Project

General

Profile

Actions

Bug #5520

closed

If alert status code is 200, some fields are missing

Added by yanal awwad over 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Protocol

Description

There is an bug when you make a request that does pop an alert, and it was successful with status code 200. Results In eve.json missing some fields such as status.code , content-type...
I attached a file with the traffic going on. Note: only for status 200.

I forged a fake pcap file with the same scenario, but it doesn't show the alert in fast.log when you analyze it with "suricata -r file.pcap". (Note, however when you are listening on an interface, the alert pops up but with missing json fields)

Steps to reproduce:
Docker image: https://hub.docker.com/r/vulnerables/web-dvwa/
Suricata Alert: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)

1. Use docker image and expose locally.
2. sign in with admin:admin, create a database and then sign in with admin:password
3. go to file upload, upload any small .elf file such as http://timelessname.com/elfbin/ while listening on Docker0 interface.
4. You will see an alert generated, and theres missing fields in eve.json.


Files

message(1).txt (3.36 KB) message(1).txt flow of packets yanal awwad, 08/25/2022 06:58 AM
poc.pcapng (5.15 KB) poc.pcapng forged pcap file yanal awwad, 08/25/2022 07:11 AM
pcapfastlog.png (38.1 KB) pcapfastlog.png yanal awwad, 08/30/2022 05:19 AM
Actions #1

Updated by Victor Julien over 2 years ago

  • Priority changed from High to Normal
Actions #2

Updated by Jeff Lucovsky over 2 years ago

I'm not able to generate an alert with the pcap ... can you rebuild the pcap with the actual traffic that causes the alert to appear when listening on an interface?

Actions #3

Updated by yanal awwad over 2 years ago

Jeff Lucovsky wrote in #note-2:

I'm not able to generate an alert with the pcap ... can you rebuild the pcap with the actual traffic that causes the alert to appear when listening on an interface?

add -k none to generate the alert

Actions #4

Updated by Jeff Lucovsky over 2 years ago

I've been using -k none

No alerts are generated with this pcap/rule combination on either master-6.0.x nor @master@abungay

There are 6 events generated
- http 1
- fileinfo 2
- flow 3

Actions #5

Updated by yanal awwad over 2 years ago

Weird, with that same pcap file, I generated the alert. And, possibly I think I found out the problems for me
1. I had checksum validation on (so it partially dropped traffic), turning it off helped me.
2. When I upload a big file, the alert will be missing some fields even with checksum validation off.

Actions #6

Updated by Victor Julien over 2 years ago

In general, when matching on request traffic an alert will not contain response fields unless the matching happens late for some reason (like packet loss leading to missed ACKs). The alert will contain whatever metadata that is available at that moment in time.

Actions #7

Updated by yanal awwad over 2 years ago

Yeah, I see
thanks

Actions #8

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF