Project

General

Profile

Actions
Copy link

Bug #5814

closed

smb: duplicate interface fields logged

Added by Jason Ish about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
7.0.0-rc1
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

The following tests result in duplicate interface fields being logged:

FAIL: ./tests/smb2-02/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}
FAIL: ./tests/smb2-03-rule/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}
FAIL: ./tests/smb2-07-frames/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/smb2-07/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/dcerpc-smb-test-01/output/eve.json: key=interface, equal=True current value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}, new value={'uuid': '367abb81-9844-35f1-ad32-98f038001003', 'version': '2.0'}
FAIL: ./tests/smb2-08-rule/output/eve.json: key=interface, equal=True current value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}, new value={'uuid': '4b324fc8-1670-01d3-1278-5a47bf6ee188', 'version': '3.0'}

These should probably be put into an array named "interfaces". The curious bit is that the duplicates are equal.

@Eric Leblond Any thoughts there as this will change the structure of the event.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #5413: DCERPC logging is not easy to use in analysisClosedEric LeblondActions
Actions
Copy link
 #1

Updated by Jason Ish about 1 year ago

  • Related to Feature #5413: DCERPC logging is not easy to use in analysis added
Actions
Copy link
 #2

Updated by Eric Leblond about 1 year ago

Yes, it really makes sense to use an interfaces object. But when looking at the data, it looks like we have twice the same one. Are we missing a other value or it is a duplicate ?

Actions
Copy link
 #3

Updated by Eric Leblond about 1 year ago

I think the function call is supposed to be unique so we may miss something here.

Actions
Copy link
 #4

Updated by Victor Julien about 1 year ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jason Ish
Actions
Copy link
 #5

Updated by Jason Ish about 1 year ago

Eric Leblond wrote in #note-3:

I think the function call is supposed to be unique so we may miss something here.

So no more or less data is being logged. The fix is to go from an JSON that looks like:

{
    ...,
    interface: {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    interface: {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    ...,
}

to:

{
    ...,
    interfaces: [
        {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
        {"uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "version": "3.0"},
    ],
    ...,
}

So all logged interfaces will remain visible after decoding the JSON.

Actions
Copy link
 #6

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF