Project

General

Profile

Actions

Bug #6567

open

anomaly and file info logs discrepancy results between versions

Added by Peter Manev about 1 year ago. Updated 12 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Reading the same pcap (attached, thanks to AnyRun) with Suricata 7.0.2 and latest gitmaster gives different results.
Mainly 1 extra fileinfo log with latest master vs Suricata 7.0.2
and 1 extra anomaly log with 7.0.2 vs latest master:

sudo /opt/suritest-profiling/bin/suricata  -S "rules/*.rules"  -l logs/ -k none -r ce7ca983-9e4b-4251-a7c3-fefa3da02ebe.pcap ;  echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; 

Notice: suricata: This is Suricata version 8.0.0-dev (d2b25af3f 2023-11-17) running in USER mode [LogVersion:suricata.c:1148]
Warning: app-layer-htp: Flash decompression is deprecated and will be removed in Suricata 8; see ticket #6179 [HTPConfigParseParameters:app-layer-htp.c:2908]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1893]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2807]
Notice: pcap: read 1 file, 5593 packets, 3650074 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:388]
Suricata event types:
     18 flow
      8 fileinfo
      7 alert
      4 http
      2 dns
      1 tls
      1 stats
Alerts:
      1 "ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI)" 
      1 "ETPRO POLICY External IP Address Lookup DNS Query (api .ip .sb)" 
      1 "ETPRO MALWARE RedLine - SetEnvironment Request" 
      1 "ETPRO MALWARE RedLine - EnvironmentSettings Request" 
      1 "ETPRO MALWARE RedLine - CheckConnect Request" 
      1 "ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound" 
      1 "ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response" 

sudo /opt/suritest702/bin/suricata  -S "rules/*.rules"  -l logs/ -k none -r ce7ca983-9e4b-4251-a7c3-fefa3da02ebe.pcap ;  echo "Suricata event types:" ; jq -r .event_type logs/eve.json | sort | uniq -c |sort -rn ; echo "Alerts:" ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; 

i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.
i: pcap: read 1 file, 5593 packets, 3650074 bytes
Suricata event types:
     18 flow
      7 fileinfo
      7 alert
      4 http
      2 dns
      1 tls
      1 stats
      1 anomaly
Alerts:
      1 "ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI)" 
      1 "ETPRO POLICY External IP Address Lookup DNS Query (api .ip .sb)" 
      1 "ETPRO MALWARE RedLine - SetEnvironment Request" 
      1 "ETPRO MALWARE RedLine - EnvironmentSettings Request" 
      1 "ETPRO MALWARE RedLine - CheckConnect Request" 
      1 "ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound" 
      1 "ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response" 

grep '"event_type":"anomaly"' logs/eve.json | jq . 
{
  "timestamp": "2023-09-18T08:13:58.882971+0200",
  "flow_id": 1676748533473995,
  "pcap_cnt": 2878,
  "event_type": "anomaly",
  "src_ip": "192.168.100.237",
  "src_port": 49175,
  "dest_ip": "142.11.240.191",
  "dest_port": 35361,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "metadata": {
    "flowbits": [
      "http.dottedquadhost" 
    ]
  },
  "tx_id": 3,
  "anomaly": {
    "app_proto": "http",
    "type": "applayer",
    "event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST",
    "layer": "proto_parser" 
  }
}

Files

Actions

Also available in: Atom PDF