Actions
Bug #7460
openeve: empty src_ip and dest_ip values may be logged
Affected Versions:
Effort:
Difficulty:
Label:
Description
For events, like IPv4 decode alerts, src_ip
and dest_ip
, may be logged as empty strings. Additionally, the ports are logged as 0
, but this is likely to impact any strict schema checking.
Example:
{ "timestamp": "2024-12-16T12:29:34.570556-0600", "in_iface": "enp10s0", "event_type": "alert", "src_ip": "", "src_port": 0, "dest_ip": "", "dest_port": 0, "proto": "", "pkt_src": "wire/pcap", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200003, "rev": 2, "signature": "SURICATA IPv4 truncated packet", "category": "Generic Protocol Command Decode", "severity": 3 } }
This is not a problem with git master
which has this commit: https://github.com/OISF/suricata/commit/a1c6328156f
My recommendation would be to backport that commit as it's a clean cherry-pick and takes care of the ports as well.
It looks like it was introduced to 7.0.8 as part of the fix to #7432.
Updated by Jason Ish 10 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Jason Ish
PR for review: https://github.com/OISF/suricata/pull/12292
Actions