Project

General

Profile

Actions

Bug #5520

closed

If alert status code is 200, some fields are missing

Added by yanal awwad about 2 years ago. Updated 12 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Protocol

Description

There is an bug when you make a request that does pop an alert, and it was successful with status code 200. Results In eve.json missing some fields such as status.code , content-type...
I attached a file with the traffic going on. Note: only for status 200.

I forged a fake pcap file with the same scenario, but it doesn't show the alert in fast.log when you analyze it with "suricata -r file.pcap". (Note, however when you are listening on an interface, the alert pops up but with missing json fields)

Steps to reproduce:
Docker image: https://hub.docker.com/r/vulnerables/web-dvwa/
Suricata Alert: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)

1. Use docker image and expose locally.
2. sign in with admin:admin, create a database and then sign in with admin:password
3. go to file upload, upload any small .elf file such as http://timelessname.com/elfbin/ while listening on Docker0 interface.
4. You will see an alert generated, and theres missing fields in eve.json.


Files

message(1).txt (3.36 KB) message(1).txt flow of packets yanal awwad, 08/25/2022 06:58 AM
poc.pcapng (5.15 KB) poc.pcapng forged pcap file yanal awwad, 08/25/2022 07:11 AM
pcapfastlog.png (38.1 KB) pcapfastlog.png yanal awwad, 08/30/2022 05:19 AM
Actions

Also available in: Atom PDF