Bug #3467

closed

Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode

Added by David Wharton almost 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Target version: (none)
Affected Versions: (none listed)
Effort: (none)
Difficulty: (none)
Label: Needs backport to 5.0

Description

Suricata has long supported the "metadata" keyword in rules and, since version 4.1, has included the metadata information in the EVE alert log. This is a very useful feature for alert processing and back-end analysis, and in fact is a critical component of the Suricata implementation of the extremely useful Better Enhanced Teleological and Taxonomic Embedded Rules Schema (BETTER -- https://better-schema.readthedocs.io/). However, it has been observed that when Suricata is reading pcaps via the Socket Control Pcap Processing Mode, the EVE alert data does not include the metadata from the rule.

Tested and verified this unexpected behavior on Suricata 4.0.6; 5.0.0; 5.0.1.

Using attached pcap and following rule from https://raw.githubusercontent.com/secureworks/aristotle/master/examples/example.rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; content:"dream"; priority:4; metadata:cwe_id 506,malware pre-infection,hostile dest_ip,created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,priority info,rule_source acme-rule-factory,attack_target http-client,attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)

EVE data with Socket Control Pcap Processing Mode :

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 2144771006236119,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]

EVE data withOUT Socket Control Pcap Processing Mode (note the alert -> metadata section):

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 1549258758260183,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4,
      "metadata": {
        "protocols": [
          "tcp",
          "http" 
        ],
        "attack_target": [
          "client",
          "http-client" 
        ],
        "rule_source": [
          "acme-rule-factory" 
        ],
        "priority": [
          "info" 
        ],
        "filename": [
          "acme.rules" 
        ],
        "updated_at": [
          "2017-02-26" 
        ],
        "created_at": [
          "2017-02-19" 
        ],
        "hostile": [
          "dest_ip" 
        ],
        "malware": [
          "pre-infection" 
        ],
        "cwe_id": [
          "506" 
        ]
      }
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]
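The following check is an added example and is not part of the ticket or of Suricata itself. It parses a rule's `metadata:` option into the `{key: [values]}` shape Suricata writes under `alert.metadata` and compares each EVE alert line against the rule with the same sid, so an alert whose metadata block is missing or empty (the symptom reported above) is flagged. The rule and the two EVE lines are constructed from the report and abbreviated to the fields that matter; the function names are my own, not Suricata API.

```python
"""Verify that EVE alert records carry the metadata declared in their rule.

Added example, not Suricata code. Parses a rule's ``metadata:`` option into
the ``{key: [values]}`` shape Suricata writes under ``alert.metadata`` and
checks EVE alert lines against it, flagging a missing or empty metadata block.
"""
import json
import re

# Constructed from the report: the rule under test.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; '
    'content:"dream"; priority:4; '
    'metadata:cwe_id 506,malware pre-infection,hostile dest_ip,created_at 2017-02-19,'
    'updated_at 2017-02-26,filename acme.rules,priority info,rule_source acme-rule-factory,'
    'attack_target http-client,attack_target client,protocols http,protocols tcp; '
    'rev:2; sid:80181240;)'
)

# Constructed EVE lines (abbreviated): the first as seen via the unix socket
# (no metadata), the second as seen in a normal pcap run (metadata present,
# repeated keys in the order Suricata emitted them).
EVE_LINES = [
    '{"event_type":"alert","alert":{"signature_id":80181240,"rev":2,"severity":4}}',
    '{"event_type":"alert","alert":{"signature_id":80181240,"rev":2,"severity":4,'
    '"metadata":{"protocols":["tcp","http"],"attack_target":["client","http-client"],'
    '"rule_source":["acme-rule-factory"],"priority":["info"],"filename":["acme.rules"],'
    '"updated_at":["2017-02-26"],"created_at":["2017-02-19"],"hostile":["dest_ip"],'
    '"malware":["pre-infection"],"cwe_id":["506"]}}}',
]


def parse_rule_metadata(rule):
    """Return {key: [value, ...]} from the rule's metadata option.

    Entries are comma-separated "key value" pairs and a key may repeat
    (attack_target and protocols above), so every value is a list.
    """
    m = re.search(r'\bmetadata:([^;]*);', rule)
    if not m:
        return {}
    meta = {}
    for entry in m.group(1).split(','):
        entry = entry.strip()
        if not entry:
            continue
        key, _, value = entry.partition(' ')
        meta.setdefault(key, []).append(value.strip())
    return meta


def rule_sid(rule):
    """Signature id of the rule, or None if it has no sid option."""
    m = re.search(r'\bsid:\s*(\d+)\s*;', rule)
    return int(m.group(1)) if m else None


def check_alert_metadata(record, expected):
    """Compare one EVE alert's alert.metadata with the rule's; return problems."""
    got = record.get("alert", {}).get("metadata")
    if not got:
        return ["alert.metadata missing or empty"]
    problems = []
    for key, values in expected.items():
        if key not in got:
            problems.append("missing key %s" % key)
        # Suricata does not keep the rule's order for repeated keys, so compare
        # the values as multisets rather than as ordered lists.
        elif sorted(got[key]) != sorted(values):
            problems.append("%s: expected %s, got %s" % (key, sorted(values), sorted(got[key])))
    problems.extend("unexpected key %s" % k for k in got if k not in expected)
    return problems


def audit_eve(eve_lines, rules):
    """Check every alert line against the rule with the same sid.

    Returns a list of (sid, problems) in input order; an empty problems list
    means the alert carries exactly the metadata its rule declares.
    """
    by_sid = {rule_sid(r): parse_rule_metadata(r) for r in rules}
    results = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"]["signature_id"]
        if sid not in by_sid:
            results.append((sid, ["no rule loaded for this sid"]))
            continue
        results.append((sid, check_alert_metadata(rec, by_sid[sid])))
    return results


if __name__ == "__main__":
    for sid, problems in audit_eve(EVE_LINES, [RULE]):
        print(sid, "OK" if not problems else "; ".join(problems))
```

Run against a real `eve.json` from a socket-mode pcap run versus a normal run, the first record reports the missing block and the second passes; comparing values unordered matters because, as the two EVE dumps above show, Suricata emits repeated keys such as `protocols` in a different order than the rule lists them.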

Files

example-dream.pcap (425 Bytes) - referenced pcap - David Wharton, 02/12/2020 03:10 AM

Related issues (3: 0 open, 3 closed)

Has duplicate: Suricata - Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode (Closed, Angelo Mirabella)
Copied to: Suricata - Bug #4196: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode (Closed, Shivani Bhardwaj)
Copied to: Suricata - Bug #4197: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode (Closed, Shivani Bhardwaj)