Bug #1435: EVE-Log alert payload option loses data - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1435

closed

EVE-Log alert payload option loses data

Added by Antti Tönkyrä over 9 years ago. Updated over 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Alexander Gozman

Target version:

2.1beta4

Affected Versions:

Effort:

Difficulty:

Label:

Description

It would seem that EVE-Log alert payload loses data before/during payload->base64 conversion. Below is an excerpt from base64-decoded "image payload". The dots are really dots in the base64 source as well which implies that the information is lost before/during the conversion.

OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,..

Rule used to trigger

alert http any any -> any any (msg:"FILE store all"; filestore; sid:15; rev:1;)

All printable characters seem to be intact and the filestore saves an intact file.

I have attached a pcap that replicates the problem plus the produced EVE-log.

Files

Download all files

imgtest.pcap (4.25 KB) imgtest.pcap		Antti Tönkyrä, 03/30/2015 07:59 AM
suricata.eve (5.67 KB) suricata.eve		Antti Tönkyrä, 03/30/2015 08:00 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1435

EVE-Log alert payload option loses data

Updated by Antti Tönkyrä over 9 years ago

Updated by Alexander Gozman over 9 years ago

Updated by Alexander Gozman over 9 years ago

Updated by Alexander Gozman over 9 years ago

Updated by Alexander Gozman over 9 years ago

Updated by Alexander Gozman over 9 years ago

Updated by Victor Julien over 9 years ago