Project

General

Profile

Actions

Bug #6405

closed

eve: ethernet src_mac should match src_ip

Added by Eric Leblond about 1 year ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
medium
Difficulty:
Label:

Description

The ethernet IP addresses should match the IP addresses so the user can attribute the IP to the mac address. By that, I mean the src_ip address should correspond to the ether.src_mac and reverse for destination.

I've studied the problem with the pcap from MTA: https://www.malware-traffic-analysis.net/2019/07/05/index.html to try to collect information about the current status.

suricata -l /tmp/ip-ether/ -r ~/Downloads/2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap  -c suricata.yaml

As we can see via the following jq commmand we have multiple association

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

In particular for 10.7.5.101:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac and .src_ip=="10.7.5.101")|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"} # real mac address of host
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"} # mac address of gw
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"} # mac address of 10.7.5.5

If we add the application layer in the equation, we then can see that it is dependant of it:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip, "event_type": .event_type}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"alert"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"fileinfo"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"http"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"krb5"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"tls"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"alert"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"anomaly"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"dhcp"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"http"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"krb5"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"tls"}


Subtasks 2 (0 open2 closed)

Bug #6689: Ethernet src should match src ip (6.0.x backport)RejectedActions
Bug #6690: eve: ethernet src_mac should match src_ip (7.0.x backport)ClosedPhilippe AntoineActions
Actions #1

Updated by Eric Leblond about 1 year ago

note: suricata is 7.0.1 from Debian GNU/Linux

Actions #2

Updated by Sascha Steinbiss about 1 year ago

I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.

In the case of flows, we can even have multiple MAC addresses for the src/dest same IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.

Actions #3

Updated by Eric Leblond about 1 year ago

Sascha Steinbiss wrote in #note-2:

I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.

In the case of flows, we can even have multiple MAC addresses for the src/dest same IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.

The problem is that the IP addresses and the ethernet one are not in the same direction depending of the type of events and we get the same ethernet address for 2 IP.

{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

It may be more obvious on a DNS request and answer:

{
  "timestamp": "2019-07-05T22:10:33.164698+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48630,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": {
    "src_mac": "00:08:02:1c:47:ae",
    "dest_mac": "a4:1f:72:c2:09:6a" 
  },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": {
    "type": "query",
    "id": 62832,
    "rrname": "germakhya.xyz",
    "rrtype": "A",
    "tx_id": 0,
    "opcode": 0
  }
}
{
  "timestamp": "2019-07-05T22:10:33.369515+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48631,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": {
    "src_mac": "a4:1f:72:c2:09:6a",
    "dest_mac": "00:08:02:1c:47:ae" 
  },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": {
    "version": 2,
    "type": "answer",
    "id": 62832,
    "flags": "8180",
    "qr": true,
    "rd": true,
    "ra": true,
    "opcode": 0,
    "rrname": "germakhya.xyz",
    "rrtype": "A",
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "germakhya.xyz",
        "rrtype": "A",
        "ttl": 599,
        "rdata": "95.142.46.236" 
      }
    ],
    "grouped": {
      "A": [
        "95.142.46.236" 
      ]
    }
  }
}

If we extract IP and ethernet nformation for this DNS "transaction":

cat /tmp/ip-ether/eve.json | jq 'select(.event_type=="dns" and .dns.id==62832)|{"src_ip":.src_ip, "ether_src": .ether.src_mac, "dest_ip": .dest_ip, "ether_dst": .ether.dest_mac}' -c
{"src_ip":"10.7.5.101","ether_src":"00:08:02:1c:47:ae","dest_ip":"10.7.5.5","ether_dst":"a4:1f:72:c2:09:6a"}
{"src_ip":"10.7.5.101","ether_src":"a4:1f:72:c2:09:6a","dest_ip":"10.7.5.5","ether_dst":"00:08:02:1c:47:ae"}

We have source and destination IP but the ethernet addresses are reverted.

Actions #4

Updated by Eric Leblond about 1 year ago

I pushed an implementation that seems to fix the issue there: https://github.com/OISF/suricata/commit/d5fe84abd7d03293a8fc74d2778b17cd4b628bbf

For example

cat ~/tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq

{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

We have no duplicated IPs in this list.

Actions #5

Updated by Sascha Steinbiss about 1 year ago

This makes it more explicit indeed. Thanks for the explanation!

Actions #6

Updated by Philippe Antoine 10 months ago

  • Status changed from New to In Review
Actions #7

Updated by Philippe Antoine 10 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #8

Updated by OISF Ticketbot 10 months ago

  • Subtask #6689 added
Actions #9

Updated by OISF Ticketbot 10 months ago

  • Label deleted (Needs backport to 6.0)
Actions #10

Updated by OISF Ticketbot 10 months ago

  • Subtask #6690 added
Actions #11

Updated by OISF Ticketbot 10 months ago

  • Label deleted (Needs backport to 7.0)
Actions #12

Updated by Jeff Lucovsky 7 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
Actions #13

Updated by Jeff Lucovsky 7 months ago

  • Assignee changed from Philippe Antoine to OISF Dev
Actions #14

Updated by Philippe Antoine 6 months ago

  • Status changed from In Review to Resolved
Actions #15

Updated by Victor Julien 6 months ago

  • Status changed from Resolved to Closed
  • Assignee changed from OISF Dev to Eric Leblond
Actions #16

Updated by Victor Julien 5 months ago

  • Subject changed from Ethernet src should match src ip to eve: ethernet src_mac should match src_ip
Actions

Also available in: Atom PDF