Bug #3354: eve-log dns (possibly others) alerts miss metadata for all but first packet
Status: closed
Description
It looks like eve-log alerts are slightly broken and miss metadata for DNS (this might affect other protocols too).
I think it is caused by the PacketAlertAppend(det_ctx, s, p, 0, alert_flags) call in DetectRulePacketRules, which passes txid=0 for the appended alert. In my tests this seems to have the effect that the first DNS packet (the query) has metadata on its alert but the response does not.
The ruleset I am using is simply:
alert dns any any -> any any (msg: "test"; sid: 1;)
And the produced EVE JSON is:
{
  "timestamp": "2019-11-18T14:22:35.840789+0200",
  "flow_id": 1847130361418837,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "100.70.16.62",
  "src_port": 50073,
  "dest_ip": "1.0.0.1",
  "dest_port": 53,
  "proto": "UDP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "test",
    "category": "",
    "severity": 3
  },
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 12920,
        "rrname": "b.fi",
        "rrtype": "A",
        "tx_id": 0
      }
    ]
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 64,
    "bytes_toclient": 0,
    "start": "2019-11-18T14:22:35.840789+0200"
  },
  "payload": "MngBAAABAAAAAAAAAWICZmkAAAEAAQ==",
  "stream": 0
}
{
  "timestamp": "2019-11-18T14:22:35.856384+0200",
  "flow_id": 1847130361418837,
  "pcap_cnt": 2,
  "event_type": "alert",
  "src_ip": "1.0.0.1",
  "src_port": 53,
  "dest_ip": "100.70.16.62",
  "dest_port": 50073,
  "proto": "UDP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "test",
    "category": "",
    "severity": 3
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 64,
    "bytes_toclient": 80,
    "start": "2019-11-18T14:22:35.840789+0200"
  },
  "payload": "MniBgAABAAEAAAAAAWICZmkAAAEAAcAMAAEAAQAAJF4ABMKSaho=",
  "stream": 0
}
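A quick way to check whether a Suricata eve.json shows the symptom described in this report is to scan the alert events for an app_proto value with no matching protocol object (an alert with "app_proto": "dns" but no "dns" key), and to flag flows where only some of the alerts carry that object. The script below is an added example, not code from the original report or from the Suricata project. The sample input is constructed from the two alert events shown above plus one non-alert dns event; the assumption that alerts with "app_proto": "failed" should be skipped is mine, not something the report states.

```python
"""Scan newline-delimited EVE JSON for alert events that carry app_proto
but no matching protocol metadata object (the symptom in bug #3354)."""
import json
from collections import defaultdict

# Constructed sample input (not a real capture): the query/response pair
# from the report, flattened to one event per line, plus a non-alert
# "dns" event on another flow that must not be reported.
SAMPLE_EVE = """\
{"timestamp":"2019-11-18T14:22:35.840789+0200","flow_id":1847130361418837,"pcap_cnt":1,"event_type":"alert","src_ip":"100.70.16.62","src_port":50073,"dest_ip":"1.0.0.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"test","category":"","severity":3},"dns":{"query":[{"type":"query","id":12920,"rrname":"b.fi","rrtype":"A","tx_id":0}]},"app_proto":"dns"}
{"timestamp":"2019-11-18T14:22:35.856384+0200","flow_id":1847130361418837,"pcap_cnt":2,"event_type":"alert","src_ip":"1.0.0.1","src_port":53,"dest_ip":"100.70.16.62","dest_port":50073,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"test","category":"","severity":3},"app_proto":"dns"}
{"timestamp":"2019-11-18T14:22:36.000000+0200","flow_id":42,"pcap_cnt":3,"event_type":"dns","src_ip":"100.70.16.62","src_port":50074,"dest_ip":"1.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A","tx_id":0}}
"""

# Assumption: an app_proto of "failed" means no app-layer parser matched,
# so no protocol object is expected and such alerts are not a finding.
SKIP_APP_PROTO = {"failed"}


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines
    (a truncated last line is common while eve.json is still being written)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _app_proto_of_alert(ev):
    """Return the app_proto of an alert event worth checking, else None."""
    if ev.get("event_type") != "alert":
        return None
    app = ev.get("app_proto")
    if not app or app in SKIP_APP_PROTO:
        return None
    return app


def alerts_missing_app_metadata(events):
    """Return (flow_id, pcap_cnt, app_proto) for every alert whose app_proto
    is set but whose protocol-specific object (e.g. "dns") is absent."""
    missing = []
    for ev in events:
        app = _app_proto_of_alert(ev)
        if app is not None and app not in ev:
            missing.append((ev.get("flow_id"), ev.get("pcap_cnt"), app))
    return missing


def flows_with_partial_metadata(events):
    """Return flow_ids where some alerts carry the protocol object and others
    do not: the per-packet pattern reported above (query has it, reply not)."""
    counts = defaultdict(lambda: [0, 0])  # [with object, without object]
    for ev in events:
        app = _app_proto_of_alert(ev)
        if app is None:
            continue
        counts[ev.get("flow_id")][0 if app in ev else 1] += 1
    return sorted(fid for fid, (with_obj, without) in counts.items()
                  if with_obj and without)


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for fid, cnt, app in alerts_missing_app_metadata(evs):
        print(f"flow {fid} pcap_cnt {cnt}: alert has app_proto={app} "
              f"but no '{app}' object")
    print("flows with partial metadata:", flows_with_partial_metadata(evs))
```

Run it against a real file with `parse_eve(open("eve.json").read())`; on the sample it reports pcap_cnt 2 of the flow above, which is exactly the response alert the report shows without a "dns" object.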