Bug #1435 (Closed): EVE-Log alert payload option loses data
Description
It would seem that the EVE-Log alert payload loses data before or during the payload->base64 conversion. Below is an excerpt from the base64-decoded "image payload". The dots are really dots in the base64 source as well, which implies that the information is lost before or during the conversion.
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,..
Rule used to trigger
alert http any any -> any any (msg:"FILE store all"; filestore; sid:15; rev:1;)
All printable characters seem to be intact and the filestore saves an intact file.
I have attached a pcap that replicates the problem plus the produced EVE-log.
Updated by Antti Tönkyrä almost 10 years ago
And here's the output section regarding EVE-log
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: suricata.eve
      types:
        - alert:
            payload: yes
            payload-printable: no
            packet: no
            http: no
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: yes
        - smtp
        - ssh
Updated by Alexander Gozman almost 10 years ago
Right... Data loss occurs before base64 conversion because stream data are dumped via PrintStringsToBuffer(). Will think how to fix it.
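To make the failure mode above concrete, here is an added example (written for this page, not code from the ticket or from Suricata). It models the lossy path the comment describes: a buffer is first rendered "printable" by replacing every byte outside 0x20..0x7e with '.', and only then base64-encoded, so decoding the EVE `payload` field can never recover the original bytes. The sample payload, the `printable_dump` model of PrintStringsToBuffer(), the single-record EVE line and the `looks_lossy` heuristic are all assumptions constructed for this example; the real function, pcap and log are not reproduced here.

```python
import base64
import json

# Constructed sample resembling a binary HTTP body (an ICC profile header
# followed by control and high bytes). Not taken from the ticket's pcap.
RAW_PAYLOAD = b"ICC profile\x00\x01x\x9c\x02SgTS\x00\x00\x03=\xff\x80BK\xef\xbeKoR\n"

# isprint() in the C locale: 0x20 (space) through 0x7e ('~').
def is_printable(b: int) -> bool:
    return 0x20 <= b < 0x7f


def printable_dump(data: bytes) -> bytes:
    """Model of the lossy path: every non-printable byte becomes '.'.
    This approximates what the ticket attributes to PrintStringsToBuffer();
    it is written for this example and is not Suricata's code."""
    return bytes(b if is_printable(b) else ord(".") for b in data)


def encode_payload_buggy(data: bytes) -> str:
    """Base64 of the already-dotted buffer: the dots are real dots and the
    original bytes are gone before encoding ever happens."""
    return base64.b64encode(printable_dump(data)).decode("ascii")


def encode_payload_fixed(data: bytes) -> str:
    """Base64 of the raw bytes: the field round-trips exactly."""
    return base64.b64encode(data).decode("ascii")


def lost_bytes(data: bytes, payload_b64: str) -> int:
    """Count byte positions that no longer match after decoding the field."""
    decoded = base64.b64decode(payload_b64)
    diffs = sum(1 for a, b in zip(data, decoded) if a != b)
    return diffs + abs(len(data) - len(decoded))


def make_eve_line(payload_b64: str) -> str:
    """Minimal constructed EVE alert record carrying only the fields used here."""
    return json.dumps({"event_type": "alert", "payload": payload_b64})


def looks_lossy(eve_line: str) -> bool:
    """Heuristic check for an affected log: a decoded 'payload' that is
    entirely printable ASCII yet contains dots is suspicious for binary
    content such as an image or ICC profile. Printable-only protocol text
    would also pass, so treat a True result as a prompt to compare against
    the stored file or pcap, not as proof on its own."""
    decoded = base64.b64decode(json.loads(eve_line)["payload"])
    return bool(decoded) and all(is_printable(b) for b in decoded) and b"." in decoded


if __name__ == "__main__":
    buggy = encode_payload_buggy(RAW_PAYLOAD)
    fixed = encode_payload_fixed(RAW_PAYLOAD)
    print("bytes lost (buggy):", lost_bytes(RAW_PAYLOAD, buggy))
    print("bytes lost (fixed):", lost_bytes(RAW_PAYLOAD, fixed))
    print("buggy decodes to:", base64.b64decode(buggy))
    print("lossy?", looks_lossy(make_eve_line(buggy)), looks_lossy(make_eve_line(fixed)))
```

The point of the comparison is that the loss is not in base64 at all: base64 is lossless over any byte string, so if a decoded `payload` shows dots where the filestore copy has control bytes, the buffer was altered earlier. Running `looks_lossy` over alert records from an affected build is a quick triage step before trusting `payload` for anything that needs exact bytes, such as hashing or carving.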
Updated by Alexander Gozman almost 10 years ago
- Assignee set to Alexander Gozman
- Target version set to 2.1beta4
Updated by Alexander Gozman almost 10 years ago
Attempt to fix the bug: https://github.com/inliniac/suricata/pull/1423
Updated by Alexander Gozman over 9 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Updated by Alexander Gozman over 9 years ago
Updated by Victor Julien over 9 years ago
- Status changed from Resolved to Closed