 3] {IPV6-ICMP} fe80:0000:0000:0000:2264:32ff:fe52:4af1:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
    May 24 14:08:09 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 24.114.67.158:20606 -> x.x.x.x:443
    May 24 14:05:37 suricata[72265]: [1:2210016:1] SURICATA STREAM CLOSEWAIT FIN out of window [Classification: (null)] [Priority: 3] {TCP} 24.114.48.241:27636 -> x.x.x.x:443
    May 24 14:03:57 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.112.106.223:26962

    Have you performed a "save" operation after disabling the writing to the system log, and also tried restarting Suricata? Look in the suricata.yaml file for the interface and see if syslog output is showing as enabled.

    Bill


  • Moderator

    @bmeeks:

    Have you performed a "save" operation after disabling the writing to the system log, and also tried restarting Suricata? Look in the suricata.yaml file for the interface and see if syslog output is showing as enabled.

    Hi Bill,

    Sorry for sounding the alarm. I was looking at the General Settings tab for System logs, which was not enabled. I have now disabled the system logs for the WAN and LAN interfaces.  :o

    I don't recall the logs going to the System.log with the previous Suricata Package. I haven't played with the Suricata settings for a while now.

    Here is what is in the yaml file for "syslog":

    grep -A4 -n "syslog" /usr/pbi/suricata-amd64/etc/suricata/suricata_30898_bce0/suricata.yaml
    73:  - syslog:
    74-      enabled: no
    75-      identity: suricata
    76-      facility: auth
    77-      level: Info

    225:  - syslog:
    226-      enabled: yes
    227-      facility: auth
    228-      format: "[%i] <%d> -- "
    229-



  • @BBcan17:

    @bmeeks:

    Have you performed a "save" operation after disabling the writing to the system log, and also tried restarting Suricata? Look in the suricata.yaml file for the interface and see if syslog output is showing as enabled.

    Hi Bill,

    Sorry for sounding the alarm. I was looking at the General Settings tab for System logs, which was not enabled. I have now disabled the system logs for the WAN and LAN interfaces.  :o

    I don't recall the logs going to the System.log with the previous Suricata Package. I haven't played with the Suricata settings for a while now.

    Here is what is in the yaml file for "syslog":

    grep -A4 -n "syslog" /usr/pbi/suricata-amd64/etc/suricata/suricata_30898_bce0/suricata.yaml
    73:  - syslog:
    74-      enabled: no
    75-      identity: suricata
    76-      facility: auth
    77-      level: Info

    225:  - syslog:
    226-      enabled: yes
    227-      facility: auth
    228-      format: "[%i] <%d> -- "
    229-

    I can't remember exactly when I enabled that, but it's been there at least since one of the earlier BETA releases.  Suricata has two distinct and different logging paths.  One is for alerts.  Those can go to syslog or not.  The other is for Suricata operations-related stuff like startup, shutdown, etc.  That always goes to the suricata.log file on pfSense, but can optionally go to the system log (syslog) as well if enabled.  That's why there are two different parts of the suricata.yaml file that reference syslog.

    Bill
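As an added example, not the package's code and not from the thread: a check over a suricata.yaml that tells the two syslog blocks Bill describes apart by the top-level section they sit under, so you can see which one is actually on instead of grepping for "syslog" and counting. The yaml fragment is constructed to mirror the grep output above (alert syslog under "outputs:" disabled, engine-log syslog under "logging:" enabled); the section-to-meaning mapping follows Suricata's own layout, where rule-hit outputs live under "outputs:" and the engine's operational log under "logging:".

```python
import re
from typing import Dict, List, Optional

# Constructed suricata.yaml fragment, assumed for this example only. It mirrors
# the two "- syslog:" blocks the thread's grep found and is not a copy of any
# real configuration file.
SAMPLE_YAML = """\
%YAML 1.1
---
outputs:
  - syslog:
      enabled: no
      identity: suricata
      facility: auth
      level: Info
  - fast:
      enabled: yes
      filename: fast.log

logging:
  default-log-level: info
  outputs:
  - console:
      enabled: yes
  - syslog:
      enabled: yes
      facility: auth
      format: "[%i] <%d> -- "
"""

TOP_KEY_RE = re.compile(r"^([A-Za-z0-9_-]+):")        # column-0 key: a top-level section
SYSLOG_ITEM_RE = re.compile(r"^(\s*)-\s+syslog:\s*$")  # a "- syslog:" list item
ENABLED_RE = re.compile(r"^\s*enabled:\s*(\S+)")

# What each section's syslog block controls in Suricata's layout.
SECTION_MEANING = {
    "outputs": "alert output (rule hits copied to syslog)",
    "logging": "engine log output (startup/shutdown/engine messages copied to syslog)",
}


def yaml_bool(value: str) -> bool:
    """Interpret the YAML 1.1 style booleans suricata.yaml uses (yes/no)."""
    return value.strip().strip("\"'").lower() in ("yes", "true", "on", "1")


def find_syslog_outputs(text: str) -> List[Dict]:
    """Line-based scan, enough for this one check and needing no YAML library:
    for every '- syslog:' list item, report the top-level section it sits
    under and whether its 'enabled:' key is on."""
    lines = text.splitlines()
    findings: List[Dict] = []
    section: Optional[str] = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        top = TOP_KEY_RE.match(line)
        if top:
            section = top.group(1)
            continue
        item = SYSLOG_ITEM_RE.match(line)
        if not item:
            continue
        indent = len(item.group(1))
        enabled: Optional[bool] = None
        # The item's body is every following line indented deeper than its
        # dash; the next list item or a dedent ends it.
        for body in lines[i + 1:]:
            if body.strip() and len(body) - len(body.lstrip()) <= indent:
                break
            en = ENABLED_RE.match(body)
            if en:
                enabled = yaml_bool(en.group(1))
        findings.append({"line": i + 1, "section": section, "enabled": enabled})
    return findings


def alerts_go_to_syslog(findings: List[Dict]) -> bool:
    """True only if the syslog block under 'outputs:' is enabled; the one
    under 'logging:' carries engine messages, not alerts."""
    return any(f["section"] == "outputs" and f["enabled"] for f in findings)


def explain(findings: List[Dict]) -> List[str]:
    """One readable line per syslog block."""
    state = {True: "ENABLED", False: "disabled", None: "no enabled: key"}
    out = []
    for f in findings:
        meaning = SECTION_MEANING.get(f["section"], "section " + repr(f["section"]))
        out.append(f"line {f['line']}: {meaning} -> {state[f['enabled']]}")
    return out


if __name__ == "__main__":
    found = find_syslog_outputs(SAMPLE_YAML)
    print("\n".join(explain(found)))
    print("alerts copied to syslog:", alerts_go_to_syslog(found))
```

Point it at the per-interface file (the path in the thread's grep) by reading that file into find_syslog_outputs; on the sample it reports the "outputs:" block as disabled and the "logging:" block as enabled, which is exactly the state the thread ended up with: engine messages still reach the system log, alerts do not.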

