Bug #3617 (open): Missing icmp netflow
Description
Dear support,
I use Suricata version 4.1.3 and found a problem.
Suricata only sends netflow data for these types of ICMP traffic:
icmp_type: 0
icmp_type: 8
icmp_type: 13
For example:
{"timestamp":"2020-04-07T14:11:58.002938+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xxx.xxx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":55,"max_ttl":55}}
{"timestamp":"2020-04-07T14:11:58.002958+0200","flow_id":1641624226562049,"event_type":"netflow","src_ip":"xx.xxx.xx.xxx","dest_ip":"xxx.xxx.xxx.xx","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64,"start":"2020-04-07T14:06:57.000001+0200","end":"2020-04-07T14:06:57.000001+0200","age":0,"min_ttl":64,"max_ttl":64}}
{"timestamp":"2020-04-06T11:17:42.000871+0200","flow_id":693070074413057,"event_type":"netflow","src_ip":"xxx.xx.xxx.xx","dest_ip":"xx.xxx.xx.xxx","proto":"ICMP","icmp_type":13,"icmp_code":0,"netflow":{"pkts":2,"bytes":128,"start":"2020-04-06T11:17:11.000001+0200","end":"2020-04-06T11:17:11.000001+0200","age":0,"min_ttl":27,"max_ttl":41}}
This problem occurs only for IPv4 traffic.
We did not examine IPv6 ICMP netflow data.
There is no problem with TCP and UDP netflow data.
What could be the problem?
Regards,
Zsolt Nagy
Updated by Andreas Herz over 4 years ago
Can you try it with Suricata 5.0.x as well?
Also a pcap would be helpful so we can debug it on our side.
Updated by Zsolt Nagy over 4 years ago
Andreas Herz wrote in #note-1:
Can you try it with Suricata 5.0.x as well?
Also a pcap would be helpful so we can debug it on our side.
Dear Andreas,
I also tried Suricata version 5.0.2, but the same problem occurs.
During the tests, we generated icmp_type 0, 3, 8, 11, and 13 traffic.
But Suricata only sends netflow data for these types of ICMP traffic:
icmp_type: 0
icmp_type: 8
icmp_type: 13
I would like an email address where I can send the pcap.
Updated by Andreas Herz over 4 years ago
aherz@oisf.net or upload it here if possible
Updated by Zsolt Nagy over 4 years ago
Andreas Herz wrote in #note-3:
aherz@oisf.net or upload it here if possible
Dear Andreas,
I emailed the pcap file.
Regards,
Zsolt Nagy
Updated by Andreas Herz over 4 years ago
- Tracker changed from Support to Bug
- Assignee set to OISF Dev
- Target version set to TBD
- Affected Versions 5.0.3 added
- Affected Versions deleted (4.1.5)
I can confirm that with 5.0.3 and your pcap, although I don't even see type 13 in netflow, only 8 and 0. It's even less for flow, where it's only type 8.
I don't find type 13 in the pcap either.
If you run a rule with the keyword itype:3 or itype:11, the alerts trigger, so the pcap is fine and parsed correctly.
So the question is whether it's intended not to output those types, or a bug. We will look into this.
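The check Andreas describes (alerts on itype:3 / itype:11 fire, yet no netflow records appear for those types) can be reproduced from an EVE JSON file without reading the pcap by hand: tally ICMP types per event_type and diff the set seen in alerts against the set exported as netflow. The script below is an added example, not code from the bug report or from the Suricata project. It assumes only the EVE field names visible in the report (event_type, proto, icmp_type, icmp_code, netflow); the embedded sample lines are constructed, with documentation-range addresses and invented flow_id / signature_id values, and are not the reporter's pcap output.

```python
"""Tally which ICMP types Suricata exports as netflow versus alerts.

Added example, not part of the bug report or of Suricata itself. It relies
only on the EVE JSON field names shown in the report; everything else
(sample records, addresses, flow ids, signature ids) is constructed.
"""
import json
import sys
from collections import defaultdict

# Constructed EVE lines: two netflow records (type 8 / type 0, one flow,
# both directions), two alerts for ICMP types that the report says never
# show up in netflow, and one TCP netflow record that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2020-04-07T14:11:58.002938+0200","flow_id":1,"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"ICMP","icmp_type":8,"icmp_code":0,"netflow":{"pkts":1,"bytes":64}}
{"timestamp":"2020-04-07T14:11:58.002958+0200","flow_id":1,"event_type":"netflow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":0,"icmp_code":0,"netflow":{"pkts":1,"bytes":64}}
{"timestamp":"2020-04-07T14:12:01.000000+0200","flow_id":2,"event_type":"alert","src_ip":"198.51.100.1","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":3,"icmp_code":3,"alert":{"signature":"ICMP type 3 seen","signature_id":1000001}}
{"timestamp":"2020-04-07T14:12:02.000000+0200","flow_id":3,"event_type":"alert","src_ip":"198.51.100.1","dest_ip":"192.0.2.10","proto":"ICMP","icmp_type":11,"icmp_code":0,"alert":{"signature":"ICMP type 11 seen","signature_id":1000002}}
{"timestamp":"2020-04-07T14:12:03.000000+0200","flow_id":4,"event_type":"netflow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","src_port":51000,"dest_port":443,"netflow":{"pkts":5,"bytes":800}}
"""


def tally_icmp_types(lines):
    """Return {event_type: {icmp_type: count}} for ICMP records only.

    Malformed or empty lines are skipped instead of aborting the run, since
    rotated or truncated EVE files commonly end in a partial record.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Only ICMP records carry icmp_type; TCP/UDP records are out of scope.
        if rec.get("proto") != "ICMP" or "icmp_type" not in rec:
            continue
        counts[rec.get("event_type", "?")][rec["icmp_type"]] += 1
    return {et: dict(c) for et, c in counts.items()}


def icmp_types_missing_from(counts, have="alert", want="netflow"):
    """ICMP types present in `have` records but absent from `want` records.

    With itype rules loaded for every type in the test traffic, a non-empty
    result is the gap the report describes: the decoder saw the type (an
    alert fired) but no netflow record was ever emitted for it.
    """
    seen = set(counts.get(have, {}))
    exported = set(counts.get(want, {}))
    return sorted(seen - exported)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            counts = tally_icmp_types(fh)
    else:
        counts = tally_icmp_types(SAMPLE_EVE.splitlines())
    for event_type in sorted(counts):
        print(event_type, dict(sorted(counts[event_type].items())))
    print("ICMP types alerted on but never exported as netflow:",
          icmp_types_missing_from(counts))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 eve_icmp_tally.py /var/log/suricata/eve.json` after loading one `itype:N` rule per ICMP type generated in the test; with no argument it runs over the constructed sample and reports types 3 and 11 as missing. The same tally works with `have="flow"` to compare against flow records, which is where Andreas saw even fewer types than in netflow.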