
Bug #3467

Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode

Added by David Wharton about 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0

Description

Suricata has long supported the "metadata" keyword in rules and since version 4.1, has included the metadata information in the EVE alert log. This is a very useful feature for alert processing and back-end analysis, and in fact is a critical component of the Suricata implementation of the extremely useful Better Enhanced Teleological and Taxonomic Embedded Rules Schema (BETTER -- https://better-schema.readthedocs.io/). However, it has been observed that when Suricata is reading pcaps via the Socket Control Pcap Processing Mode, the EVE alert data does not include the metadata from the rule.

Tested and verified this unexpected behavior on Suricata 4.0.6; 5.0.0; 5.0.1.

Using attached pcap and following rule from https://raw.githubusercontent.com/secureworks/aristotle/master/examples/example.rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; content:"dream"; priority:4; metadata:cwe_id 506,malware pre-infection,hostile dest_ip,created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,priority info,rule_source acme-rule-factory,attack_target http-client,attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)

EVE data with Socket Control Pcap Processing Mode :

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 2144771006236119,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]

EVE data withOUT Socket Control Pcap Processing Mode (note the alert -> metadata section):

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 1549258758260183,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4,
      "metadata": {
        "protocols": [
          "tcp",
          "http" 
        ],
        "attack_target": [
          "client",
          "http-client" 
        ],
        "rule_source": [
          "acme-rule-factory" 
        ],
        "priority": [
          "info" 
        ],
        "filename": [
          "acme.rules" 
        ],
        "updated_at": [
          "2017-02-26" 
        ],
        "created_at": [
          "2017-02-19" 
        ],
        "hostile": [
          "dest_ip" 
        ],
        "malware": [
          "pre-infection" 
        ],
        "cwe_id": [
          "506" 
        ]
      }
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]
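A check that can be run over eve.json to detect exactly this symptom, added here as an example and not code from the report or from the Suricata project: it parses the rule's metadata keyword into the key -> list-of-values shape Suricata writes under alert.metadata, then flags alerts whose metadata object is missing or differs from the rule. The two EVE records are constructed from the report's own output, trimmed to the fields the check reads; the rule-option splitter is a simplified one written for this example, not Suricata's parser.

```python
import json

# Rule text taken from the bug report (aristotle example.rules, sid 80181240).
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; '
    'content:"dream"; priority:4; metadata:cwe_id 506,malware pre-infection,'
    'hostile dest_ip,created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,'
    'priority info,rule_source acme-rule-factory,attack_target http-client,'
    'attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)'
)

# Constructed EVE alert records, trimmed to the fields this check reads. The first
# mirrors the socket-mode output from the report (no "metadata"), the second the
# normal pcap-mode output (with "metadata").
EVE_SOCKET_MODE = json.dumps([{
    "event_type": "alert",
    "alert": {"gid": 1, "signature_id": 80181240, "rev": 2, "severity": 4},
}])
EVE_NORMAL = json.dumps([{
    "event_type": "alert",
    "alert": {"gid": 1, "signature_id": 80181240, "rev": 2, "severity": 4,
              "metadata": {"protocols": ["tcp", "http"],
                           "attack_target": ["client", "http-client"],
                           "rule_source": ["acme-rule-factory"], "priority": ["info"],
                           "filename": ["acme.rules"], "updated_at": ["2017-02-26"],
                           "created_at": ["2017-02-19"], "hostile": ["dest_ip"],
                           "malware": ["pre-infection"], "cwe_id": ["506"]}},
}])


def split_options(options):
    """Split a rule's option body on ';' outside double quotes (simplified splitter
    for this example; it honours backslash-escaped characters inside quotes)."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if in_quote and c == "\\" and i + 1 < len(options):
            buf.extend((c, options[i + 1]))
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return [p for p in parts if p]


def rule_metadata(rule):
    """Return (sid, rev, metadata) where metadata maps key -> list of values,
    the same shape Suricata uses under alert.metadata in EVE (keys may repeat)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    sid = rev = None
    meta = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            sid = int(val)
        elif key == "rev":
            rev = int(val)
        elif key == "metadata":
            for item in filter(None, (s.strip() for s in val.split(","))):
                k, _, v = item.partition(" ")   # "cwe_id 506" -> key, value
                meta.setdefault(k, []).append(v.strip())
    return sid, rev, meta


def check_alerts(eve_json, rules):
    """Compare alert.metadata in EVE records with the metadata declared in the rules.
    Returns [(signature_id, problem)] for alerts whose metadata is missing or differs."""
    expected = {sid: meta for sid, _, meta in map(rule_metadata, rules)}
    problems = []
    for rec in json.loads(eve_json):
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"].get("signature_id")
        want = expected.get(sid)
        if not want:                      # unknown rule, or rule declares no metadata
            continue
        got = rec["alert"].get("metadata")
        if got is None:
            problems.append((sid, "metadata missing"))
        elif {k: sorted(v) for k, v in want.items()} != {k: sorted(v) for k, v in got.items()}:
            problems.append((sid, "metadata differs"))  # value order is not significant
    return problems


if __name__ == "__main__":
    print("socket mode:", check_alerts(EVE_SOCKET_MODE, [RULE]))  # [(80181240, 'metadata missing')]
    print("pcap mode  :", check_alerts(EVE_NORMAL, [RULE]))       # []
```

For a real run, replace the two constructed JSON strings with the lines of eve.json (one JSON object per line, so wrap them in a list or feed them one at a time) and the rule list with the loaded .rules files; values are compared as sets per key because Suricata does not preserve the order of repeated metadata keys.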

Files

example-dream.pcap (425 Bytes) - referenced pcap - David Wharton, 02/12/2020 03:10 AM

Related issues: 3 (0 open, 3 closed)

Has duplicate: Suricata - Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode (Closed, Angelo Mirabella)
Copied to: Suricata - Bug #4196: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode (Closed, Shivani Bhardwaj)
Copied to: Suricata - Bug #4197: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode (Closed, Shivani Bhardwaj)
#1

Updated by Victor Julien almost 4 years ago

  • Target version set to 6.0.0beta1
#2

Updated by Victor Julien almost 4 years ago

  • Has duplicate Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode added
#3

Updated by Victor Julien almost 4 years ago

  • Status changed from New to In Review
  • Assignee set to Angelo Mirabella
  • Priority changed from High to Normal
#4

Updated by Victor Julien over 3 years ago

  • Target version changed from 6.0.0beta1 to 6.0.0rc1
#5

Updated by Victor Julien over 3 years ago

  • Target version changed from 6.0.0rc1 to 6.0.0
#6

Updated by Victor Julien over 3 years ago

  • Target version changed from 6.0.0 to 6.0.1
#7

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
#8

Updated by Victor Julien over 3 years ago

  • Label Needs backport to 5.0 added
#9

Updated by Shivani Bhardwaj over 3 years ago

  • Copied to Bug #4196: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode added
#10

Updated by Shivani Bhardwaj over 3 years ago

  • Copied to Bug #4197: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode added