Bug #5486
openEthernet metadata is missing for some protocols or parts of a protocol
Affected Versions:
Effort:
Difficulty:
Label:
Description
We discovered that the `ether` output was missing on some traffic. With the pcap 2019-02-15-Emotet-with-IcedID-and-Trickbot.pcap from traffic malware analysis we were able to strip it down to some single-flow cases.
To reproduce it, simply run one of the 3 pcaps with Suricata 6.0.6 and `-r`, or use a `dummy` interface.
In 154.pcap we can see that it is empty for the http event but not for the flow event, and it is completely missing for fileinfo. The http output as an example:
{ "timestamp": "2019-02-15T19:29:41.539954+0100", "flow_id": 183210505223474, "event_type": "http", "src_ip": "172.16.10.97", "src_port": 49910, "dest_ip": "70.184.86.103", "dest_port": 8080, "proto": "TCP", "tx_id": 0, "ether": {}, "http": { "hostname": "70.184.86.103", "http_port": 8080, "url": "/", "http_user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", "http_content_type": "text/html", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 135041 } }
In 136.pcap with smb traffic we can see it is present in the flow but not on all packets. In the first example it is present, in the second it is empty:
{ "timestamp": "2019-02-15T19:26:50.118392+0100", "flow_id": 556954253130233, "pcap_cnt": 63, "event_type": "anomaly", "src_ip": "172.16.10.2", "src_port": 445, "dest_ip": "172.16.10.97", "dest_port": 49892, "proto": "TCP", "tx_id": 16, "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a" }, "anomaly": { "app_proto": "smb", "type": "applayer", "event": "malformed_data", "layer": "proto_parser" } }
{ "timestamp": "2019-02-15T19:26:49.915961+0100", "flow_id": 556954253130233, "event_type": "smb", "src_ip": "172.16.10.97", "src_port": 49892, "dest_ip": "172.16.10.2", "dest_port": 445, "proto": "TCP", "smb": { "id": 9, "dialect": "NT LM 0.12", "command": "161", "session_id": 2051, "tree_id": 4100 }, "ether": {} }
In 126.pcap with dcerpc, `ether` is missing from the dcerpc event but seen in the flow event:
{ "timestamp": "2019-02-15T19:26:38.567904+0100", "flow_id": 1709083524481263, "pcap_cnt": 7, "event_type": "dcerpc", "src_ip": "172.16.10.97", "src_port": 49801, "dest_ip": "172.16.10.2", "dest_port": 135, "proto": "TCP", "dcerpc": { "request": "REQUEST", "req": { "opnum": 3, "frag_cnt": 1, "stub_data_size": 144 }, "response": "RESPONSE", "res": { "frag_cnt": 1, "stub_data_size": 252 }, "call_id": 2, "rpc_version": "5.0" } }
{ "timestamp": "2019-02-15T19:26:38.344303+0100", "flow_id": 1709083524481263, "event_type": "flow", "src_ip": "172.16.10.97", "src_port": 49801, "dest_ip": "172.16.10.2", "dest_port": 135, "proto": "TCP", "app_proto": "dcerpc", "flow": { "pkts_toserver": 6, "pkts_toclient": 5, "bytes_toserver": 664, "bytes_toclient": 658, "start": "2019-02-15T19:26:38.344303+0100", "end": "2019-02-15T19:26:53.367110+0100", "age": 15, "state": "closed", "reason": "shutdown", "alerted": false }, "ether": { "dest_macs": [ "a4:1f:72:c2:09:6a" ], "src_macs": [ "00:08:02:1c:47:ae" ] }, "tcp": { "tcp_flags": "1b", "tcp_flags_ts": "1b", "tcp_flags_tc": "1b", "syn": true, "fin": true, "psh": true, "ack": true, "state": "closed" } }
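A quick way to check your own eve.json for the three states seen above (ether present, `"ether": {}`, or key absent) per event_type, and to list flows where one event carries MACs while another event of the same flow does not. This is an added check, not part of the ticket or of Suricata; the sample records are trimmed copies of the events quoted above.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed versions of the EVE events quoted in this ticket.
SAMPLE_EVE = """\
{"event_type": "http", "flow_id": 183210505223474, "ether": {}, "http": {"url": "/"}}
{"event_type": "anomaly", "flow_id": 556954253130233, "ether": {"src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a"}}
{"event_type": "smb", "flow_id": 556954253130233, "ether": {}}
{"event_type": "dcerpc", "flow_id": 1709083524481263}
{"event_type": "flow", "flow_id": 1709083524481263, "ether": {"dest_macs": ["a4:1f:72:c2:09:6a"], "src_macs": ["00:08:02:1c:47:ae"]}}
"""

def classify_ether(event):
    """Return 'present', 'empty' or 'missing' for one EVE event.

    Packet-level events carry src_mac/dest_mac strings, the flow event carries
    src_macs/dest_macs lists; any non-empty one of them counts as present.
    """
    ether = event.get("ether")
    if ether is None:
        return "missing"
    for key in ("src_mac", "dest_mac", "src_macs", "dest_macs"):
        if ether.get(key):
            return "present"
    return "empty"

def ether_report(lines):
    """Count ether states per event_type over eve.json lines."""
    counts = defaultdict(lambda: {"present": 0, "empty": 0, "missing": 0})
    for line in lines:
        if line.strip():
            event = json.loads(line)
            counts[event.get("event_type", "?")][classify_ether(event)] += 1
    return dict(counts)

def affected_flows(lines):
    """flow_ids with MACs on at least one event but empty/missing ether on
    another event of the same flow, i.e. the inconsistency reported here."""
    states = defaultdict(set)
    for line in lines:
        if line.strip():
            event = json.loads(line)
            states[event.get("flow_id")].add(classify_ether(event))
    return sorted(fid for fid, s in states.items()
                  if "present" in s and s - {"present"})

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    for etype, c in sorted(ether_report(lines).items()):
        print(f"{etype:10s} {c}")
    print("inconsistent flows:", affected_flows(lines))
```

Run it as `python3 check_ether.py /var/log/suricata/eve.json`; without an argument it runs on the embedded sample.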