
Bug #1435

closed

EVE-Log alert payload option loses data

Added by Antti Tönkyrä over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It would seem that EVE-Log alert payload loses data before/during payload->base64 conversion. Below is an excerpt from base64-decoded "image payload". The dots are really dots in the base64 source as well which implies that the information is lost before/during the conversion.

OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,..

Rule used to trigger

alert http any any -> any any (msg:"FILE store all"; filestore; sid:15; rev:1;)

All printable characters seem to be intact and the filestore saves an intact file.

I have attached a pcap that replicates the problem plus the produced EVE-log.


Files

imgtest.pcap (4.25 KB) imgtest.pcap Antti Tönkyrä, 03/30/2015 07:59 AM
suricata.eve (5.67 KB) suricata.eve Antti Tönkyrä, 03/30/2015 08:00 AM
Actions #1

Updated by Antti Tönkyrä over 9 years ago

And here's the output section regarding EVE-log

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: suricata.eve
      types:
        - alert:
            payload: yes
            payload-printable: no
            packet: no
            http: no

            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: yes
        - smtp
        - ssh
Actions #2

Updated by Alexander Gozman over 9 years ago

Right... Data loss occurs before base64 conversion because stream data are dumped via PrintStringsToBuffer(). Will think how to fix it.
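An added example (not code from this ticket or from Suricata) that models the defect described above and gives a check a practitioner can run against their own EVE output: a payload encoded from a printable-strings dump cannot round-trip to the wire bytes, while one encoded from the raw bytes can. The `lossy_dump()` model of PrintStringsToBuffer() and the sample bytes are assumptions.

```python
import base64
import json

# Constructed sample of the kind of binary content the report describes
# (an ICC profile marker with non-printable bytes around it). These are not
# the bytes from the attached pcap.
SAMPLE_PAYLOAD = b"\xff\xd8\xff\xe2\x00\x10ICC_PROFILE\x00\x01\x01\x00\x00\x02\x18"

# Printable ASCII range (isprint-style), assumed to be what the dump keeps.
PRINTABLE = set(range(0x20, 0x7F))


def lossy_dump(data: bytes) -> bytes:
    """Model of a printable-strings dump (assumed behaviour of the
    PrintStringsToBuffer() path): every non-printable byte becomes '.'."""
    return bytes(b if b in PRINTABLE else ord(".") for b in data)


def eve_alert_record(payload: bytes, lossy: bool) -> str:
    """Build a minimal EVE alert line with a base64 'payload' field, either
    from the raw bytes (correct) or from the dump (the bug on this ticket)."""
    data = lossy_dump(payload) if lossy else payload
    return json.dumps({"event_type": "alert",
                       "payload": base64.b64encode(data).decode("ascii")})


def payload_is_lossless(record: str, expected: bytes) -> bool:
    """Decode the base64 payload and compare it byte-for-byte with a reference
    copy of the wire bytes, e.g. the file that filestore wrote for the same
    alert (the reporter notes that copy is intact)."""
    payload = base64.b64decode(json.loads(record)["payload"])
    return payload == expected


def payload_looks_filtered(record: str) -> bool:
    """Heuristic when no reference copy exists: binary content whose decoded
    payload is nothing but printable ASCII (with '.' where structure should
    be) indicates the dump, not the raw bytes, was encoded. Text protocols
    are printable anyway, so only apply this to alerts on binary data."""
    payload = base64.b64decode(json.loads(record)["payload"])
    return all(b in PRINTABLE for b in payload)
```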

Actions #3

Updated by Alexander Gozman over 9 years ago

  • Assignee set to Alexander Gozman
  • Target version set to 2.1beta4
Actions #5

Updated by Alexander Gozman over 9 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #7

Updated by Victor Julien over 9 years ago

  • Status changed from Resolved to Closed