Project

General

Profile

Actions

Bug #2069

open

logging: payload may not represent traffic the generated alert (eve and unified2)

Added by alienvault alienvault almost 8 years ago. Updated over 4 years ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Wrong 'data' binary content is saved to Suricata unified.alert log file if several rules are triggered by the same captured packet

Precondition steps: Latest AV USM AIO 5.X with suricata 3.2

Steps to reproduce:

1. Clean up /var/log/suricata/ dir. Restart suricata

2. Replay malware content in the same network suricate is running:
tcpreplay --topspeed --intf1=eth0 malware.pcap

2. Install idstools to parse unified2 binary packets:
pip install idstools
cp idstools-u2bin /usr/local/bin/idstools-u2bin
cp u2bin.py /usr/local/lib/python2.7/dist-packages/idstools/scripts/u2bin.py

idstools-u2bin suricata3.2_unified2.alert.1489595041 > unified2.bin

3. Get SID list: grep signature-id unified2.bin

4. Examine 'data' binary content in unified2.bin file.
FIRST 4 log records are OK. 'data' binary content really matches rule content
OK:
VirtualUSMAllInOne:~# grep sid:2018644 /etc/suricata/rules/*.rules
VirtualUSMAllInOne:~# grep sid:2000419 /etc/suricata/rules/*.rules

Rest of log records 'data' looks bad
BAD:
VirtualUSMAllInOne:~# grep sid:2008438 /etc/suricata/rules/*.rules
VirtualUSMAllInOne:~# grep sid:2018572 /etc/suricata/rules/*.rules

BAD Content:
sid:2008438
content:"Content-Type|3a| text/plain";
content:"MZ";
content:"PE|00 00|";

sid:2018572
content:"MZ";
content:"PE|00 00|";

sid:2014520
content:"Content-Disposition";
content:"attachment";
content:"MZ";

Actually, the rest of rules are also triggered by windows executable content ('MZ' & 'PE' are .exe markers)
So last 3 records should contain the SAME content as previous 2 records
But looks like wrong binary is written into the unified2 log


Files

idstools-u2bin (228 Bytes) idstools-u2bin alienvault alienvault, 03/24/2017 07:55 AM
suricata3.2_unified2.alert.1489595041 (15.4 KB) suricata3.2_unified2.alert.1489595041 alienvault alienvault, 03/24/2017 07:55 AM
u2bin.py (6.42 KB) u2bin.py alienvault alienvault, 03/24/2017 07:55 AM
malware.pcap (185 KB) malware.pcap alienvault alienvault, 03/24/2017 07:55 AM
unified2.bin (50.7 KB) unified2.bin alienvault alienvault, 03/24/2017 07:55 AM

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet LoggedNewOISF DevActions
Actions

Also available in: Atom PDF