Project

General

Profile

Actions

Bug #1523

closed

Decoded base64 payload short by 16 characters

Added by Dan Wallmeyer over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

While comparing the decoded alert playload from EVE log and alert debug log data I have noticed that the decoded EVE base64 payload is short by 16 characters and there is non-printable hex at the beginning of the decoded data.

To generate an example of this issue I used the pcap at, http://www.malware-traffic-analysis.net/2015/07/31/2015-07-31-Angler-EK-and-CryptoWall-3.0.pcap, to generate the traffic and sid 2018452 to generate the alerts. EVE, alert-debug, and suricata log data have been included in the attached tar file.

Kernel:
Linux suri 3.2.0-4-amd64 1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux

Debian version:
7.8

Suricata build info:

This is Suricata version 2.1beta4 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS
SIMD support: SSE_3
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.7.2, C version 199901
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.17, linked against LibHTP v0.5.17

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no


Files

log-data.tar (110 KB) log-data.tar log data and yaml config file Dan Wallmeyer, 08/05/2015 09:10 AM
Actions #1

Updated by Peter Manev over 7 years ago

I think this is fixed in the git master by this commit -
https://github.com/inliniac/suricata/commit/3aa58f25ad51a68b57946f06a2423a26e41400c8
Can you please give it a try and confirm if that is the case in your particular scenario?

Actions #2

Updated by Dan Wallmeyer over 7 years ago

Peter you are correct. Issue is fixed. Thanks.

Actions #3

Updated by Peter Manev over 7 years ago

  • Status changed from New to Closed

Thank you for the confirmation.

Actions #4

Updated by Victor Julien over 7 years ago

  • Assignee set to Victor Julien
  • Target version set to 3.0RC1
Actions

Also available in: Atom PDF