Bug #1435
EVE-Log alert payload option loses data
Status: Closed
Description
It would seem that EVE-Log alert payload loses data before/during payload->base64 conversion. Below is an excerpt from base64-decoded "image payload". The dots are really dots in the base64 source as well which implies that the information is lost before/during the conversion.
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,..
Rule used to trigger
alert http any any -> any any (msg:"FILE store all"; filestore; sid:15; rev:1;)
All printable characters seem to be intact and the filestore saves an intact file.
I have attached a pcap that replicates the problem plus the produced EVE-log.
Updated by Antti Tönkyrä over 9 years ago
And here's the output section regarding EVE-log
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: suricata.eve
      types:
        - alert:
            payload: yes
            payload-printable: no
            packet: no
            http: no
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: yes
        - smtp
        - ssh
Updated by Alexander Gozman over 9 years ago
Right... Data loss occurs before base64 conversion because stream data are dumped via PrintStringsToBuffer(). Will think how to fix it.
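The defect described in this comment, reproduced as an added example (this is not Suricata's code or the fix in the PR): a PrintStringsToBuffer()-style dump turns every non-printable byte into a dot before base64 encoding, so the encoded payload is no longer reversible, while the intended path encodes the raw bytes. Since filestore wrote an intact copy of the file, a consumer can verify an EVE payload against that file; STORED_FILE is constructed sample data standing in for it.

```python
import base64
import string

# Constructed sample standing in for the file saved by filestore: a fragment
# of a JPEG ICC profile header mixing printable ASCII and non-printable bytes.
STORED_FILE = (b"\xff\xd8\xff\xe2\x0cXICC_PROFILE\x00\x01\x01\x00\x00\x02\x0c"
               b"OiCC\x1f\x88Photoshop\x02 \x00\x00mntrRGB XYZ \x07")

# The bytes a C isprint()-style filter keeps verbatim: 0x20..0x7e.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def lossy_encode(payload: bytes) -> str:
    """Reproduce the reported defect: non-printable bytes become '.' before
    base64 encoding, so the encoded field no longer carries the original data."""
    sanitized = bytes(b if b in PRINTABLE else ord(".") for b in payload)
    return base64.b64encode(sanitized).decode("ascii")


def raw_encode(payload: bytes) -> str:
    """Intended behaviour: base64 of the raw bytes, which round-trips exactly."""
    return base64.b64encode(payload).decode("ascii")


def payload_intact(payload_b64: str, stored_file: bytes) -> bool:
    """Check an EVE alert 'payload' against the filestore copy of the same
    transfer: a faithful payload is a contiguous fragment of the stored file."""
    decoded = base64.b64decode(payload_b64)
    return len(decoded) > 0 and decoded in stored_file


def dot_ratio(payload_b64: str) -> float:
    """Fraction of '.' bytes in the decoded payload. A high value on a payload
    that should be binary is the symptom quoted in the report."""
    decoded = base64.b64decode(payload_b64)
    return decoded.count(b".") / len(decoded) if decoded else 0.0


if __name__ == "__main__":
    fragment = STORED_FILE[5:]
    print("raw  intact:", payload_intact(raw_encode(fragment), STORED_FILE))
    print("lossy intact:", payload_intact(lossy_encode(fragment), STORED_FILE))
    print("lossy dot ratio: %.2f" % dot_ratio(lossy_encode(fragment)))
```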
Updated by Alexander Gozman over 9 years ago
- Assignee set to Alexander Gozman
- Target version set to 2.1beta4
Updated by Alexander Gozman over 9 years ago
Attempt to fix the bug: https://github.com/inliniac/suricata/pull/1423
Updated by Alexander Gozman over 9 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Updated by Alexander Gozman over 9 years ago
Updated by Victor Julien over 9 years ago
- Status changed from Resolved to Closed