Project

General

Profile

Bug #5255

Updated by Victor Julien 4 months ago

Bug has more discussion here: https://forum.suricata.io/t/pcap-filename-in-eve-json-is-not-accurate-when-using-pcap-file-continuous/558/ 

 Reported pcap_filename in alerts are not correct. 
 pcap_filename is from a different event. 
 It is not possible to use suricata without --pcap-file-recursive because it takes too many time to scan each file separately. Suricata bootstrap goes too long (2 minutes per each file). There are hundreds of files each 10 minutes. 
 I have attached config file as you asked. 
 Please help me to resolve this issues. 

 <pre> 
 


 Suricata version 7.0.0-dev (3a490fb16 2022-03-04) 
 Linux version 5.11.0-49-generic (buildd@lcy02-amd64-054) (gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0, GNU ld (GNU Binutils for Ubuntu) 2.36.1) #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 

 /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /opt/nids/test/ --pcap-file-recursive -l /var/log/suricata/ 2>/dev/null 
 </pre> 
 <pre><code class="javascript"> 
 

 { 
 “timestamp”: “2022-03-22T08:59:08.174415+0000”, 
 “flow_id”: 1155331436357967, 
 “pcap_cnt”: 54854, 
 “event_type”: “alert”, 
 “src_ip”: “10.0.0.104”, 
 “src_port”: 57621, 
 “dest_ip”: “10.0.0.255”, 
 “dest_port”: 57621, 
 “proto”: “UDP”, 
 “ether”: { 
 “src_mac”: “XX:XX:XX:4d:b2:4d”, 
 “dest_mac”: “ff:ff:ff:ff:ff:ff” 
 }, 
 “community_id”: “1:4nybWSscJYddpIgTcsmSA0dz7v4=”, 
 “alert”: { 
 “action”: “allowed”, 
 “gid”: 1, 
 “signature_id”: 2027397, 
 “rev”: 1, 
 “signature”: “ET POLICY Spotify P2P Client”, 
 “category”: “Not Suspicious Traffic”, 
 “severity”: 3, 
 “metadata”: { 
 “affected_product”: [ 
 “Windows_Client_Apps” 
 ], 
 “attack_target”: [ 
 “Client_Endpoint” 
 ], 
 “created_at”: [ 
 “2019_05_30” 
 ], 
 “deployment”: [ 
 “Internal” 
 ], 
 “performance_impact”: [ 
 “Low” 
 ], 
 “signature_severity”: [ 
 “Minor” 
 ], 
 “updated_at”: [ 
 “2019_05_30” 
 ] 
 } 
 }, 
 “app_proto”: “failed”, 
 “flow”: { 
 “pkts_toserver”: 1, 
 “pkts_toclient”: 0, 
 “bytes_toserver”: 86, 
 “bytes_toclient”: 0, 
 “start”: “2022-03-22T08:59:08.174415+0000” 
 }, 
 “payload”: “hidden”, 
 “payload_printable”: “hidden”, 
 “stream”: 0, 
 “packet”: “hidden”, 
 “packet_info”: { 
 “linktype”: 1 
 }, 
 “pcap_filename”: “/test//20220322090615350400-XX:XX:XX:XX:83:12-0e8816425288d9684f038bc55c3c03XX.pcap” 
 } 
 { 
 “timestamp”: “2022-03-22T09:04:08.198805+0000”, 
 “flow_id”: 1155331436357967, 
 “pcap_cnt”: 118976, 
 “event_type”: “alert”, 
 “src_ip”: “10.0.0.104”, 
 “src_port”: 57621, 
 “dest_ip”: “10.0.0.255”, 
 “dest_port”: 57621, 
 “proto”: “UDP”, 
 “ether”: { 
 “src_mac”: “XX:XX:XX:4d:b2:4d”, 
 “dest_mac”: “ff:ff:ff:ff:ff:ff” 
 }, 
 “community_id”: “1:4nybWSscJYddpIgTcsmSA0dz7v4=”, 
 “alert”: { 
 “action”: “allowed”, 
 “gid”: 1, 
 “signature_id”: 2027397, 
 “rev”: 1, 
 “signature”: “ET POLICY Spotify P2P Client”, 
 “category”: “Not Suspicious Traffic”, 
 “severity”: 3, 
 “metadata”: { 
 “affected_product”: [ 
 “Windows_Client_Apps” 
 ], 
 “attack_target”: [ 
 “Client_Endpoint” 
 ], 
 “created_at”: [ 
 “2019_05_30” 
 ], 
 “deployment”: [ 
 “Internal” 
 ], 
 “performance_impact”: [ 
 “Low” 
 ], 
 “signature_severity”: [ 
 “Minor” 
 ], 
 “updated_at”: [ 
 “2019_05_30” 
 ] 
 } 
 }, 
 “app_proto”: “failed”, 
 “flow”: { 
 “pkts_toserver”: 11, 
 “pkts_toclient”: 0, 
 “bytes_toserver”: 946, 
 “bytes_toclient”: 0, 
 “start”: “2022-03-22T08:59:08.174415+0000” 
 }, 
 “payload”: “hidden”, 
 “payload_printable”: “hidden”, 
 “stream”: 0, 
 “packet”: “hidden”, 
 “packet_info”: { 
 “linktype”: 1 
 }, 
 “pcap_filename”: “/test//20220322090914541400-XX:XX:XX:XX:2b:92-40b8c45e48e3fee6df38d2482ac16dXX.pcap” 
 } 
 { 
 “timestamp”: “2022-03-22T09:09:08.224668+0000”, 
 “flow_id”: 1155331457946243, 
 “pcap_cnt”: 120400, 
 “event_type”: “alert”, 
 “src_ip”: “10.0.0.104”, 
 “src_port”: 57621, 
 “dest_ip”: “10.0.0.255”, 
 “dest_port”: 57621, 
 “proto”: “UDP”, 
 “ether”: { 
 “src_mac”: “XX:XX:XX:4d:b2:4d”, 
 “dest_mac”: “ff:ff:ff:ff:ff:ff” 
 }, 
 “community_id”: “1:4nybWSscJYddpIgTcsmSA0dz7v4=”, 
 “alert”: { 
 “action”: “allowed”, 
 “gid”: 1, 
 “signature_id”: 2027397, 
 “rev”: 1, 
 “signature”: “ET POLICY Spotify P2P Client”, 
 “category”: “Not Suspicious Traffic”, 
 “severity”: 3, 
 “metadata”: { 
 “affected_product”: [ 
 “Windows_Client_Apps” 
 ], 
 “attack_target”: [ 
 “Client_Endpoint” 
 ], 
 “created_at”: [ 
 “2019_05_30” 
 ], 
 “deployment”: [ 
 “Internal” 
 ], 
 “performance_impact”: [ 
 “Low” 
 ], 
 “signature_severity”: [ 
 “Minor” 
 ], 
 “updated_at”: [ 
 “2019_05_30” 
 ] 
 } 
 }, 
 “app_proto”: “failed”, 
 “flow”: { 
 “pkts_toserver”: 10, 
 “pkts_toclient”: 0, 
 “bytes_toserver”: 860, 
 “bytes_toclient”: 0, 
 “start”: “2022-03-22T09:04:38.201347+0000” 
 }, 
 “payload”: “hidden”, 
 “payload_printable”: “hidden”, 
 “stream”: 0, 
 “packet”: “hidden”, 
 “packet_info”: { 
 “linktype”: 1 
 }, 
 “pcap_filename”: “/test//20220322090950822200-XX:XX:XX:XX:c1:c2-c550d07ceda9c9adfe0473975ab638XX.pcap” 
 } 
 </code></pre> 

Back