Bug #5520
closedIf alert status code is 200, some fields are missing
Description
There is an bug when you make a request that does pop an alert, and it was successful with status code 200. Results In eve.json missing some fields such as status.code , content-type...
I attached a file with the traffic going on. Note: only for status 200.
I forged a fake pcap file with the same scenario, but it doesn't show the alert in fast.log when you analyze it with "suricata -r file.pcap". (Note, however when you are listening on an interface, the alert pops up but with missing json fields)
Steps to reproduce:
Docker image: https://hub.docker.com/r/vulnerables/web-dvwa/
Suricata Alert: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)
1. Use docker image and expose locally.
2. sign in with admin:admin, create a database and then sign in with admin:password
3. go to file upload, upload any small .elf file such as http://timelessname.com/elfbin/ while listening on Docker0 interface.
4. You will see an alert generated, and theres missing fields in eve.json.
Files
Updated by Jeff Lucovsky about 2 years ago
I'm not able to generate an alert with the pcap ... can you rebuild the pcap with the actual traffic that causes the alert to appear when listening on an interface?
Updated by yanal awwad about 2 years ago
Jeff Lucovsky wrote in #note-2:
I'm not able to generate an alert with the pcap ... can you rebuild the pcap with the actual traffic that causes the alert to appear when listening on an interface?
add -k none to generate the alert
Updated by Jeff Lucovsky about 2 years ago
I've been using -k none
No alerts are generated with this pcap/rule combination on either master-6.0.x
nor @master@abungay
There are 6 events generated
- http
1
- fileinfo
2
- flow
3
Updated by yanal awwad about 2 years ago
- File pcapfastlog.png pcapfastlog.png added
Weird, with that same pcap file, I generated the alert. And, possibly I think I found out the problems for me
1. I had checksum validation on (so it partially dropped traffic), turning it off helped me.
2. When I upload a big file, the alert will be missing some fields even with checksum validation off.
Updated by Victor Julien about 2 years ago
In general, when matching on request traffic an alert will not contain response fields unless the matching happens late for some reason (like packet loss leading to missed ACKs). The alert will contain whatever metadata that is available at that moment in time.
Updated by Philippe Antoine about 1 year ago
- Status changed from New to Closed
Closing as answered by https://redmine.openinfosecfoundation.org/issues/5520#note-6