
Bug #5814: smb: duplicate interface fields logged

Added by Jason Ish over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal

Description

The following tests result in duplicate interface fields being logged:

FAIL: ./tests/smb2-02/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}
FAIL: ./tests/smb2-03-rule/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}
FAIL: ./tests/smb2-07-frames/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/smb2-07/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/dcerpc-smb-test-01/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/smb2-08-rule/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}

These should probably be put into an array named "interfaces". The curious bit is that the duplicates are equal.

@eleblond Any thoughts there, as this will change the structure of the event?


Related issues (1 total, 0 open, 1 closed):

  • Related to Suricata - Feature #5413: DCERPC logging is not easy to use in analysis (Closed, Eric Leblond)

#1 Updated by Jason Ish over 3 years ago

  • Related to Feature #5413: DCERPC logging is not easy to use in analysis added

#2 Updated by Eric Leblond over 3 years ago

Yes, it really makes sense to use an interfaces object. But when looking at the data, it looks like we have twice the same one. Are we missing another value, or is it a duplicate?

#3 Updated by Eric Leblond over 3 years ago

I think the function call is supposed to be unique so we may miss something here.

#4 Updated by Victor Julien over 3 years ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jason Ish

#5 Updated by Jason Ish over 3 years ago

Eric Leblond wrote in #note-3:

I think the function call is supposed to be unique so we may miss something here.

So no more or less data is being logged. The fix is to go from a JSON that looks like:

{
    ...,
    "interface": {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    "interface": {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    ...,
}

to:

{
    ...,
    "interfaces": [
        {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
        {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    ],
    ...,
}

So all logged interfaces will remain visible after decoding the JSON.
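To show why the duplicate key matters to anything consuming the log, here is an added Python example (not Suricata's or suricata-verify's own code) that flags repeated keys inside one EVE line, prints them in the same format as the FAIL lines above, and shows that a plain json.loads() keeps only one of the two interface objects while the interfaces array keeps both. The sample records and their nesting under "dcerpc" are constructed assumptions; only the uuid/version values come from the report.

```python
import json

# Constructed sample records (not real Suricata output); the "dcerpc" nesting is
# an assumption, the uuid/version values are the ones quoted in this report.
IFACE = '{"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"}'
BROKEN_RECORD = '{"event_type": "smb", "dcerpc": {"interface": %s, "interface": %s}}' % (IFACE, IFACE)
FIXED_RECORD = '{"event_type": "smb", "dcerpc": {"interfaces": [%s, %s]}}' % (IFACE, IFACE)


def find_duplicate_keys(text):
    """Decode one EVE line and report every key that occurs more than once in
    the same JSON object. Returns (key, equal, current_value, new_value) tuples."""
    findings = []

    def hook(pairs):
        # Called for every object; the default decoder would silently keep the
        # last value for a repeated key, so record each collision before it is lost.
        seen = {}
        for key, value in pairs:
            if key in seen:
                findings.append((key, seen[key] == value, seen[key], value))
            seen[key] = value
        return seen

    json.loads(text, object_pairs_hook=hook)
    return findings


def fail_lines(path, text):
    """Render the findings in the format of the verify output in this report."""
    return [
        "FAIL: %s: key=%s, equal=%s current value=%r, new value=%r"
        % (path, key, equal, cur, new)
        for key, equal, cur, new in find_duplicate_keys(text)
    ]


def logged_interfaces(text):
    """Count the interfaces still visible after a plain json.loads(): duplicate
    keys collapse to a single entry, an "interfaces" array keeps them all."""
    dcerpc = json.loads(text)["dcerpc"]
    if "interfaces" in dcerpc:
        return len(dcerpc["interfaces"])
    return 1 if "interface" in dcerpc else 0


if __name__ == "__main__":
    for line in fail_lines("./tests/smb2-02/output/eve.json", BROKEN_RECORD):
        print(line)
    print("interfaces visible after decoding: broken=%d fixed=%d"
          % (logged_interfaces(BROKEN_RECORD), logged_interfaces(FIXED_RECORD)))
```

The hook runs on the nested interface objects too, so the uuid/version values it compares are already decoded dicts.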

#6 Updated by Victor Julien about 3 years ago

  • Status changed from In Review to Closed