Bug #4196

Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode

Added by Shivani Bhardwaj over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata has long supported the "metadata" keyword in rules and since version 4.1, has included the metadata information in the EVE alert log. This is a very useful feature for alert processing and back-end analysis, and in fact is a critical component of the Suricata implementation of the extremely useful Better Enhanced Teleological and Taxonomic Embedded Rules Schema (BETTER -- https://better-schema.readthedocs.io/). However, it has been observed that when Suricata is reading pcaps via the Socket Control Pcap Processing Mode, the EVE alert data does not include the metadata from the rule.

Tested and verified this unexpected behavior on Suricata 4.0.6; 5.0.0; 5.0.1.

Using attached pcap and following rule from https://raw.githubusercontent.com/secureworks/aristotle/master/examples/example.rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Acme - PUZZLED DREAM Malware Communication"; flow:established, to_server; content:"dream"; priority:4; metadata:cwe_id 506,malware pre-infection,hostile dest_ip,created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,priority info,rule_source acme-rule-factory,attack_target http-client,attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)

EVE data with Socket Control Pcap Processing Mode :

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 2144771006236119,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]

EVE data withOUT Socket Control Pcap Processing Mode (note the alert -> metadata section):

[
  {
    "timestamp": "2020-02-12T02:58:59.037778+0000",
    "flow_id": 1549258758260183,
    "event_type": "alert",
    "src_ip": "192.168.3.172",
    "src_port": 10127,
    "dest_ip": "172.16.98.186",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 80181240,
      "rev": 2,
      "signature": "Acme - PUZZLED DREAM Malware Communication",
      "category": "",
      "severity": 4,
      "metadata": {
        "protocols": [
          "tcp",
          "http" 
        ],
        "attack_target": [
          "client",
          "http-client" 
        ],
        "rule_source": [
          "acme-rule-factory" 
        ],
        "priority": [
          "info" 
        ],
        "filename": [
          "acme.rules" 
        ],
        "updated_at": [
          "2017-02-26" 
        ],
        "created_at": [
          "2017-02-19" 
        ],
        "hostile": [
          "dest_ip" 
        ],
        "malware": [
          "pre-infection" 
        ],
        "cwe_id": [
          "506" 
        ]
      }
    },
    "http": {
      "url": "/I+dreamed+a+dream",
      "http_user_agent": "FS",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "length": 0
    },
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3,
      "pkts_toclient": 2,
      "bytes_toserver": 213,
      "bytes_toclient": 108,
      "start": "2020-02-12T02:58:59.034263+0000" 
    }
  }
]
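A check a practitioner can run over the two eve.json outputs, added here as an example that is not part of the report or of the Suricata project: it parses the rule's metadata keyword into the key -> list-of-values shape Suricata writes under alert.metadata, then flags every alert whose EVE record lacks that object or disagrees with the rule. The two EVE lines it carries are constructed from the records quoted above, trimmed to the fields the check reads; function and constant names are this example's own.

```python
"""Verify that EVE alerts carry the metadata declared in their rules.

Added example, not code from the Suricata project or the bug report. The EVE
samples are constructed from the two records quoted in the report.
"""
import json
import re
from typing import Dict, List, Tuple

# Rule quoted in the report.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Acme - PUZZLED DREAM '
    'Malware Communication"; flow:established, to_server; content:"dream"; '
    'priority:4; metadata:cwe_id 506,malware pre-infection,hostile dest_ip,'
    'created_at 2017-02-19,updated_at 2017-02-26,filename acme.rules,'
    'priority info,rule_source acme-rule-factory,attack_target http-client,'
    'attack_target client,protocols http,protocols tcp; rev:2; sid:80181240;)'
)

# Constructed EVE lines: first as seen in socket-control pcap mode (no
# alert.metadata), second as seen with "suricata -r" (metadata present).
SOCKET_MODE_EVE = (
    '{"timestamp": "2020-02-12T02:58:59.037778+0000", "event_type": "alert", '
    '"alert": {"action": "allowed", "gid": 1, "signature_id": 80181240, "rev": 2, '
    '"signature": "Acme - PUZZLED DREAM Malware Communication", "severity": 4}}\n'
)
PCAP_MODE_EVE = (
    '{"timestamp": "2020-02-12T02:58:59.037778+0000", "event_type": "alert", '
    '"alert": {"action": "allowed", "gid": 1, "signature_id": 80181240, "rev": 2, '
    '"signature": "Acme - PUZZLED DREAM Malware Communication", "severity": 4, '
    '"metadata": {"protocols": ["tcp", "http"], "attack_target": ["client", '
    '"http-client"], "rule_source": ["acme-rule-factory"], "priority": ["info"], '
    '"filename": ["acme.rules"], "updated_at": ["2017-02-26"], "created_at": '
    '["2017-02-19"], "hostile": ["dest_ip"], "malware": ["pre-infection"], '
    '"cwe_id": ["506"]}}}\n'
)

# One rule option: name, ':', a value that may contain quoted strings, ';'.
_OPT_RE = re.compile(r'(\w+)\s*:\s*((?:"[^"]*"|[^;"])*);')


def rule_options(rule: str) -> Dict[str, List[str]]:
    """Map option name -> list of raw values (options such as metadata may repeat)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts: Dict[str, List[str]] = {}
    for name, value in _OPT_RE.findall(body):
        opts.setdefault(name, []).append(value.strip())
    return opts


def expected_metadata(rule: str) -> Dict[str, List[str]]:
    """Parse 'metadata:key value,key value,...' into key -> [values]."""
    # A repeated key (protocols, attack_target) collects every value, which is
    # how Suricata renders it in EVE; EVE does not guarantee list order, so the
    # comparison below sorts before comparing.
    meta: Dict[str, List[str]] = {}
    for raw in rule_options(rule).get("metadata", []):
        for field in raw.split(","):
            key, _, value = field.strip().partition(" ")
            if key:
                meta.setdefault(key, []).append(value.strip())
    return meta


def metadata_problems(events: List[dict],
                      expected: Dict[int, Dict[str, List[str]]]) -> List[Tuple[int, str]]:
    """Return (sid, description) for alerts whose metadata is absent or differs."""
    def norm(m: Dict[str, List[str]]) -> Dict[str, List[str]]:
        return {k: sorted(v) for k, v in m.items()}

    problems: List[Tuple[int, str]] = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        sid = alert["signature_id"]
        if sid not in expected:
            continue  # no rule text available to compare against
        got = alert.get("metadata")
        if got is None:
            problems.append((sid, "alert.metadata absent"))
        elif norm(got) != norm(expected[sid]):
            problems.append((sid, f"alert.metadata differs: got {got}"))
    return problems


def check_eve(eve_text: str, rules: List[str]) -> List[Tuple[int, str]]:
    """Run the check over an eve.json body (one JSON object per line)."""
    expected = {int(rule_options(r)["sid"][0]): expected_metadata(r) for r in rules}
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    return metadata_problems(events, expected)


if __name__ == "__main__":
    for label, sample in (("socket mode", SOCKET_MODE_EVE), ("pcap mode", PCAP_MODE_EVE)):
        print(label, check_eve(sample, [RULE]) or "ok")
```

To reproduce the comparison the report describes, run one Suricata instance with --unix-socket and submit the pcap through suricatasc's pcap-file <pcap> <output-dir> command, run a second with suricata -r example-dream.pcap, and pass each instance's eve.json contents together with the rule file's rules to check_eve; any sid listed in the result is an alert that reached EVE without the metadata its rule declares.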

Files

example-dream.pcap (425 Bytes) - referenced pcap - David Wharton, 02/12/2020 03:10 AM

Related issues (1: 0 open, 1 closed)

Copied from Suricata - Bug #3467: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode (Closed, Angelo Mirabella)