Actions
Bug #7199
closeddetect: missing app-layer metadata in alerts
Affected Versions:
Effort:
Difficulty:
Label:
Description
After upgrading from Suricata 6 to 7, alerts in the eve JSON output no longer seem to include app-layer metadata.
This is what we use to have:
{ "timestamp": "2023-03-09T20:00:28.210821+0000", "flow_id": 627175734391745, "in_iface": "antrea-l7-tap0", "event_type": "alert", "vlan": [ 1 ], "src_ip": "10.10.1.5", "src_port": 43352, "dest_ip": "10.10.1.4", "dest_port": 80, "proto": "TCP", "alert": { "action": "blocked", "gid": 1, "signature_id": 1, "rev": 0, "signature": "Reject by AntreaClusterNetworkPolicy:test-l7-ingress", "category": "", "severity": 3, "tenant_id": 1 }, "http": { "hostname": "10.10.1.4", "url": "/admin", "http_user_agent": "curl/7.74.0", "http_method": "GET", "protocol": "HTTP/1.1", "length": 0 }, "app_proto": "http", "flow": { "pkts_toserver": 3, "pkts_toclient": 1, "bytes_toserver": 284, "bytes_toclient": 74, "start": "2023-03-09T20:00:28.209857+0000" } }
This is what we have now with Suricata 7.0.6:
{ "timestamp": "2024-08-26T22:19:16.005590+0000", "flow_id": 1147586615954996, "in_iface": "antrea-l7-tap0", "event_type": "alert", "vlan": [ 1 ], "src_ip": "10.10.1.9", "src_port": 54728, "dest_ip": "10.10.1.10", "dest_port": 80, "proto": "TCP", "pkt_src": "wire/pcap", "tenant_id": 1, "alert": { "action": "blocked", "gid": 1, "signature_id": 1, "rev": 0, "signature": "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2", "category": "", "severity": 3, "tenant_id": 1 }, "app_proto": "http", "direction": "to_server", "flow": { "pkts_toserver": 3, "pkts_toclient": 1, "bytes_toserver": 302, "bytes_toclient": 78, "start": "2024-08-26T22:19:16.005049+0000", "src_ip": "10.10.1.9", "dest_ip": "10.10.1.10", "src_port": 54728, "dest_port": 80 } }
The first output was captured with Suricata 6 a while back, but the rules were essentially the same. These are the rules I am using now:
reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;) pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;)
And this is the relevant part of the config:
%YAML 1.1
---
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve-%Y-%m-%d.json
rotate-interval: day
pcap-file: false
community-id: false
community-id-seed: 0
xff:
enabled: no
types:
- alert:
tagged-packets: yes
- http:
extended: yes
tagged-packets: yes
- tls:
extended: yes
It seems to me that this change, which was not backported to 6, is responsible: https://github.com/OISF/suricata/pull/10876/files, as it added an extra condition for logging app-layer data.
I am assuming that even though the action is "blocked", the expectation is that http data can still be logged here (with the default `metadata` configuration for alerts).
Actions