Project

General

Profile

Actions

Bug #3989

closed

HTTP2: invalid_frame_data anomaly

Added by David Beckett almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Running suricata on the attached pcap gives invalid_frame_data anomalies. The traffic was generated by browsing a news article on yahoo.com

sudo ./suricata -c /etc/suricata/suricata.yaml -v --user=logstash -r ~/invalid_frame_data.pcapng --runmode single -l /tmp/

jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
      1 "stats" 
      2 "flow" 
     14 "anomaly" 
     29 "fileinfo" 
     38 "http" 
cat /tmp/eve.json | grep anomaly                                                                                                                                                                                            
{"timestamp":"2020-09-30T09:20:52.867375-0400","flow_id":407100726516860,"pcap_cnt":53,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":24,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:53.812029-0400","flow_id":407100726516860,"pcap_cnt":59,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":26,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:54.771555-0400","flow_id":407100726516860,"pcap_cnt":63,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":28,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:20:55.817389-0400","flow_id":407100726516860,"pcap_cnt":67,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":30,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:03.756849-0400","flow_id":407100726516860,"pcap_cnt":78,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":34,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:04.798180-0400","flow_id":407100726516860,"pcap_cnt":81,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":35,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:04.972840-0400","flow_id":407100726516860,"pcap_cnt":83,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":36,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}
{"timestamp":"2020-09-30T09:21:05.149931-0400","flow_id":407100726516860,"pcap_cnt":90,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51326,"dest_ip":"69.147.64.34","dest_port":443,"proto":"TCP","tx_id":38,"community_id":"1:kUNClqx6agVbJOT5QdJDywVqYf4=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_frame_data","layer":"proto_parser"}}


Files

invalid_frame_data.pcapng (55.5 KB) invalid_frame_data.pcapng David Beckett, 09/30/2020 01:31 PM
Actions #2

Updated by David Beckett almost 2 years ago

Correct, running off PR 5455, commit 78a8f2

Actions #3

Updated by Philippe Antoine almost 2 years ago

  • Status changed from New to In Review
  • Target version changed from 6.0.1 to 6.0.0
Actions #4

Updated by Philippe Antoine almost 2 years ago

Thanks again David.
You can test the new branch with added commit :-)

Actions #5

Updated by David Beckett almost 2 years ago

Thanks, this is it fixed

Actions #6

Updated by Victor Julien almost 2 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF