Bug #3989
closed — HTTP2: invalid_frame_data anomaly
Affected Versions:
Effort:
Difficulty:
Label:
Description
Running Suricata on the attached pcap produces invalid_frame_data anomaly events from the HTTP/2 parser. The traffic was captured while browsing a news article on yahoo.com.
sudo ./suricata -c /etc/suricata/suricata.yaml -v --user=logstash -r ~/invalid_frame_data.pcapng --runmode single -l /tmp/
jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
14 "anomaly"
29 "fileinfo"
38 "http"
cat /tmp/eve.json | grep anomaly
{"timestamp":"2020-09-30T09:20:52.867375-0400","flow_id":407100726516860,"pcap_cnt":53,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":24,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:54.771555-0400","flow_id":407100726516860,"pcap_cnt":63,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":28,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:55.817389-0400","flow_id":407100726516860,"pcap_cnt":67,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":30,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:04.798180-0400","flow_id":407100726516860,"pcap_cnt":81,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":35,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:04.972840-0400","flow_id":407100726516860,"pcap_cnt":83,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":36,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:05.149931-0400","flow_id":407100726516860,"pcap_cnt":90,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":38,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}