Suricata seeing connection but not decoding

[cyberfarmer-colin]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

10

RAM

32

Storage for /

314

Storage for /nsm

747

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Suricata is getting all connection logs from my network to destination port 80 but doesn't seem to be able to decode that into http logs. I've confirmed seen below that the packets are reaching bond0 with their data

In Hunt I can see the net conns on port 80 to example.com just fine

But looking in http logs returns nothing

Not exactly sure what I'm missing here, even turned off checksum validation for Suricata in case there was something funky on the wire there but that had no effect. Notably it appears like other protocol decoding is having issues as well, as SSL only has data for a few internal services and not all the external sites it should see. But simpler protocols like DHCP and DNS appear to be fine.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Looking at your tcpdump screenshot, it appears that you are seeing outbound traffic but not return traffic. Please check your tap or span port to make sure you are seeing the entire TCP stream.

[cyberfarmer-colin]

I appreciate the sanity check on that but it appears that that was just because my tcpdump bpf was too restrictive. If I make it src port 80 AND dst port 80 it properly captures the whole flow

[dougburks]

Does your traffic have VLAN tags? What is the output of the following?

sudo tcpdump -evvv -ibond0 port 80

[cyberfarmer-colin]

Well talk about egg on my face, that helped me fix it. I have a bunch of untagged vlans, combined with the way my span port was configured, it picked the untagged traffic to mirror for the endpoint -> firewall flow rather than the tagged. A quick config change there and I'm right as rain. Thank you so much for the help on this, guess I need to brush up a bit on my networking knowledge.

[dougburks]

Glad you got it working. I recently added some VLAN information to our docs which might help others in the future:
Security-Onion-Solutions/securityonion-docs@61678de