Project

General

Profile

Actions

Bug #3467

closed

Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode

Added by David Wharton almost 5 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0

Description

Suricata has long supported the "metadata" keyword in rules and since version 4.1, has included the metatdata information in the EVE alert log. This is a very useful feature for alert processing and back-end analysis, and in fact is a critical component of the Suricata implementation of the extremely useful Better Enhanced Teleological and Taxonomic Embedded Rules Schema (BETTER -- https://better-schema.readthedocs.io/). However, it has been observed that when Suricata is reading pcaps via the Socket Control Pcap Processing Mode, the EVE alert data does not include the metadata from the rule.

Tested and verified this unexpected behavior on Suricata 4.0.6; 5.0.0; 5.0.1.

Using attached pcap and following rule from https://raw.githubusercontent.com/secureworks/aristotle/master/examples/example.rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; content:"dream"; priority:4; metadata:cwe_id 506,malware pre-infection,hostile dest_ip,created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,priority info,rule_source acme-rule-factory,attack_target http-client,attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)

EVE data with Socket Control Pcap Processing Mode :

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 2144771006236119,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]

EVE data withOUT Socket Control Pcap Processing Mode (note the alert -> metadata section):

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 1549258758260183,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4,
      "metadata": {
        "protocols": [
          "tcp",
          "http" 
        ],
        "attack_target": [
          "client",
          "http-client" 
        ],
        "rule_source": [
          "acme-rule-factory" 
        ],
        "priority": [
          "info" 
        ],
        "filename": [
          "acme.rules" 
        ],
        "updated_at": [
          "2017-02-26" 
        ],
        "created_at": [
          "2017-02-19" 
        ],
        "hostile": [
          "dest_ip" 
        ],
        "malware": [
          "pre-infection" 
        ],
        "cwe_id": [
          "506" 
        ]
      }
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]

Files

example-dream.pcap (425 Bytes) example-dream.pcap referenced pcap David Wharton, 02/12/2020 03:10 AM

Related issues 3 (0 open3 closed)

Has duplicate Suricata - Bug #3523: Suricata does not log alert metadata info when running in unix-socket modeClosedAngelo MirabellaActions
Copied to Suricata - Bug #4196: Alert metadata not present in EVE output when using Socket Control Pcap Processing ModeClosedShivani BhardwajActions
Copied to Suricata - Bug #4197: Alert metadata not present in EVE output when using Socket Control Pcap Processing ModeClosedShivani BhardwajActions
Actions #1

Updated by Victor Julien over 4 years ago

  • Target version set to 6.0.0beta1
Actions #2

Updated by Victor Julien over 4 years ago

  • Has duplicate Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode added
Actions #3

Updated by Victor Julien over 4 years ago

  • Status changed from New to In Review
  • Assignee set to Angelo Mirabella
  • Priority changed from High to Normal
Actions #4

Updated by Victor Julien over 4 years ago

  • Target version changed from 6.0.0beta1 to 6.0.0rc1
Actions #5

Updated by Victor Julien about 4 years ago

  • Target version changed from 6.0.0rc1 to 6.0.0
Actions #6

Updated by Victor Julien about 4 years ago

  • Target version changed from 6.0.0 to 6.0.1
Actions #7

Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Closed
Actions #8

Updated by Victor Julien almost 4 years ago

  • Label Needs backport to 5.0 added
Actions #9

Updated by Shivani Bhardwaj almost 4 years ago

  • Copied to Bug #4196: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode added
Actions #10

Updated by Shivani Bhardwaj almost 4 years ago

  • Copied to Bug #4197: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode added
Actions

Also available in: Atom PDF