Project

General

Profile

Actions
Copy link

Bug #6860

open

eve/alert: multiple issues for ICMP

Added by Victor Julien 8 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

First issue: src_port and dest_port with value 0 here.

{
  "timestamp": "2021-09-10T05:23:54.591487+0000",
  "flow_id": 570096532935945,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "192.168.0.30",
  "src_port": 0,
  "dest_ip": "8.8.8.8",
  "dest_port": 0,
  "proto": "ICMP",
  "icmp_type": 8,
  "icmp_code": 0,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 10211,
    "rev": 0,
    "signature": "drop all packets",
    "category": "",
    "severity": 3
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 98,
    "bytes_toclient": 0,
    "start": "2021-09-10T05:23:54.591487+0000",
    "src_ip": "192.168.0.30",
    "dest_ip": "8.8.8.8" 
  }
}

Second issue:

                if (p->flowflags & FLOW_PKT_TOCLIENT) {
                    jb_set_string(jb, "src_ip", addr.dst_ip);
                    jb_set_string(jb, "dest_ip", addr.src_ip);
                    if (addr.sp > 0) {
                        jb_set_uint(jb, "src_port", addr.dp);
                        jb_set_uint(jb, "dest_port", addr.sp);
                    }
                } else {
                    jb_set_string(jb, "src_ip", addr.src_ip);
                    jb_set_string(jb, "dest_ip", addr.dst_ip);
                    if (addr.sp > 0) {
                        jb_set_uint(jb, "src_port", addr.sp);
                        jb_set_uint(jb, "dest_port", addr.dp);
                    }
                }

Code uses port > 0 to log port, but port 0 is valid even if rare. The check should just look for ipprotos TCP/UDP/SCTP.

No data to display

Actions
Copy link

Also available in: Atom PDF