Bug #6405

open

Ethernet src should match src ip

Added by Eric Leblond 6 months ago. Updated 2 months ago.

Status: In Review
Priority: High
Assignee: (none)
Target version: (none)
Affected Versions: (none)
Effort: medium
Difficulty: (none)
Label: (none)

Description

The ethernet IP addresses should match the IP addresses so the user can attribute the IP to the mac address. By that, I mean the src_ip address should correspond to the ether.src_mac and reverse for destination.

I've studied the problem with the pcap from MTA: https://www.malware-traffic-analysis.net/2019/07/05/index.html to try to collect information about the current status.

suricata -l /tmp/ip-ether/ -r ~/Downloads/2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap  -c suricata.yaml

As we can see via the following jq command, we have multiple associations:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

In particular for 10.7.5.101:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac and .src_ip=="10.7.5.101")|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"} # real mac address of host
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"} # mac address of gw
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"} # mac address of 10.7.5.5

If we add the application layer to the equation, we can then see that it is dependent on it:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip, "event_type": .event_type}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"alert"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"fileinfo"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"http"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"krb5"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"tls"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"alert"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"anomaly"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"dhcp"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"http"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"krb5"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"tls"}


Subtasks 2 (2 open, 0 closed)

Bug #6689: Ethernet src should match src ip (6.0.x backport) - Assigned - OISF Dev
Bug #6690: Ethernet src should match src ip (7.0.x backport) - Assigned - Andreas Herz

Actions #1

Updated by Eric Leblond 6 months ago

note: suricata is 7.0.1 from Debian GNU/Linux

Actions #2

Updated by Sascha Steinbiss 6 months ago

I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.

In the case of flows, we can even have multiple MAC addresses for the same src/dest IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.

Actions #3

Updated by Eric Leblond 6 months ago

Sascha Steinbiss wrote in #note-2:

I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.

In the case of flows, we can even have multiple MAC addresses for the same src/dest IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.

The problem is that the IP addresses and the ethernet ones are not in the same direction depending on the type of event, and we get the same ethernet address for 2 IPs:

{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

It may be more obvious on a DNS request and answer:

{
  "timestamp": "2019-07-05T22:10:33.164698+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48630,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": {
    "src_mac": "00:08:02:1c:47:ae",
    "dest_mac": "a4:1f:72:c2:09:6a" 
  },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": {
    "type": "query",
    "id": 62832,
    "rrname": "germakhya.xyz",
    "rrtype": "A",
    "tx_id": 0,
    "opcode": 0
  }
}
{
  "timestamp": "2019-07-05T22:10:33.369515+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48631,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": {
    "src_mac": "a4:1f:72:c2:09:6a",
    "dest_mac": "00:08:02:1c:47:ae" 
  },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": {
    "version": 2,
    "type": "answer",
    "id": 62832,
    "flags": "8180",
    "qr": true,
    "rd": true,
    "ra": true,
    "opcode": 0,
    "rrname": "germakhya.xyz",
    "rrtype": "A",
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "germakhya.xyz",
        "rrtype": "A",
        "ttl": 599,
        "rdata": "95.142.46.236" 
      }
    ],
    "grouped": {
      "A": [
        "95.142.46.236" 
      ]
    }
  }
}

If we extract the IP and ethernet information for this DNS "transaction":

cat /tmp/ip-ether/eve.json | jq 'select(.event_type=="dns" and .dns.id==62832)|{"src_ip":.src_ip, "ether_src": .ether.src_mac, "dest_ip": .dest_ip, "ether_dst": .ether.dest_mac}' -c
{"src_ip":"10.7.5.101","ether_src":"00:08:02:1c:47:ae","dest_ip":"10.7.5.5","ether_dst":"a4:1f:72:c2:09:6a"}
{"src_ip":"10.7.5.101","ether_src":"a4:1f:72:c2:09:6a","dest_ip":"10.7.5.5","ether_dst":"00:08:02:1c:47:ae"}

We have source and destination IP, but the ethernet addresses are reversed.
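Added here as a worked example (it is neither Suricata's code nor the commit referenced in this ticket): a Python post-processor for eve.json that applies, on the log side, the realignment the ticket asks for, and reproduces the (src_mac, src_ip) listing the jq one-liners above produce. It assumes the first event seen for a flow_id carries the to_server packet direction; the sample events are constructed from the DNS query/answer pair quoted above.

```python
import json

# Constructed sample EVE events modelled on the DNS pair in the ticket: same
# flow_id and same src_ip/dest_ip, but the ether pair is swapped on the answer.
# A third event without an ether object exercises the skip path.
SAMPLE_EVE = [
    {"flow_id": 425898990509396, "event_type": "dns", "src_ip": "10.7.5.101",
     "dest_ip": "10.7.5.5",
     "ether": {"src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a"}},
    {"flow_id": 425898990509396, "event_type": "dns", "src_ip": "10.7.5.101",
     "dest_ip": "10.7.5.5",
     "ether": {"src_mac": "a4:1f:72:c2:09:6a", "dest_mac": "00:08:02:1c:47:ae"}},
    {"flow_id": 425898990509396, "event_type": "flow", "src_ip": "10.7.5.101",
     "dest_ip": "10.7.5.5"},
]


def normalize_ether(events):
    """Align ether.src_mac/dest_mac with src_ip/dest_ip on a per-flow basis.

    Assumption: the first event of a flow_id that carries an ether object is
    logged in the to_server direction, so it fixes the binding src_ip -> src_mac.
    A later event of the same flow whose ether pair is the exact reverse of that
    binding is a to_client packet logged with flow IP direction but packet MAC
    direction; its MACs are swapped so both layers agree.
    Returns (normalized_events, number_of_swaps). The input is not mutated.
    """
    binding = {}          # flow_id -> (src_mac, dest_mac) from the first event
    out, swaps = [], 0
    for ev in events:
        ev = json.loads(json.dumps(ev))   # deep copy
        eth, fid = ev.get("ether"), ev.get("flow_id")
        if not eth or fid is None or not {"src_mac", "dest_mac"} <= eth.keys():
            out.append(ev)                # flow/stats events: nothing to align
            continue
        pair = (eth["src_mac"], eth["dest_mac"])
        if fid not in binding:
            binding[fid] = pair
        elif pair == binding[fid][::-1]:
            eth["src_mac"], eth["dest_mac"] = eth["dest_mac"], eth["src_mac"]
            swaps += 1
        out.append(ev)
    return out, swaps


def mac_ip_pairs(events):
    """Distinct (ether.src_mac, src_ip) pairs, like the ticket's jq | sort | uniq."""
    return sorted({(e["ether"]["src_mac"], e["src_ip"]) for e in events if "ether" in e})
```

On a real file, feed `[json.loads(line) for line in open("eve.json")]` to `normalize_ether` and compare `mac_ip_pairs` before and after: an IP that maps to more than one MAC within one flow is the symptom this ticket describes.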

Actions #4

Updated by Eric Leblond 6 months ago

I pushed an implementation that seems to fix the issue there: https://github.com/OISF/suricata/commit/d5fe84abd7d03293a8fc74d2778b17cd4b628bbf

For example:

cat ~/tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq

{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

We have no duplicated IPs in this list.

Actions #5

Updated by Sascha Steinbiss 6 months ago

This makes it more explicit indeed. Thanks for the explanation!

Actions #6

Updated by Philippe Antoine 3 months ago

  • Status changed from New to In Review

Actions #7

Updated by Philippe Antoine 3 months ago

  • Target version changed from TBD to 8.0.0-beta1

Actions #8

Updated by OISF Ticketbot 3 months ago

  • Subtask #6689 added

Actions #9

Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 6.0)

Actions #10

Updated by OISF Ticketbot 3 months ago

  • Subtask #6690 added

Actions #11

Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 7.0)