Suricata

Can you try beta3 or the git master. We've made some changes since beta2.

Victor Julien wrote:

Can you try beta3 or the git master. We've made some changes since beta2.

I can. I'll upgrade our sensors later this afternoon and give an update tomorrow.

Running Suricata-2.1beta3 seems to have cleared up the event merger problem (only about a 1h uptime; I'll update if I see the problem again), but I'm still seeing some strange behavior.

1. Events that trigger off the same packet formats alert 1 properly and then alerts n+1.. with the "alert" KV pair out of order. See the paste below for an example.

{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2016977,"rev":3,"signature":"ET WEB_SERVER allow_url_include PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0},"payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>""}
{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>"","alert":{"action":"allowed","gid":1,"signature_id":2016978,"rev":3,"signature":"ET WEB_SERVER safe_mode PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>"","alert":{"action":"allowed","gid":1,"signature_id":2016979,"rev":4,"signature":"ET WEB_SERVER suhosin.simulation PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>"","alert":{"action":"allowed","gid":1,"signature_id":2016980,"rev":5,"signature":"ET WEB_SERVER disable_functions PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>"","alert":{"action":"allowed","gid":1,"signature_id":2016981,"rev":4,"signature":"ET WEB_SERVER open_basedir PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-10T10:48:42.309235","flow_id":108311248,"in_iface":"snf0","event_type":"alert","vlan":3740,"src_ip":"<redacted>","src_port":2892,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"<redacted>"","payload_printable":"<redacted>"","stream":1,"packet":"<redacted>"","alert":{"action":"allowed","gid":1,"signature_id":2016982,"rev":3,"signature":"ET WEB_SERVER auto_prepend_file PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}

2. On a whim, I set "payload: no" and "packet: no" keeping only "payload-printable: yes" enabled. While this did not clear up the out-of-order "alert" KV pair, it did have some other unexpected behavior. The "vlan" and "in_iface" KV pairs disappeared. I'm not sure if this is expected behavior when setting "packet: no", but it seems odd to lose that information. See the paste below for details.

{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2011768,"rev":6,"signature":"ET WEB_SERVER PHP tags in HTTP POST","category":"Web Application Attack","severity":1,"tx_id":0},"payload_printable":"<redacted>"","stream":1}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016977,"rev":3,"signature":"ET WEB_SERVER allow_url_include PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016978,"rev":3,"signature":"ET WEB_SERVER safe_mode PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016979,"rev":4,"signature":"ET WEB_SERVER suhosin.simulation PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016980,"rev":5,"signature":"ET WEB_SERVER disable_functions PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016981,"rev":4,"signature":"ET WEB_SERVER open_basedir PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}
{"timestamp":"2015-04-09T16:00:15.780114","flow_id":125911712,"event_type":"alert","src_ip":"<redacted>","src_port":57572,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload_printable":"<redacted>"","stream":1,"alert":{"action":"allowed","gid":1,"signature_id":2016982,"rev":3,"signature":"ET WEB_SERVER auto_prepend_file PHP config option in uri","category":"A Network Trojan was Detected","severity":1,"tx_id":0}}