Project

General

Profile

Actions

Bug #2623

closed

Missing http.status information in eve.log according to tcp packets.

Added by dahan han about 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

http.status is not checked intermittently in eve.log with event_type of alert.

In the case where the status code is not left, there is a common point that the FIN packet is terminated without terminating the ACK packet from the client to the server at the end.
Also, if the status code is not left in eve.log, the http.length value becomes 0, and the http_content_type and http.status values are not output.

pcap-1) Case without http.status and http.length (event_type: alert)
1 0.000000 172.16.11.111 → 216.239.34.21 TCP 66 3823 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.064806 216.239.34.21 → 172.16.11.111 TCP 66 80 → 3823 [SYN, ACK] Seq=0 Ack=1 Win=60720 Len=0 MSS=1380 SACK_PERM=1 WS=256
3 0.065170 172.16.11.111 → 216.239.34.21 TCP 60 3823 → 80 [ACK] Seq=1 Ack=1 Win=66048 Len=0
4 0.077885 172.16.11.111 → 216.239.34.21 HTTP 104 GET /ip HTTP/1.1
5 0.142290 216.239.34.21 → 172.16.11.111 TCP 60 80 → 3823 [ACK] Seq=1 Ack=51 Win=60928 Len=0
6 0.305146 216.239.34.21 → 172.16.11.111 HTTP 339 HTTP/1.1 200 OK (text/html)
7 0.305678 172.16.11.111 → 216.239.34.21 TCP 60 3823 → 80 [FIN, ACK] Seq=51 Ack=286 Win=65792 Len=0
8 0.369924 216.239.34.21 → 172.16.11.111 TCP 60 80 → 3823 [FIN, ACK] Seq=286 Ack=52 Win=60928 Len=0
9 0.370227 172.16.11.111 → 216.239.34.21 TCP 60 3823 → 80 [ACK] Seq=52 Ack=287 Win=65792 Len=0
pcap-1 - eve.log)
"event_type": "alert",
"http": {
"hostname": "ipinfo.io",
"url": "\/ip",
"http_method": "GET",
"protocol": "HTTP\/1.1",
"length": 0
},

pcap-2) Case where http.status and http.length exist. (event_type: alert)
1 0.000000 172.20.11.11 → 216.239.38.21 TCP 62 49382 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
2 0.064720 216.239.38.21 → 172.20.11.11 TCP 62 80 → 49382 [SYN, ACK] Seq=0 Ack=1 Win=60720 Len=0 MSS=1380 SACK_PERM=1
3 0.065120 172.20.11.11 → 216.239.38.21 TCP 60 49382 → 80 [ACK] Seq=1 Ack=1 Win=64860 Len=0
4 0.066075 172.20.11.11 → 216.239.38.21 HTTP 104 GET /ip HTTP/1.1
5 0.130564 216.239.38.21 → 172.20.11.11 TCP 60 80 → 49382 [ACK] Seq=1 Ack=51 Win=60720 Len=0
6 0.289601 216.239.38.21 → 172.20.11.11 HTTP 340 HTTP/1.1 200 OK (text/html)
7 0.289868 172.20.11.11 → 216.239.38.21 TCP 60 49382 → 80 [ACK] Seq=51 Ack=287 Win=64574 Len=0
8 0.289872 172.20.11.11 → 216.239.38.21 TCP 60 49382 → 80 [FIN, ACK] Seq=51 Ack=287 Win=64574 Len=0
9 0.354268 216.239.38.21 → 172.20.11.11 TCP 60 80 → 49382 [FIN, ACK] Seq=287 Ack=52 Win=60720 Len=0
10 0.354615 172.20.11.11 → 216.239.38.21 TCP 60 49382 → 80 [ACK] Seq=52 Ack=288 Win=64574 Len=0
pcap-2 - eve.log)
"event_type": "alert",
"http": {
"hostname": "ipinfo.io",
"url": "\/ip",
"http_content_type": "text\/html",
"http_method": "GET",
"protocol": "HTTP\/1.1",
"status": 200,
"length": 16
},

However, if event_type is http, both pcap can check http.status and http.length.

"event_type": "http",
"http": {
"hostname": "ipinfo.io",
"url": "\/ip",
"http_content_type": "text\/html",
"http_method": "GET",
"protocol": "HTTP\/1.1",
"status": 200,
"length": 16
}

Test Environment)
suricata version: 4.0.5, 4.0.4
eve.log Setting of suricata.yaml
types:
- alert:
payload: yes
payload-buffer-size: 4kb
payload-printable: yes
http: yes
http-body-printable: yes


Files

normal.pcap (1.09 KB) normal.pcap jaeik Cho, 10/05/2018 01:52 AM
abnormal.pcap (1.02 KB) abnormal.pcap jaeik Cho, 10/05/2018 01:52 AM
Actions

Also available in: Atom PDF