Bug #7902

open

IKE invalid JSON log output

Added by Jamie Lavigne 2 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I don't have a packet capture to reproduce this bug, but I have a credible bug report and a plausible explanation. The snippet below is a log output from an IKEv1 detection, but the JSON itself is not valid because it contains objects with duplicately-defined keys. The problematic keys in this example are sa_life_duration and sa_life_duration_raw which appear twice in some of the proposal objects. JSON parsers reading this as an input will either dedupe (quietly losing data), or fail with a parse error.

I can see how it seems possible for Suricata to produce an output like this - the add_attributes [1] iterates over a vector parsed from the IKE message and the JsonBuilder directly builds a JSON-formatted string from that input without validating, so when the transform vector contains duplicately-defined attributes it looks like both will come out in the output object.

Could you investigate to find a solution? I'm not deep enough in the details of IKEv1 to tell whether a repeated key in the proposal should be valid IKE or not, but I think regardless of invalid inputs Suricata should not produce an invalid JSON output. We have multiple reports of this happening so this is something that happens in the wild. The log below was produced using Suricata v7 but I see the same mechanism in the current master branch so I expect the same would happen in v8.

[1] https://github.com/OISF/suricata/blob/e62eb004599ec500aeacfa7150b0dbca19f0a0fb/rust/src/ike/logger.rs#L86

Log:

{
    "event":{
        "ike":{
            "ikev1":{
                "doi":1,
                "encrypted_payloads":false,
                "client":{
                    "proposals":[
                        {
                            "alg_enc":"EncAesCbc",
                            "alg_enc_raw":7,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":256,
                            "alg_hash":"HashSha2_384",
                            "alg_hash_raw":5,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupRandomEcp384",
                            "alg_dh_raw":20,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncAesCbc",
                            "alg_enc_raw":7,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":256,
                            "alg_hash":"HashSha2_256",
                            "alg_hash_raw":4,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupModp2048Bit",
                            "alg_dh_raw":14,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncAesCbc",
                            "alg_enc_raw":7,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":128,
                            "alg_hash":"HashSha",
                            "alg_hash_raw":2,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupAlternate1024BitModpGroup",
                            "alg_dh_raw":2,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncTripleDesCbc",
                            "alg_enc_raw":5,
                            "alg_hash":"HashSha",
                            "alg_hash_raw":2,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupAlternate1024BitModpGroup",
                            "alg_dh_raw":2,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncTripleDesCbc",
                            "alg_enc_raw":5,
                            "alg_hash":"HashMd5",
                            "alg_hash_raw":1,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupAlternate1024BitModpGroup",
                            "alg_dh_raw":2,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncDesCbc",
                            "alg_enc_raw":1,
                            "alg_hash":"HashSha",
                            "alg_hash_raw":2,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupDefault768BitModp",
                            "alg_dh_raw":1,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        },
                        {
                            "alg_enc":"EncDesCbc",
                            "alg_enc_raw":1,
                            "alg_hash":"HashMd5",
                            "alg_hash_raw":1,
                            "alg_auth":"AuthPreSharedKey",
                            "alg_auth_raw":1,
                            "alg_dh":"GroupDefault768BitModp",
                            "alg_dh_raw":1,
                            "sa_life_type":"LifeTypeSeconds",
                            "sa_life_type_raw":1,
                            "sa_life_duration":"Unknown",
                            "sa_life_duration_raw":65535
                        }
                    ]
                }
            }
        }
    }
}
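A consumer-side check for the problem described above, added here as an example and not part of the report or of Suricata: Python's json module silently keeps the last value of a repeated key, so an object_pairs_hook is used to surface every duplicate in an eve.json line (and to reject such lines outright when a strict parse is wanted). The two eve lines are constructed for the example; line 2 mirrors the repeated sa_life_duration / sa_life_duration_raw pair from the log.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (NDJSON, one event per line), not taken from
# the report verbatim. Line 1 is a well-formed proposal; line 2 carries the
# duplicated sa_life_duration / sa_life_duration_raw keys the bug describes.
EVE_LINES = [
    '{"event":{"ike":{"ikev1":{"client":{"proposals":[{"alg_enc":"EncAesCbc",'
    '"alg_enc_raw":7,"sa_life_type":"LifeTypeSeconds","sa_life_type_raw":1,'
    '"sa_life_duration":"Unknown","sa_life_duration_raw":65535}]}}}}}',
    '{"event":{"ike":{"ikev1":{"client":{"proposals":[{"alg_enc":"EncAesCbc",'
    '"alg_enc_raw":7,"sa_life_duration":"Unknown","sa_life_duration_raw":256,'
    '"sa_life_type":"LifeTypeSeconds","sa_life_type_raw":1,'
    '"sa_life_duration":"Unknown","sa_life_duration_raw":65535}]}}}}}',
]


def duplicate_keys(text):
    """Parse one JSON document; return {key: [all values seen]} for every key
    that occurs more than once inside a single object (any nesting depth)."""
    found = {}

    def hook(pairs):  # called for every object with the raw (key, value) list
        counts = Counter(k for k, _ in pairs)
        for key, n in counts.items():
            if n > 1:
                found.setdefault(key, []).extend(v for k, v in pairs if k == key)
        return dict(pairs)  # last value wins, same as plain json.loads

    json.loads(text, object_pairs_hook=hook)
    return found


def loads_strict(text):
    """json.loads that raises ValueError on a duplicate key instead of dropping data."""
    def hook(pairs):
        obj = {}
        for k, v in pairs:
            if k in obj:
                raise ValueError(f"duplicate key {k!r}: {obj[k]!r} and {v!r}")
            obj[k] = v
        return obj
    return json.loads(text, object_pairs_hook=hook)


def is_strictly_valid(text):
    """True if the document parses with no repeated keys in any object."""
    try:
        loads_strict(text)
        return True
    except ValueError:
        return False


def scan_eve(lines):
    """Return [(line_no, {key: values})] for each eve line carrying duplicate keys."""
    return [(n, d) for n, line in enumerate(lines, 1) if (d := duplicate_keys(line))]


def last_wins_value(text, key="sa_life_duration_raw"):
    """What a default json.loads consumer ends up with for the first proposal."""
    return json.loads(text)["event"]["ike"]["ikev1"]["client"]["proposals"][0][key]
```

Run against a real eve.json by feeding its lines to scan_eve; a hit means the earlier value (256 here) was silently lost by any default last-wins parser.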
