Bug #2069
openlogging: payload may not represent traffic the generated alert (eve and unified2)
Description
Wrong 'data' binary content is saved to Suricata unified.alert log file if several rules are triggered by the same captured packet
Precondition steps: Latest AV USM AIO 5.X with suricata 3.2
Steps to reproduce:
1. Clean up /var/log/suricata/ dir. Restart suricata
2. Replay malware content in the same network suricate is running:
tcpreplay --topspeed --intf1=eth0 malware.pcap
2. Install idstools to parse unified2 binary packets:
pip install idstools
cp idstools-u2bin /usr/local/bin/idstools-u2bin
cp u2bin.py /usr/local/lib/python2.7/dist-packages/idstools/scripts/u2bin.py
idstools-u2bin suricata3.2_unified2.alert.1489595041 > unified2.bin
3. Get SID list: grep signature-id unified2.bin
4. Examine 'data' binary content in unified2.bin file.
FIRST 4 log records are OK. 'data' binary content really matches rule content
OK:
VirtualUSMAllInOne:~# grep sid:2018644 /etc/suricata/rules/*.rules
VirtualUSMAllInOne:~# grep sid:2000419 /etc/suricata/rules/*.rules
Rest of log records 'data' looks bad
BAD:
VirtualUSMAllInOne:~# grep sid:2008438 /etc/suricata/rules/*.rules
VirtualUSMAllInOne:~# grep sid:2018572 /etc/suricata/rules/*.rules
BAD Content:
sid:2008438
content:"Content-Type|3a| text/plain";
content:"MZ";
content:"PE|00 00|";
sid:2018572
content:"MZ";
content:"PE|00 00|";
sid:2014520
content:"Content-Disposition";
content:"attachment";
content:"MZ";
Actually, the rest of rules are also triggered by windows executable content ('MZ' & 'PE' are .exe markers)
So last 3 records should contain the SAME content as previous 2 records
But looks like wrong binary is written into the unified2 log
Files