<p>Open Information Security Foundation</p>
<p><strong>Suricata - Bug #5814: smb: duplicate interface fields logged</strong></p>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26540">Journal 26540</a>, 2023-01-25T17:33:41Z, Jason Ish (jason.ish@oisf.net)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/5413">Feature #5413</a>: DCERPC logging is not easy to use in analysis</i> added</li></ul>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26552">Journal 26552</a>, 2023-01-25T20:42:06Z, Eric Leblond (eric@regit.org)</p>
<p>Yes, it really makes sense to use an interfaces object. But when looking at the data, it looks like we have twice the same one. Are we missing another value, or is it a duplicate?</p>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26553">Journal 26553</a>, 2023-01-25T20:45:12Z, Eric Leblond (eric@regit.org)</p>
<p>I think the function call is supposed to be unique, so we may miss something here.</p>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26571">Journal 26571</a>, 2023-01-26T08:42:19Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Review</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Jason Ish</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/8455">https://github.com/OISF/suricata/pull/8455</a></p>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26587">Journal 26587</a>, 2023-01-26T17:50:33Z, Jason Ish (jason.ish@oisf.net)</p>
<p>Eric Leblond wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<p>I think the function call is supposed to be unique so we may miss something here.</p>
</blockquote>
<p>So no more or less data is being logged. The fix is to go from a JSON that looks like:</p>
<pre>
{
...,
interface: {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
interface: {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
...,
}
</pre>
<p>to:</p>
<pre>
{
...,
interfaces: [
{"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
{"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
],
...,
}
</pre>
<p>So all logged interfaces will remain visible after decoding the JSON.</p>
<p><a href="https://redmine.openinfosecfoundation.org/issues/5814?journal_id=26600">Journal 26600</a>, 2023-01-30T08:14:21Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/8483">https://github.com/OISF/suricata/pull/8483</a></p>
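<p>As an added illustration of the point made in Jason Ish's note above (example code written for this page, not part of Suricata or the linked pull requests): a standard JSON decoder keeps only the last of two identical keys, so the pre-fix record shape silently drops interfaces after decoding, while the <code>interfaces</code> array keeps all of them. The two records below are constructed, shaped like the snippets in the issue; their <code>version</code> values are varied only so the loss is visible. The <code>object_pairs_hook</code> functions are an assumption about how an analyst would handle logs already written by a pre-fix Suricata: one detects repeated keys, the other recovers every value of a repeated key as a list.</p>

```python
import json
from collections import Counter

# Constructed sample EVE-style records (not real Suricata output), shaped like
# the snippets in this issue. Versions differ only so the data loss is visible.
PRE_FIX_RECORD = (
    '{"event_type": "smb", '
    '"interface": {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"}, '
    '"interface": {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "2.0"}}'
)
POST_FIX_RECORD = (
    '{"event_type": "smb", '
    '"interfaces": ['
    '{"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"}, '
    '{"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "2.0"}]}'
)


def logged_interfaces(record):
    """Return every interface object in a decoded record, whichever shape it has."""
    if "interfaces" in record:            # post-fix shape: a list of objects
        return list(record["interfaces"])
    value = record.get("interface")       # pre-fix shape: a single key
    if value is None:
        return []
    # A list here only appears when decode_keeping_duplicates() was used.
    return value if isinstance(value, list) else [value]


def naive_interface_count(text):
    """Count interfaces after a plain json.loads(): repeated keys collapse to the last one."""
    return len(logged_interfaces(json.loads(text)))


def find_duplicate_keys(text):
    """Map each key that repeats inside a single JSON object to its occurrence count.

    object_pairs_hook receives the raw (key, value) pairs of every object before
    the decoder collapses them, so repeats are still visible at this point.
    """
    duplicates = {}

    def hook(pairs):
        for key, count in Counter(key for key, _ in pairs).items():
            if count > 1:
                duplicates[key] = max(duplicates.get(key, 0), count)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return duplicates


def decode_keeping_duplicates(text):
    """Decode so that a repeated key yields a list of all its values, in order.

    Intended for logs written before the fix; the result feeds
    logged_interfaces() just like the post-fix shape does.
    """
    def hook(pairs):
        obj, repeated = {}, set()
        for key, value in pairs:
            if key not in obj:
                obj[key] = value
            elif key in repeated:
                obj[key].append(value)
            else:
                obj[key] = [obj[key], value]
                repeated.add(key)
        return obj

    return json.loads(text, object_pairs_hook=hook)


if __name__ == "__main__":
    for label, text in (("pre-fix", PRE_FIX_RECORD), ("post-fix", POST_FIX_RECORD)):
        print(label, "naive count:", naive_interface_count(text),
              "duplicate keys:", find_duplicate_keys(text))
    recovered = logged_interfaces(decode_keeping_duplicates(PRE_FIX_RECORD))
    print("recovered from pre-fix record:", [i["version"] for i in recovered])
```

<p>Run against the pre-fix record, the naive count is 1 and the duplicate-key scan reports <code>interface</code> twice; the post-fix record decodes to 2 interfaces with no repeated keys. The recovery hook is only a workaround for existing logs, since consumers built on other JSON libraries will still see one interface per record.</p>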