
There is one more event besides "stats" and "alert". It is "drop" for IPS. #13032

Closed
samiux opened this issue Apr 4, 2023 · 39 comments · Fixed by #13048
Labels: bug (unexpected problem or unintended behavior), help wanted (request for community participation, code, contribution), size/s (1 day effort, great beginner issue)

Comments

samiux commented Apr 4, 2023

Relevant telegraf.conf: N/A

Logs from Telegraf: N/A

System info: Telegraf 1.26.1

Docker: No response

Steps to reproduce: N/A

Expected behavior: N/A

Actual behavior: N/A

Additional info

I am running Suricata IPS and Telegraf is not working properly. It refuses to capture the traffic from the unix socket. After checking the source code, I found that in lines 226 to 246 the event "drop" is missing. It is because the event of an IPS is "drop" instead of "alert".

@samiux samiux added the bug unexpected problem or unintended behavior label Apr 4, 2023
powersj (Contributor) commented Apr 4, 2023

Hi,

The bug template exists for a reason. As-is you haven't even said what plugin you are using. Please provide a config without any credentials.

Thanks

@powersj powersj added the waiting for response waiting for response from contributor label Apr 4, 2023
samiux (Author) commented Apr 4, 2023

It is the suricata plugin. See the "suricata.go" source code, lines 226 to 246.

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Apr 4, 2023
samiux (Author) commented Apr 4, 2023

Moreover, someone may use "reject" instead of "drop" too.

powersj (Contributor) commented Apr 4, 2023

Moreover, someone may use "reject" instead of "drop" too.

It looks like there are custom parsers for these alert and stats results. Can you provide an example object to determine how these messages should be parsed?

Thanks

@powersj powersj added the waiting for response waiting for response from contributor label Apr 4, 2023
samiux (Author) commented Apr 4, 2023

The following is an example Suricata rule:

```
alert tcp $EXTERNAL_NET any -> 10.200.0.0/24 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1255; rev:7;)
```

Where "alert" is for IDS. When using Suricata as IPS, "alert" may be "drop" or "reject" depending on the rule writer's choice. "drop" means to drop all the related packets without a response, while "reject" means to drop all the related packets and respond to the sender about the action.

Moreover, another keyword is "pass", which allows the related packets to pass the IDS/IPS without further action. I think "pass" may be ignored for Telegraf.

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Apr 4, 2023
@powersj powersj added help wanted Request for community participation, code, contribution size/s 1 day effort, great beginniner issue labels Apr 5, 2023
powersj (Contributor) commented Apr 5, 2023

"alert" may be "drop" or "reject" depending on the writers' mind.

Ah so we can re-use the existing alert parsing to capture and parse possible "drop" and "reject" messages. That should be straightforward to test in a PR

samiux (Author) commented Apr 5, 2023

Replace lines 226 to 246 with the following code:

```go
func (s *Suricata) parse(acc telegraf.Accumulator, sjson []byte) error {
	// initial parsing
	var result map[string]interface{}
	err := json.Unmarshal(sjson, &result)
	if err != nil {
		return err
	}
	// check for presence of relevant stats or alert or drop or reject
	_, ok := result["stats"]
	_, ok2 := result["alert"]
	_, ok3 := result["drop"]
	_, ok4 := result["reject"]
	if !ok && !ok2 && !ok3 && !ok4 {
		s.Log.Debugf("Invalid input without 'stats' or 'alert' or 'drop' or 'reject' object: %v", result)
		return fmt.Errorf("input does not contain 'stats' or 'alert' or 'drop' or 'reject' object")
	}
	if ok {
		s.parseStats(acc, result)
	} else if ok2 && s.Alerts {
		s.parseAlert(acc, result)
	} else if ok3 && s.Alerts {
		s.parseAlert(acc, result)
	} else if ok4 && s.Alerts {
		s.parseAlert(acc, result)
	}
	return nil
}
```

powersj (Contributor) commented Apr 5, 2023

@samiux Do you want to put up a PR? If you do the PR will get artifacts attached to it, assuming tests pass, that you could then also confirm work.

samiux (Author) commented Apr 5, 2023

I do not know how to do it. Any procedure?

powersj (Contributor) commented Apr 6, 2023

I put up PR #13048 which should have some artifacts added as a comment from the telegraf tiger in the next 20-30mins. If you could download one of those artifacts and see if it works, it would be great!

samiux (Author) commented Apr 6, 2023

Sorry, where to download?

powersj (Contributor) commented Apr 6, 2023

Hmm seems the bot didn't add the links again. I'll follow up with circleci :(

here are direct links:

Let me know if you are using a different architecture or OS combo and I can get you that link.

samiux (Author) commented Apr 6, 2023

How about the arm64 version on Debian?

powersj (Contributor) commented Apr 6, 2023

samiux (Author) commented Apr 6, 2023

The changes do not work.

I am running Suricata 6.0.10 in IPS mode.

The following are examples from the eve.log:

```json
{"timestamp":"2023-04-07T00:21:07.805683+0800","event_type":"stats","stats":{"uptime":160,"capture":{"kernel_packets":522,"kernel_drops":0,"errors":0},"decoder":{"pkts":526,"bytes":56688,"invalid":0,"ipv4":191,"ipv6":1,"ethernet":526,"chdlc":0,"raw":0,"null":0,"sll":0,"tcp":157,"udp":34,"sctp":0,"icmpv4":0,"icmpv6":1,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vxlan":0,"vntag":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":107,"max_pkt_size":1454,"max_mac_addrs_src":0,"max_mac_addrs_dst":0,"erspan":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":0,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0,"opt_pad_required":0,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pkt":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"trunc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hopopts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_invalid_length":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"opt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0,"len_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_small":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"version1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0,"too_many_layers":0},"ieee8021ah":{"header_too_small":0},"vntag":{"header_too_small":0,"unknown_type":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"mpls":{"header_too_small":0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"vxlan":{"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_version":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0},"chdlc":{"pkt_too_small":0}},"too_many_layers":0},"flow":{"memcap":0,"tcp":15,"udp":13,"icmpv4":0,"icmpv6":1,"tcp_reuse":0,"get_used":0,"get_used_eval":0,"get_used_eval_reject":0,"get_used_eval_busy":0,"get_used_failed":0,"wrk":{"spare_sync_avg":100,"spare_sync":11,"spare_sync_incomplete":0,"spare_sync_empty":0,"flows_evicted_needs_work":0,"flows_evicted_pkt_inject":0,"flows_evicted":1,"flows_injected":0},"mgr":{"full_hash_pass":1,"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"rows_maxlen":1,"flows_checked":11,"flows_notimeout":11,"flows_timeout":0,"flows_timeout_inuse":0,"flows_evicted":0,"flows_evicted_needs_work":0},"spare":10100,"emerg_mode_entered":0,"emerg_mode_over":0,"memuse":9965056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"local_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"tcp":{"sessions":3,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":3,"synack":3,"rst":2,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":9699328,"reassembly_memuse":1581056},"detect":{"engines":[{"id":0,"last_reload":"2023-04-07T00:18:57.043537+0800","rules_loaded":38515,"rules_failed":0}],"alert":0,"alert_queue_overflow":0,"alerts_suppressed":0},"app_layer":{"flow":{"http":2,"ftp":0,"smtp":0,"tls":1,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":8,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"http2":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":3,"nfs_udp":0,"krb5_udp":0,"failed_udp":2},"tx":{"http":2,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":8,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"rdp":0,"http2":0,"dcerpc_udp":0,"dns_udp":16,"nfs_udp":0,"krb5_udp":0},"expectations":0},"http":{"memuse":192,"memcap":0},"ftp":{"memuse":0,"memcap":0},"file_store":{"open_files":0}}}
{"timestamp":"2023-04-07T00:21:01.318245+0800","flow_id":180225164834117,"in_iface":"eth1","event_type":"drop","src_ip":"192.168.0.110","src_port":46016,"dest_ip":"54.192.18.125","dest_port":443,"proto":"TCP","drop":{"len":76,"tos":0,"ttl":64,"ipid":62316,"tcpseq":3900248957,"tcpack":2339873683,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":true,"tcpres":0,"tcpurgp":0,"reason":"stream error"}}
{"timestamp":"2023-04-07T00:27:50.220224+0800","flow_id":1124332026121723,"in_iface":"eth2","event_type":"http","src_ip":"192.168.0.120","src_port":33950,"dest_ip":"203.205.239.179","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"hkminorshort.weixin.qq.com","url":"/mmtls/2d6d45f1","http_user_agent":"MicroMessenger Client","http_content_type":"application/octet-stream","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":245}}
{"timestamp":"2023-04-07T00:28:22.136079+0800","flow_id":911610881873910,"in_iface":"eth1","event_type":"flow","src_ip":"192.168.0.121","src_port":50212,"dest_ip":"142.251.130.3","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":66,"bytes_toclient":0,"start":"2023-04-07T00:26:49.432118+0800","end":"2023-04-07T00:26:49.432118+0800","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2023-04-07T00:28:01.412847+0800","flow_id":758688552342588,"in_iface":"eth1","event_type":"flow","src_ip":"192.168.0.110","src_port":36255,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":82,"bytes_toclient":82,"start":"2023-04-07T00:22:00.414780+0800","end":"2023-04-07T00:22:00.420497+0800","age":0,"state":"established","reason":"timeout","alerted":false}}
{"timestamp":"2023-04-07T00:20:57.995497+0800","flow_id":2150129093506313,"in_iface":"eth1","event_type":"dns","src_ip":"192.168.0.100","src_port":39262,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7145,"rrname":"reddit.com","rrtype":"A","tx_id":10}}
{"timestamp":"2023-04-07T00:20:57.999542+0800","flow_id":2150129093506313,"in_iface":"eth2","event_type":"dns","src_ip":"192.168.0.100","src_port":39262,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":7145,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"reddit.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"reddit.com","rrtype":"A","ttl":116,"rdata":"151.101.65.140"},{"rrname":"reddit.com","rrtype":"A","ttl":116,"rdata":"151.101.129.140"},{"rrname":"reddit.com","rrtype":"A","ttl":116,"rdata":"151.101.193.140"},{"rrname":"reddit.com","rrtype":"A","ttl":116,"rdata":"151.101.1.140"}],"grouped":{"A":["151.101.65.140","151.101.129.140","151.101.193.140","151.101.1.140"]}}}
```

powersj (Contributor) commented Apr 6, 2023

Looking at your examples in order:

1 - "event_type": "stats": this one should parse fine, what error are you getting?

2 - "event_type": "drop": as you discovered, your patch will not work, as the parseAlert call immediately checks to see if alert is present in the output and you need to specify "alert" true in your config. I have pushed another change to introduce a generic parser for drop and reject. Give the new artifacts a try in 20-30 mins. I think I resolved the circleci issues as well.

The remaining items you showed do not have a stats, alert, drop, or reject in them:

3 - "event_type": "http"
4 - "event_type": "flow"
5 - "event_type": "flow"
6 - "event_type": "dns"
7 - "event_type": "dns"

@powersj powersj added the waiting for response waiting for response from contributor label Apr 6, 2023
samiux (Author) commented Apr 6, 2023

The error message is (this is Telegraf 1.26.1):

```text
2023-04-06T18:13:15Z E! [inputs.suricata] Error in plugin: input does not contain 'stats' or 'alert' object
```

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Apr 6, 2023
samiux (Author) commented Apr 6, 2023

The error message of the PR build:

```text
2023-04-06T19:03:08Z D! [inputs.suricata] invalid input without 'stats', 'alert', 'drop', or 'reject' object: %!w(map[string]interface {}=map[app_proto:dns dest_ip:8.8.8.8 dest_port:53 event_type:flow flow:map[age:0 alerted:false bytes_toclient:208 bytes_toserver:96 end:2023-04-07T02:55:11.456804+0800 pkts_toclient:1 pkts_toserver:1 reason:timeout start:2023-04-07T02:55:11.421911+0800 state:established] flow_id:2.31406757179415e+14 in_iface:eth1 proto:UDP src_ip:192.168.0.200 src_port:43467 timestamp:2023-04-07T03:03:08.122605+0800])
2023-04-06T19:03:07Z D! [inputs.suricata] invalid input without 'stats', 'alert', 'drop', or 'reject' object: %!w(map[string]interface {}=map[app_proto:dns dest_ip:192.168.0.1 dest_port:53 event_type:flow flow:map[age:0 alerted:false bytes_toclient:100 bytes_toserver:84 end:2023-04-07T02:56:56.435761+0800 pkts_toclient:1 pkts_toserver:1 reason:timeout start:2023-04-07T02:56:56.408026+0800 state:established] flow_id:2.20090696730057e+15 in_iface:eth1 proto:UDP src_ip:192.168.0.120 src_port:63069 timestamp:2023-04-07T03:03:07.421238+0800])
```

powersj (Contributor) commented Apr 6, 2023

That is expected, as those are both "event_type:flow"

samiux (Author) commented Apr 6, 2023

InfluxDB got the data. However, there are no fields such as dest_ip, dest_port, src_ip, src_port, proto, in_iface, out_iface and event_type, etc. in InfluxDB. I think Grafana needs them to make a good looking dashboard.

powersj (Contributor) commented Apr 6, 2023

Are those fields always in a drop or reject message or does it depend?

I see them in alerts as well, but looks like we currently do not parse them either.

samiux (Author) commented Apr 6, 2023

Those fields are also in "drop" and "reject" messages. However, when making a good looking dashboard, we need those fields to plot the graphs. Such as:

Drop and Alert list: timestamp, event_type, reason, src_ip, src_port, dest_ip, dest_port, proto

Count for protocol list: timestamp, event_type, src_ip, src_port, dest_ip, dest_port, proto

It is also good to show the signature in the field too.

samiux (Author) commented Apr 6, 2023

I think it is good to combine all event types (such as alert, drop, reject) in one measurement. When we are going to plot a graph, we can just search for the event type and other fields.

powersj (Contributor) commented Apr 6, 2023

I think it is good to combine all event types (such as alert, drop, reject) in one measurement.

I do not disagree, but at this point you are effectively "breaking" the plugin by changing how it works for existing users if we were to make this change.

This "issue" has grown in scope a little bit, so when I get back next week I can think about next steps on this one.

samiux (Author) commented Apr 7, 2023

Would you mind telling me how to get the src_ip, src_port, dest_ip and dest_port?

powersj (Contributor) commented Apr 10, 2023

timestamp

To set the timestamp using the message timestamp we would need two new fields one for the fieldname and one for the timestamp format to parse. By default we would want to continue to ignore this field as to not change existing users

Would you mind telling me how to get the src_ip, src_port, dest_ip and dest_port?

Are these always in the root of the message? Looks like someone mentioned these values most-merge in #9322 previously.

In terms of collecting these values, we could check if they are in the root and add what we find as fields if we do find them.

Thoughts?

samiux (Author) commented Apr 10, 2023

In my opinion, "timestamp" is very important to network security monitoring as it tells us when the events were triggered. Meanwhile, IP addresses and ports are also important to security monitoring.

How about creating another measurement (such as suricata_events, besides suricata and suricata_alert) to keep all the data (all kinds of event type) from the eve json log for the users who require all the event types, IP addresses, ports, etc.?

Meanwhile, elasticsearch, logstash and kibana can capture all the eve json log from Suricata. However, the ELK Stack consumes a lot of resources, which is not suitable for IoT. On the other hand, I find that someone else uses elasticsearch to capture the log and plot the graphs in Grafana, such as https://github.com/TripleConsult/suricata_grafana_dashboard .

powersj added a commit to powersj/telegraf that referenced this issue Apr 11, 2023
Adds a new v2 message parsing that will parse any event type that is
received.

fixes: influxdata#13032
powersj (Contributor) commented Apr 11, 2023

I have pushed a bigger update to #13048 which introduces a new config option called version. Setting this to version = "2" will attempt to parse any message that is received based on the event_type key, set the time based on the timestamp, and include those missing base tag and field options.

I need to write some more test cases, but could you give it a try and let me know what you think?

samiux (Author) commented Apr 11, 2023

It seems that it is working properly. I will let the telegraf to run for a while for further checking. Thank you.

samiux (Author) commented Apr 13, 2023

After running it for a while, it is working properly and perfect. Thank you.

powersj (Contributor) commented Apr 13, 2023

Thank you for trying it out and confirming! I'll wrap up some test cases and put up the PR for review next week.

Thanks again!

samiux (Author) commented Apr 16, 2023

```text
E! [outputs.influxdb_v2] Failed to write metric to suricata_events (will be dropped: 422 Unprocessable Entity): unprocessable entity: failure writing points to database: partial write: field type conflict: input field "version" on measurement "suricata" is type string, already exists as type float dropped=8
```

Any harm?

powersj (Contributor) commented Apr 18, 2023

input field "version" on measurement "suricata" is type string, already exists as type float

Ah interesting, do you have an example metric that has a version field as a string and another as a float?

In general it doesn't do any harm, but it does mean that you are missing that field when it shows up as a string. I think in other plugins we try to store version as a string since it can and usually does have characters or extra periods in it.

samiux (Author) commented Apr 18, 2023

I do not know which data contains the version field that is a float.

However, I think that all the fields of the metric data may be string as it can produce log files, such as json.

samiux (Author) commented Apr 18, 2023

By the way, "signature_id", "src_port" and "dest_port" are also string as they do not do calculation.

powersj (Contributor) commented Apr 19, 2023

However, I think that all the fields of the metric data may be string as it can produce log files, such as json.

The flexFlatten function is used to produce the fields. If it gets "1.20" a float and then "1.20a" a string, whichever gets in first wins and then you are stuck with two different types. What we typically want to do is specify the fields and their data types that we want. Because the suricata messages could have a variety of fields and types I think we are stuck with what we have for now.

By the way, "signature_id", "src_port" and "dest_port" are also string as they do not do calculation.

In the branch I am specifically setting src_port and dest_port to integers. Is that not what you are seeing?

Is there anything else in the branch that is an issue? Or is it generally working?

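The parsing approach discussed in this thread (dispatch on the record's event_type rather than on a fixed list of top-level keys, so that drop and reject need no special case; take the point's time from the record's own timestamp; promote src_ip, dest_ip and the ports to tags and typed fields), together with the per-key type policy that would have avoided the "version" float-versus-string conflict reported above, as an added Go example. This is not code from the Telegraf suricata plugin or from #13048: the measurement name, the tag/field lists and the stringFields policy are assumptions made for the example; the first sample line is the drop record posted earlier in this thread, the other three are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// Metric is one Telegraf-style point built from a single eve.json line.
type Metric struct {
	Measurement string
	Tags        map[string]string
	Fields      map[string]interface{}
	Time        time.Time
}

// Suricata writes the UTC offset as +0800 (no colon), which time.RFC3339 rejects.
const eveTimeLayout = "2006-01-02T15:04:05.999999-0700"
// Top-level keys promoted to tags / typed fields (assumed list, not the plugin's own).
var baseTags = []string{"event_type", "src_ip", "dest_ip", "proto", "in_iface", "out_iface", "app_proto"}
var baseIntFields = []string{"src_port", "dest_port"}
// Keys pinned to string however JSON encodes them: without such a policy the first value
// written fixes the column type and a later write of the other type is rejected (assumed set).
var stringFields = map[string]bool{"version": true, "signature_id": true}

// flatten emits delimiter-joined leaf keys; name is the last path component. JSON null is dropped.
func flatten(prefix, name string, v interface{}, delim string, out map[string]interface{}) {
	switch x := v.(type) {
	case map[string]interface{}:
		for k, child := range x {
			key := prefix + delim + k
			if prefix == "" {
				key = k
			}
			flatten(key, k, child, delim, out)
		}
	case []interface{}:
		b, _ := json.Marshal(x) // arrays (dns answers, detect.engines) kept as JSON text
		out[prefix] = string(b)
	case float64:
		out[prefix] = x
		if stringFields[name] {
			out[prefix] = strconv.FormatFloat(x, 'f', -1, 64)
		}
	case string, bool:
		out[prefix] = x
	}
}

// ParseEVE accepts any record with an event_type: the body sits under the key of the same
// name (drop -> "drop", stats -> "stats"), so drop/reject need no special case.
func ParseEVE(line []byte, delim string) (*Metric, error) {
	var rec map[string]interface{}
	if err := json.Unmarshal(line, &rec); err != nil {
		return nil, err
	}
	et, _ := rec["event_type"].(string)
	if et == "" {
		return nil, fmt.Errorf("record has no event_type")
	}
	ts, _ := rec["timestamp"].(string)
	t, err := time.Parse(eveTimeLayout, ts)
	if err != nil {
		return nil, fmt.Errorf("bad timestamp %q: %w", ts, err)
	}
	m := &Metric{Measurement: "suricata", Tags: map[string]string{}, Fields: map[string]interface{}{}, Time: t}
	for _, k := range baseTags {
		if s, ok := rec[k].(string); ok {
			m.Tags[k] = s
		}
	}
	for _, k := range baseIntFields {
		if f, ok := rec[k].(float64); ok {
			m.Fields[k] = int64(f)
		}
	}
	if body, ok := rec[et]; ok {
		flatten("", "", body, delim, m.Fields)
	}
	return m, nil
}

// SampleLines: [0] is the drop record posted in this thread; [1]-[3] are constructed for the example.
var SampleLines = []string{
	`{"timestamp":"2023-04-07T00:21:01.318245+0800","flow_id":180225164834117,"in_iface":"eth1","event_type":"drop","src_ip":"192.168.0.110","src_port":46016,"dest_ip":"54.192.18.125","dest_port":443,"proto":"TCP","drop":{"len":76,"tos":0,"ttl":64,"ipid":62316,"tcpseq":3900248957,"tcpack":2339873683,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":true,"tcpres":0,"tcpurgp":0,"reason":"stream error"}}`,
	`{"timestamp":"2023-04-07T00:20:57.999542+0800","event_type":"dns","src_ip":"192.168.0.100","src_port":39262,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","rrname":"reddit.com","rcode":"NOERROR"}}`,
	`{"timestamp":"2023-04-07T00:21:09.100000+0800","event_type":"tls","src_ip":"192.168.0.110","src_port":46020,"dest_ip":"54.192.18.125","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","sni":"example.com"}}`,
	`{"timestamp":"2023-04-07T00:21:07.805683+0800","event_type":"stats","stats":{"uptime":160,"capture":{"kernel_packets":522,"kernel_drops":0}}}`,
}

func main() {
	for _, line := range SampleLines {
		m, err := ParseEVE([]byte(line), "_")
		fmt.Println(m, err)
	}
}
```

With the policy in place the dns record's numeric version and the tls record's string version both land as strings in the same "version" field, so the database sees one type; without it the first of the two to arrive would win and the other would be rejected, which is the failure mode the write error above reports. Records without an event_type or with an unparseable timestamp are returned as errors rather than silently written with the collection time.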
samiux (Author) commented Apr 20, 2023

"src_port" and "dest_port" are now integer. However, I think all the metric field of Suricata are string only as they do not do any calculation.

powersj (Contributor) commented Apr 20, 2023

However, I think all the metric field of Suricata are string only as they do not do any calculation.

Are you asking me to flip those back to strings as well?

samiux (Author) commented Apr 21, 2023

If it is making sense, I would like to make them as string.

powersj added a commit to powersj/telegraf that referenced this issue May 1, 2023
Adds a new v2 message parsing that will parse any event type that is
received.

fixes: influxdata#13032