Project

General

Profile

Actions

Bug #7199

open

Suricata 7 no longer logging app-layer metadata in alerts

Added by Antonin Bas 4 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

After upgrading from Suricata 6 to 7, alerts in the eve JSON output no longer seem to include app-layer metadata.
This is what we use to have:

{
  "timestamp": "2023-03-09T20:00:28.210821+0000",
  "flow_id": 627175734391745,
  "in_iface": "antrea-l7-tap0",
  "event_type": "alert",
  "vlan": [
    1
  ],
  "src_ip": "10.10.1.5",
  "src_port": 43352,
  "dest_ip": "10.10.1.4",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Reject by AntreaClusterNetworkPolicy:test-l7-ingress",
    "category": "",
    "severity": 3,
    "tenant_id": 1
  },
  "http": {
    "hostname": "10.10.1.4",
    "url": "/admin",
    "http_user_agent": "curl/7.74.0",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 1,
    "bytes_toserver": 284,
    "bytes_toclient": 74,
    "start": "2023-03-09T20:00:28.209857+0000" 
  }
}

This is what we have now with Suricata 7.0.6:
{
  "timestamp": "2024-08-26T22:19:16.005590+0000",
  "flow_id": 1147586615954996,
  "in_iface": "antrea-l7-tap0",
  "event_type": "alert",
  "vlan": [
    1
  ],
  "src_ip": "10.10.1.9",
  "src_port": 54728,
  "dest_ip": "10.10.1.10",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tenant_id": 1,
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2",
    "category": "",
    "severity": 3,
    "tenant_id": 1
  },
  "app_proto": "http",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 1,
    "bytes_toserver": 302,
    "bytes_toclient": 78,
    "start": "2024-08-26T22:19:16.005049+0000",
    "src_ip": "10.10.1.9",
    "dest_ip": "10.10.1.10",
    "src_port": 54728,
    "dest_port": 80
  }
}

The first output was captured with Suricata 6 a while back, but the rules were essentially the same. These are the rules I am using now:
reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;)
pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;)

And this is the relevant part of the config:

%YAML 1.1
---
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d.json
      rotate-interval: day
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
            tagged-packets: yes
        - tls:
            extended: yes

It seems to me that this change, which was not backported to 6, is responsible: https://github.com/OISF/suricata/pull/10876/files, as it added an extra condition for logging app-layer data.

I am assuming that even though the action is "blocked", the expectation is that http data can still be logged here (with the default `metadata` configuration for alerts).


Related issues 1 (1 open0 closed)

Related to Suricata - Task #7350: firewall usecase: log app-layer metadata for for catch-all drop rulesNewOISF DevActions
Actions

Also available in: Atom PDF