Suricata not outputting alerts for a SYN flood

I am running Suricata on a Raspberry Pi and then using my install of Kali Linux to attack it. I attacked the Raspberry Pi using a SYN flood attack. I checked the <code>fast.log</code> file but nothing appeared. I also checked the <code>eve.json</code> file. Here is an excerpt from this file:
"timestamp":"2020-03-26T10:24:58.000129+0000","flow_id":1166545377695789,"event_type":"flow","src_ip":"192.168.1.128","src_port":58624,"dest_ip":"239.255.255.250","dest_port":1900,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":492,"bytes_toclient":0,"start":"2020-03-26T10:24:26.071725+0000","end":"2020-03-26T10:24:26.071725+0000","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2020-03-26T10:24:58.000681+0000","flow_id":1191675231349066,"event_type":"flow","src_ip":"192.168.1.128","src_port":54753,"dest_ip":"239.255.255.250","dest_port":1900,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":494,"bytes_toclient":0,"start":"2020-03-26T10:24:26.076106+0000","end":"2020-03-26T10:24:26.076106+0000","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2020-03-26T10:25:00.451241+0000","flow_id":247701551506089,"in_iface":"wlan0","event_type":"alert","src_ip":"fe80:0000:0000:0000:0c84:c8e2:453c:482d","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0016","proto":"IPv6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":0,"rev":0,"signature":"RULE TRIGGRED","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":90,"bytes_toclient":0,"start":"2020-03-26T10:25:00.451241+0000"}}
{"timestamp":"2020-03-26T10:25:04.000134+0000","flow_id":116370039671467,"event_type":"flow","src_ip":"192.168.1.80","src_port":5353,"dest_ip":"224.0.0.251","dest_port":5353,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":4,"pkts_toclient":0,"bytes_toserver":815,"bytes_toclient":0,"start":"2020-03-26T10:24:32.494251+0000","end":"2020-03-26T10:24:32.502118+0000","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2020-03-26T10:25:04.882328+0000","event_type":"stats","stats":{"uptime":573,"capture":{"kernel_packets":7582,"kernel_drops":0,"errors":0},"decoder":{"pkts":7582,"bytes":1295447,"invalid":0,"ipv4":6047,"ipv6":224,"ethernet":7582,"raw":0,"null":0,"sll":0,"tcp":5166,"udp":923,"sctp":0,"icmpv4":0,"icmpv6":152,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":170,"max_pkt_size":1514,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":764,"udp":460,"icmpv4":0,"icmpv6":41,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":6605104},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":764,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2288,"synack":1,"rst":2287,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":5,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2031616,"reassembly_memuse":294912},"detect":{"engines":[{"id":0,"last_reload":"2020-03-26T10:16:03.882522+0000","rules_loaded":13659,"rules_failed":0}],"alert":45},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":1,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":3,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0,"failed_udp":457},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ftp-data":0,"krb5_tcp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"ntp":3,"tftp":0,"ikev2":0,"krb5_udp":0,"dhcp":0},"expectations":0},"flow_mgr":{"closed_pruned":763,"new_pruned":455,"est_pruned":2,"bypassed_prun
ed":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}}  
I am using the Emerging Threats ruleset for my Suricata rules. I am confused as to why I did not get an alert in either log file stating that the Raspberry Pi was being attacked.
