Project

General

Profile

Actions

Bug #1526

open

Malformed encoded base64 packet in json logs

Added by Jay MJ over 7 years ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have been testing erspan support with git 2.1, rev e583de0 and rev 834c366. I noticed that the encoded base64 packets in the eve log appear to be corrupt, missing the IP header, and containing mostly apparent invalid Ethernet header information. Have not had a chance to test these specific versions without erspan yet, but may in the future (hoping someone else can test this).

Decoded packet fields contain these fields (will provide pcap if requested):
Ether - dst,src,proto type (always strange, unknown values), Raw - load

Looking at the first 50 bytes of the decoded packet field, it does not appear to be an erspan packet (verified also by cutting erspan header length, which completely malforms the pcap).

I also output pcaps from suricata to file (<200 MB each), which does properly work. All pcaps contain erspan header information, and appear normal.

Test box specs:
Running on virtualized esx host
ArchLinux 4.1.4-1 kernel, x86_64
8-core, 16 GB ram
erspan inbound vnic Intel 82545EM


Files

Sample mangled base64 decoded.pcap (110 Bytes) Sample mangled base64 decoded.pcap Sample decoded pcap Jay MJ, 09/16/2015 08:23 AM
Actions

Also available in: Atom PDF