Bug #6405

closed

eve: ethernet src_mac should match src_ip

Added by Eric Leblond about 1 year ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: medium
Difficulty:
Label:

Description

The ethernet IP addresses should match the IP addresses so the user can attribute the IP to the mac address. By that, I mean the src_ip address should correspond to the ether.src_mac and reverse for destination.

I've studied the problem with the pcap from MTA: https://www.malware-traffic-analysis.net/2019/07/05/index.html to try to collect information about the current status.

suricata -l /tmp/ip-ether/ -r ~/Downloads/2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap  -c suricata.yaml

As we can see via the following jq command, we have multiple associations:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5"}

In particular for 10.7.5.101:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac and .src_ip=="10.7.5.101")|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101"} # real mac address of host
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101"} # mac address of gw
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101"} # mac address of 10.7.5.5

If we add the application layer in the equation, we then can see that it is dependent on it:

cat /tmp/ip-ether/eve.json | jq 'select(.ether.dest_mac)|{"ether_src_mac": .ether.src_mac, "src_ip": .src_ip, "event_type": .event_type}' -c|sort | uniq
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"alert"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"fileinfo"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"http"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"krb5"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"00:08:02:1c:47:ae","src_ip":"10.7.5.101","event_type":"tls"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"104.24.105.145","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.240","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"144.217.50.243","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"170.238.117.187","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"181.129.140.140","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.117.73.76","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.175.156.13","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.193.141.176","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.248.87.88","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"185.251.38.235","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"198.12.71.157","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"23.63.254.169","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"46.17.46.97","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"5.188.168.49","event_type":"fileinfo"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"66.70.218.60","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"alert"}
{"ether_src_mac":"20:e5:2a:b6:93:f1","src_ip":"94.140.125.34","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"dns"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.101","event_type":"smb"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"alert"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"anomaly"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"dhcp"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"fileinfo"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"http"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"krb5"}
{"ether_src_mac":"a4:1f:72:c2:09:6a","src_ip":"10.7.5.5","event_type":"tls"}


Subtasks 2 (0 open, 2 closed)

Bug #6689: Ethernet src should match src ip (6.0.x backport) - Rejected
Bug #6690: eve: ethernet src_mac should match src_ip (7.0.x backport) - Closed - Philippe Antoine