Project

General

Profile

Actions

Bug #7460

open

eve: empty src_ip and dest_ip values may be logged

Added by Jason Ish 10 days ago. Updated 10 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

For events, like IPv4 decode alerts, src_ip and dest_ip, may be logged as empty strings. Additionally, the ports are logged as 0, but this is likely to impact any strict schema checking.

Example:

{
  "timestamp": "2024-12-16T12:29:34.570556-0600",
  "in_iface": "enp10s0",
  "event_type": "alert",
  "src_ip": "",
  "src_port": 0,
  "dest_ip": "",
  "dest_port": 0,
  "proto": "",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200003,
    "rev": 2,
    "signature": "SURICATA IPv4 truncated packet",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}

This is not a problem with git master which has this commit: https://github.com/OISF/suricata/commit/a1c6328156f

My recommendation would be to backport that commit as it's a clean cherry-pick and takes care of the ports as well.

It looks like it was introduced to 7.0.8 as part of the fix to #7432.

Actions #1

Updated by Jason Ish 10 days ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jason Ish
Actions

Also available in: Atom PDF