Bug #3480

open

EVE JSON - Incorrect Packet Logged

Added by Eoin Miller about 4 years ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

In reviewing the contents of the EVE JSON output, we noticed that the value for the key named "packet" was not the value of the packet that matched the rule. In this case, it is the value of the next packet in the flow from the client.

Packet 4:

0000   2c 0b e9 48 aa 7a ac 87 a3 32 ed 91 08 00 45 00   ,..H.z...2....E.
0010   00 e7 00 00 40 00 40 06 00 00 0a 0b 03 17 36 f0   ....@.@.......6.
0020   aa cb e5 b7 00 50 60 d9 81 c4 1c 0f 9b 7e 80 18   .....P`......~..
0030   08 04 ef b6 00 00 01 01 08 0a 41 81 b9 60 0e fb   ..........A..`..
0040   2d f1 50 4f 53 54 20 2f 54 68 69 73 49 73 41 54   -.POST /ThisIsAT
0050   65 73 74 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f   est HTTP/1.1..Ho
0060   73 74 3a 20 72 61 70 69 64 37 2e 63 6f 6d 0d 0a   st: rapid7.com..
0070   55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c   User-Agent: curl
0080   2f 37 2e 35 34 2e 30 0d 0a 41 63 63 65 70 74 3a   /7.54.0..Accept:
0090   20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79    */*..Content-Ty
00a0   70 65 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78   pe:application/x
00b0   2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63   -www-form-urlenc
00c0   6f 64 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65   oded..Content-Le
00d0   6e 67 74 68 3a 20 32 35 0d 0a 0d 0a 57 68 6f 44   ngth: 25....WhoD
00e0   6f 59 6f 75 53 75 70 70 6f 72 74 3d 55 70 47 61   oYouSupport=UpGa
00f0   6c 77 61 79 21                                    lway!

Packet 7:

0000   2c 0b e9 48 aa 7a ac 87 a3 32 ed 91 08 00 45 00   ,..H.z...2....E.
0010   00 34 00 00 40 00 40 06 00 00 0a 0b 03 17 36 f0   .4..@.@.......6.
0020   aa cb e5 b7 00 50 60 d9 82 77 1c 0f 9d c9 80 10   .....P`..w......
0030   07 fa ef 03 00 00 01 01 08 0a 41 81 b9 81 0e fb   ..........A.....
0040   2d f5                                             -.

The eve.json log's value for the key named "packet" matches packet 7 from the pcap file:

jq -r '.packet' eve.json  | base64 -D | hexdump -C
00000000  2c 0b e9 48 aa 7a ac 87  a3 32 ed 91 08 00 45 00  |,..H.z...2....E.|
00000010  00 34 00 00 40 00 40 06  00 00 0a 0b 03 17 36 f0  |.4..@.@.......6.|
00000020  aa cb e5 b7 00 50 60 d9  82 77 1c 0f 9d c9 80 10  |.....P`..w......|
00000030  07 fa ef 03 00 00 01 01  08 0a 41 81 b9 81 0e fb  |..........A.....|
00000040  2d f5                                             |-.|
00000042

It is worth noting that the correct packet appears to be in the unified2 output (also attached to the ticket).
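A cross-check a reader can run against the attached pcap and eve.json, added here as example code that is neither part of the ticket nor Suricata's own code: it decodes the base64 "packet" field, finds the frame in the pcap with identical bytes, reports whether that frame's TCP payload contains the content the rule matched on, and confirms that the logged frame is the client's very next segment after the POST (its sequence number equals the POST's sequence number plus the POST's 179 payload bytes). The two frames are transcribed from the hex dumps above; the two-frame pcap, the alert line and the rule content "UpGalway" are constructed for the example (the ticket does not give the rule), and the helper names build_pcap, read_pcap, tcp_summary, is_next_segment and check_alert are the example's own.

```python
"""Cross-check which pcap frame the EVE "packet" field holds (added example,
not Suricata code; frames transcribed from the ticket, pcap/eve.json constructed)."""
import base64
import json
import struct

# Transcribed from the ticket's dump of packet 4 (client POST, PSH/ACK, 179 payload bytes).
PACKET_4 = bytes.fromhex("""
2c 0b e9 48 aa 7a ac 87 a3 32 ed 91 08 00 45 00
00 e7 00 00 40 00 40 06 00 00 0a 0b 03 17 36 f0
aa cb e5 b7 00 50 60 d9 81 c4 1c 0f 9b 7e 80 18
08 04 ef b6 00 00 01 01 08 0a 41 81 b9 60 0e fb
2d f1 50 4f 53 54 20 2f 54 68 69 73 49 73 41 54
65 73 74 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f
73 74 3a 20 72 61 70 69 64 37 2e 63 6f 6d 0d 0a
55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c
2f 37 2e 35 34 2e 30 0d 0a 41 63 63 65 70 74 3a
20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79
70 65 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78
2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63
6f 64 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65
6e 67 74 68 3a 20 32 35 0d 0a 0d 0a 57 68 6f 44
6f 59 6f 75 53 75 70 70 6f 72 74 3d 55 70 47 61
6c 77 61 79 21
""")

# Transcribed from the ticket's dump of packet 7 (client pure ACK, no payload).
PACKET_7 = bytes.fromhex("""
2c 0b e9 48 aa 7a ac 87 a3 32 ed 91 08 00 45 00
00 34 00 00 40 00 40 06 00 00 0a 0b 03 17 36 f0
aa cb e5 b7 00 50 60 d9 82 77 1c 0f 9d c9 80 10
07 fa ef 03 00 00 01 01 08 0a 41 81 b9 81 0e fb
2d f5
""")

def build_pcap(frames):
    """Constructed classic pcap (little-endian magic, linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):  # constructed timestamps, 1 s apart
        out += struct.pack("<IIII", 1581700000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def read_pcap(data):
    """Yield (1-based frame number, frame bytes) from a classic pcap (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    pos, num = 24, 1
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield num, data[pos:pos + incl_len]
        pos, num = pos + incl_len, num + 1

def tcp_summary(frame):
    """Return (seq, ack, flags, payload) of an Ethernet/IPv4/TCP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]  # the IP total length bounds the segment
    seq, ack = struct.unpack("!II", tcp[4:12])
    return seq, ack, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def is_next_segment(earlier, later):
    """True if `later` is the same sender's very next segment after `earlier`."""
    seq_e, _, _, payload_e = tcp_summary(earlier)
    return tcp_summary(later)[0] == (seq_e + len(payload_e)) & 0xFFFFFFFF

def check_alert(eve_line, pcap_bytes, content):
    """Locate EVE's logged packet in the pcap and test whether it carries `content`."""
    logged = base64.b64decode(json.loads(eve_line)["packet"])
    result = {"logged_frame": None, "logged_has_content": None, "matching_frames": []}
    for num, frame in read_pcap(pcap_bytes):
        has_content = content in tcp_summary(frame)[3]
        if frame == logged:
            result["logged_frame"], result["logged_has_content"] = num, has_content
        if has_content:
            result["matching_frames"].append(num)
    return result

# Constructed inputs: frame 1 is the ticket's packet 4, frame 2 its packet 7, and the
# alert line's "packet" is packet 7, as the ticket reports.
PCAP = build_pcap([PACKET_4, PACKET_7])
EVE_LINE = json.dumps({"event_type": "alert",
                       "packet": base64.b64encode(PACKET_7).decode()})

if __name__ == "__main__":
    print(check_alert(EVE_LINE, PCAP, b"UpGalway"))
    print("logged frame is the next client segment:", is_next_segment(PACKET_4, PACKET_7))
```

To run the same check on the attached files, pass the bytes of UpGalway.pcap and the alert line read from eve.json to check_alert in place of the constructed PCAP and EVE_LINE. Note that `base64 -D` in the command above is the macOS spelling; GNU coreutils uses `base64 -d`.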


Files

UpGalway.pcap (1.59 KB) UpGalway.pcap Eoin Miller, 02/14/2020 08:36 PM
eve.json (1.32 KB) eve.json Eoin Miller, 02/14/2020 08:36 PM
unified2.out (329 Bytes) unified2.out Eoin Miller, 02/14/2020 08:37 PM

Related issues 5 (4 open, 1 closed)

Related to Suricata - Feature #1380: JSON and Unified2 output "payload" does not contain full (or real in the case of Unified2) packets for session (New, OISF Dev, 02/09/2015)
Related to Suricata - Bug #2429: TCP-session and wrong alert timestamp (Rejected, OISF Dev)
Related to Suricata - Bug #2069: logging: payload may not represent traffic the generated alert (eve and unified2) (Assigned, Jason Ish)
Related to Suricata - Feature #2281: tcp stream: simpler IDS handling of overlap evasions (Assigned, Victor Julien)
Related to Suricata - Documentation #5690: Document the differences between IPS and IDS mode. (New, OISF Dev)
