
Bug #1536

closed

eve log alert

Added by Marco Rondini over 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the eve log, sometimes (randomly?) the "http" object or the "payload_printable" field is missing from a record even though it is logged as an alert.
Tested on version 2.1beta4 and git master.

Actual result:

{
  "timestamp": "2015-09-02T16:52:21.795878+0200",
  "flow_id": 29637168,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "xxx.xxx.xxx.xxx",
  "src_port": 43512,
  "dest_ip": "xxx.xxx.xxx.xxx",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 940000006,
    "rev": 5,
    "signature": "xxx",
    "category": "xxx",
    "severity": 1,
    "tx_id": 0
  },
  "payload_printable": "GET /......",
  "stream": 1
}

or

{
  "timestamp": "2015-09-02T16:52:21.795878+0200",
  "flow_id": 29637168,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "xxx.xxx.xxx.xxx",
  "src_port": 43512,
  "dest_ip": "xxx.xxx.xxx.xxx",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 940000006,
    "rev": 5,
    "signature": "xxx",
    "category": "xxx",
    "severity": 1,
    "tx_id": 0
  },
  "stream": 1
}

Expected result:

{
  "timestamp": "2015-09-02T16:52:21.795878+0200",
  "flow_id": 29637168,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "xxx.xxx.xxx.xxx",
  "src_port": 43512,
  "dest_ip": "xxx.xxx.xxx.xxx",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 940000006,
    "rev": 5,
    "signature": "xxx",
    "category": "xxx",
    "severity": 1,
    "tx_id": 0
  },
  "http": {
    "hostname": "www.xxx.xxx",
    "url": "/.....",
    "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36\tChrome 35.0",
    "http_content_type": "image/gif",
    "http_refer": "http://xxx.yyy/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 35
  },
  "payload_printable": "GET /......",
  "stream": 1
}

eve log configuration:

# eve-log section as used for this report (Suricata 2.1beta4 and git master).
# Both payload-printable and http are enabled under the alert type below, so
# every alert record is expected to carry a "payload_printable" field and an
# "http" object; the description reports that one or both are sometimes absent.
# yes/no are what Suricata's own loader accepts (as used here); a generic
# YAML 1.2 parser would read them as plain strings rather than booleans.
- eve-log:
      enabled: yes
      filetype: regular  # regular|syslog|unix_dgram|unix_stream
      filename: eve.json

      types:
        - alert:
            # payload: yes           # enable dumping payload in Base64
            # Dumps the matched payload as printable text into eve.json. The
            # sample output shows request data ("GET /...") landing in the log,
            # so handle eve.json with the same care as the traffic itself.
            payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes            # enable dumping of packet (without stream segments)
            # Enabled, yet the "http" object is the part reported missing from
            # some alert records (compare "Actual result" with "Expected result").
            http: yes              # enable dumping of http fields
            # tls: yes               # enable dumping of tls fields
            # ssh: yes               # enable dumping of ssh fields

            # xff: X-Forwarded-For handling; disabled for this reproduction.
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
