Project

General

Profile

Actions

Bug #5486

open

Ethernet metadata is missing for some protocols or parts of a protocol

Added by Andreas Herz over 2 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We discovered that the `ether` output was missing on some traffic, with the pcap 2019-02-15-Emotet-with-IcedID-and-Trickbot.pcap from traffic malware analysis we were able to strip it down to some single flow cases.

To reproduce it, simply run one of the 3 pcaps with Suricata 6.0.6 and the `-r` or use a `dummy` interface.

In the 154.pcap we can see that it is empty for the http event but not for the flow and it it's completely missing for fileinfo, http output as an example:

{
  "timestamp": "2019-02-15T19:29:41.539954+0100",
  "flow_id": 183210505223474,
  "event_type": "http",
  "src_ip": "172.16.10.97",
  "src_port": 49910,
  "dest_ip": "70.184.86.103",
  "dest_port": 8080,
  "proto": "TCP",
  "tx_id": 0,
  "ether": {},
  "http": {
    "hostname": "70.184.86.103",
    "http_port": 8080,
    "url": "/",
    "http_user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "http_content_type": "text/html",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 135041
  }
}

In the 136.pcap with smb traffic we can see it is seen in the flow but not on all packets. See it in the first example to be present and in the second emtpy:

{
  "timestamp": "2019-02-15T19:26:50.118392+0100",
  "flow_id": 556954253130233,
  "pcap_cnt": 63,
  "event_type": "anomaly",
  "src_ip": "172.16.10.2",
  "src_port": 445,
  "dest_ip": "172.16.10.97",
  "dest_port": 49892,
  "proto": "TCP",
  "tx_id": 16,
  "ether": {
    "src_mac": "00:08:02:1c:47:ae",
    "dest_mac": "a4:1f:72:c2:09:6a" 
  },
  "anomaly": {
    "app_proto": "smb",
    "type": "applayer",
    "event": "malformed_data",
    "layer": "proto_parser" 
  }
}
{
  "timestamp": "2019-02-15T19:26:49.915961+0100",
  "flow_id": 556954253130233,
  "event_type": "smb",
  "src_ip": "172.16.10.97",
  "src_port": 49892,
  "dest_ip": "172.16.10.2",
  "dest_port": 445,
  "proto": "TCP",
  "smb": {
    "id": 9,
    "dialect": "NT LM 0.12",
    "command": "161",
    "session_id": 2051,
    "tree_id": 4100
  },
  "ether": {}
}

In the 126.pcap with dcerpc ether is missing from the event type, but seen in the flow event:

{
  "timestamp": "2019-02-15T19:26:38.567904+0100",
  "flow_id": 1709083524481263,
  "pcap_cnt": 7,
  "event_type": "dcerpc",
  "src_ip": "172.16.10.97",
  "src_port": 49801,
  "dest_ip": "172.16.10.2",
  "dest_port": 135,
  "proto": "TCP",
  "dcerpc": {
    "request": "REQUEST",
    "req": {
      "opnum": 3,
      "frag_cnt": 1,
      "stub_data_size": 144
    },
    "response": "RESPONSE",
    "res": {
      "frag_cnt": 1,
      "stub_data_size": 252
    },
    "call_id": 2,
    "rpc_version": "5.0" 
  }
}
{
  "timestamp": "2019-02-15T19:26:38.344303+0100",
  "flow_id": 1709083524481263,
  "event_type": "flow",
  "src_ip": "172.16.10.97",
  "src_port": 49801,
  "dest_ip": "172.16.10.2",
  "dest_port": 135,
  "proto": "TCP",
  "app_proto": "dcerpc",
  "flow": {
    "pkts_toserver": 6,
    "pkts_toclient": 5,
    "bytes_toserver": 664,
    "bytes_toclient": 658,
    "start": "2019-02-15T19:26:38.344303+0100",
    "end": "2019-02-15T19:26:53.367110+0100",
    "age": 15,
    "state": "closed",
    "reason": "shutdown",
    "alerted": false
  },
  "ether": {
    "dest_macs": [
      "a4:1f:72:c2:09:6a" 
    ],
    "src_macs": [
      "00:08:02:1c:47:ae" 
    ]
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "closed" 
  }
}


Files

126.pcap (1.49 KB) 126.pcap Andreas Herz, 08/08/2022 11:44 AM
136.pcap (28.6 KB) 136.pcap Andreas Herz, 08/08/2022 11:44 AM
154.pcap (147 KB) 154.pcap Andreas Herz, 08/08/2022 11:44 AM
suricata.yaml (73.1 KB) suricata.yaml Raj S, 03/23/2023 12:04 PM
buildinfo.txt (3.87 KB) buildinfo.txt Raj S, 03/23/2023 12:05 PM
Actions

Also available in: Atom PDF