Bug #6405 (closed)
eve: ethernet src_mac should match src_ip
Description
The ethernet IP addresses should match the IP addresses so the user can attribute the IP to the mac address. By that, I mean the src_ip address should correspond to the ether.src_mac and reverse for destination.
I've studied the problem with the pcap from MTA: https://www.malware-traffic-analysis.net/2019/07/05/index.html to try to collect information about the current status.
suricata -l /tmp/ip-ether/ -r ~/Downloads/2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap -c suricata.yaml
As we can see via the following jq command, we have multiple associations:
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}
In particular for 10.7.5.101:
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac and .src_ip=="10.7.5.101")|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}   # real mac address of host
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}   # mac address of gw
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}   # mac address of 10.7.5.5
If we add the application layer to the equation, we can then see that it is dependent on it:
cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip, "event_type": .event_type}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"alert"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"fileinfo"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"http"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"krb5"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"tls"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"alert"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"anomaly"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"dhcp"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"http"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"krb5"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"tls"}
Updated by Eric Leblond about 1 year ago
note: suricata is 7.0.1 from Debian GNU/Linux
Updated by Sascha Steinbiss about 1 year ago
I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.
In the case of flows, we can even have multiple MAC addresses for the same src/dest IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.
Updated by Eric Leblond about 1 year ago
Sascha Steinbiss wrote in #note-2:
I'm not really sure what you mean by "ethernet IP addresses". AFAICS many packets from various IP addresses can have the same hardware source MAC address -- if the sending interface is a router, for example. I don't think there is a way to actually be sure that a MAC address belongs to the interface that the source IP is configured on, unless we have more places to tap.
In the case of flows, we can even have multiple MAC addresses for the same src/dest IP. That's why src_mac and dest_mac can be arrays there and are called src_macs and dest_macs, respectively.
The problem is that the IP addresses and the ethernet ones are not in the same direction depending on the type of event, and we get the same ethernet address for 2 IPs:
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}
It may be more obvious on a DNS request and answer:
{
  "timestamp": "2019-07-05T22:10:33.164698+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48630,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a" },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": { "type": "query", "id": 62832, "rrname": "germakhya.xyz", "rrtype": "A", "tx_id": 0, "opcode": 0 }
}
{
  "timestamp": "2019-07-05T22:10:33.369515+0200",
  "flow_id": 425898990509396,
  "pcap_cnt": 48631,
  "event_type": "dns",
  "src_ip": "10.7.5.101",
  "src_port": 50643,
  "dest_ip": "10.7.5.5",
  "dest_port": 53,
  "proto": "UDP",
  "pkt_src": "wire/pcap",
  "ether": { "src_mac": "a4:1f:72:c2:09:6a", "dest_mac": "00:08:02:1c:47:ae" },
  "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=",
  "dns": {
    "version": 2, "type": "answer", "id": 62832, "flags": "8180",
    "qr": true, "rd": true, "ra": true, "opcode": 0,
    "rrname": "germakhya.xyz", "rrtype": "A", "rcode": "NOERROR",
    "answers": [ { "rrname": "germakhya.xyz", "rrtype": "A", "ttl": 599, "rdata": "95.142.46.236" } ],
    "grouped": { "A": [ "95.142.46.236" ] }
  }
}
If we extract IP and ethernet information for this DNS "transaction":
cat /tmp/ip-ether/eve.json | jq 'select(.event_type=="dns" and .dns.id==62832)|{"src_ip":.src_ip, "ether_src": .ether.src_mac, "dest_ip": .dest_ip, "ether_dst": .ether.dest_mac}' -c
{"src_ip":"10.7.5.101","ether_src":"00:08:02:1c:47:ae","dest_ip":"10.7.5.5","ether_dst":"a4:1f:72:c2:09:6a"}
{"src_ip":"10.7.5.101","ether_src":"a4:1f:72:c2:09:6a","dest_ip":"10.7.5.5","ether_dst":"00:08:02:1c:47:ae"}
We have source and destination IP but the ethernet addresses are reversed.
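The same consistency check that the jq pipelines above perform by eye, as an added example that is not part of this report or of Suricata: it reads eve.json lines, collects the src_ip to ether.src_mac associations (handling both the scalar src_mac/dest_mac of packet events and the src_macs/dest_macs arrays of flow records mentioned in note 2), and reports the two symptoms described here, an IP logged with several source MACs and an IP pair whose MACs appear in both orders. The sample lines are constructed from a subset of the fields in the DNS query/answer pair above.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (a field subset, not the report's full records),
# modelled on the DNS query/answer pair above: same flow and IP direction, but the
# ether src/dest MACs are swapped on the answer, which is the reported symptom.
SAMPLE_EVE = """\
{"flow_id": 1, "event_type": "dns", "src_ip": "10.7.5.101", "dest_ip": "10.7.5.5", "ether": {"src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a"}}
{"flow_id": 1, "event_type": "dns", "src_ip": "10.7.5.101", "dest_ip": "10.7.5.5", "ether": {"src_mac": "a4:1f:72:c2:09:6a", "dest_mac": "00:08:02:1c:47:ae"}}
{"flow_id": 2, "event_type": "http", "src_ip": "10.7.5.101", "dest_ip": "104.24.105.145", "ether": {"src_mac": "00:08:02:1c:47:ae", "dest_mac": "20:e5:2a:b6:93:f1"}}
{"flow_id": 3, "event_type": "flow", "src_ip": "10.7.5.101", "dest_ip": "10.7.5.5", "ether": {"src_macs": ["00:08:02:1c:47:ae"], "dest_macs": ["a4:1f:72:c2:09:6a"]}}
"""

def ip_mac_pairs(lines):
    # Yield (src_ip, src_mac, dest_ip, dest_mac) per event. Flow records carry
    # src_macs/dest_macs arrays (see note 2); per-packet events carry a scalar
    # src_mac/dest_mac. Events without ether info are skipped.
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ether = ev.get("ether") or {}
        src_macs = ether.get("src_macs") or [ether.get("src_mac")]
        dest_macs = ether.get("dest_macs") or [ether.get("dest_mac")]
        for s in src_macs:
            for d in dest_macs:
                if s and d:
                    yield ev["src_ip"], s, ev["dest_ip"], d

def find_conflicting_ips(lines):
    # {src_ip: {mac, ...}} for source IPs logged with more than one src_mac:
    # these are the duplicated IPs in the report's `jq ... | sort | uniq` listing.
    macs_by_ip = defaultdict(set)
    for src_ip, src_mac, _, _ in ip_mac_pairs(lines):
        macs_by_ip[src_ip].add(src_mac)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}

def find_swapped_directions(lines):
    # (src_ip, dest_ip) pairs for which the same two MACs are logged in both
    # orders, i.e. the ether direction disagrees with the IP direction.
    dirs_by_pair = defaultdict(set)
    for src_ip, src_mac, dest_ip, dest_mac in ip_mac_pairs(lines):
        dirs_by_pair[(src_ip, dest_ip)].add((src_mac, dest_mac))
    return {pair for pair, dirs in dirs_by_pair.items()
            if any((d, s) in dirs for s, d in dirs)}

if __name__ == "__main__":
    print(find_conflicting_ips(SAMPLE_EVE.splitlines()))
    print(find_swapped_directions(SAMPLE_EVE.splitlines()))
```

On a real eve.json, pass `open("eve.json")` as `lines`; after the fix in the next note both functions should return empty results on the MTA pcap.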
Updated by Eric Leblond about 1 year ago
I pushed an implementation that seems to fix the issue there: https://github.com/OISF/suricata/commit/d5fe84abd7d03293a8fc74d2778b17cd4b628bbf
For example:
cat ~/tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}
We have no duplicated IPs in this list.
Updated by Sascha Steinbiss about 1 year ago
This makes it more explicit indeed. Thanks for the explanation!
Updated by Philippe Antoine 10 months ago
- Status changed from New to In Review
Updated by Philippe Antoine 10 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Jeff Lucovsky 7 months ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Jeff Lucovsky 7 months ago
- Assignee changed from Philippe Antoine to OISF Dev
Updated by Philippe Antoine 6 months ago
- Status changed from In Review to Resolved
Updated by Victor Julien 6 months ago
- Status changed from Resolved to Closed
- Assignee changed from OISF Dev to Eric Leblond
Updated by Victor Julien 5 months ago
- Subject changed from Ethernet src should match src ip to eve: ethernet src_mac should match src_ip