Actions
Bug #6405
closedeve: ethernet src_mac should match src_ip
Description
The ethernet IP addresses should match the IP addresses so the user can attribute the IP to the mac address. By that, I mean the src_ip address should correspond to the ether.src_mac and reverse for destination.
I've studied the problem with the pcap from MTA: https://www.malware-traffic-analysis.net/2019/07/05/index.html to try to collect information about the current status.
suricata -l /tmp/ip-ether/ -r ~/Downloads/2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap -c suricata.yaml
As we can see via the following jq commmand we have multiple association
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}
In particular for 10.7.5.101:
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac and .src_ip=="10.7.5.101")|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"} # real mac address of host
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"} # mac address of gw
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"} # mac address of 10.7.5.5
If we add the application layer in the equation, we then can see that it is dependant of it:
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip, "event_type": .event_type}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"alert"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"fileinfo"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"http"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"krb5"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"tls"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"alert"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"anomaly"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"dhcp"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"http"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"krb5"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"tls"}
Actions