[Oisf-users] Malformed EVE output alerts
Brandon Lattin
latt0050 at umn.edu
Wed Apr 8 18:47:11 UTC 2015
Finally got around to it.
Bug 1444
On Wed, Apr 8, 2015 at 1:04 PM, Peter Manev <petermanev at gmail.com> wrote:
> On Tue, Apr 7, 2015 at 9:10 PM, Brandon Lattin <latt0050 at umn.edu> wrote:
> >
> > I'm working to get a bug report submitted, as well as submitting a
> portion of our eve.json as well.
> >
> > I'm having some trouble getting registered at
> https://redmine.openinfosecfoundation.org. My account activation cookie
> seems to do nothing.
>
> Can you give it a try now?
>
>
> >
> >
> > On Tue, Apr 7, 2015 at 8:06 AM, Peter Manev <petermanev at gmail.com>
> wrote:
> >>
> >> On Tue, Apr 7, 2015 at 2:34 PM, Jay M. <jskier at gmail.com> wrote:
> >> > Interesting, I haven't seen this before. It could be the json library
> >> > (any version info on that, OS, and suricata?). I'm curious to see what
> >> > the payload (or packet) is as well which is likely causing this to
> >> > mush together.
> >> >
> >> > Also, are all the the initial (patient zero) alerts related to SQL or
> >> > DB queries?
> >> >
> >> > --
> >> > Jay
> >> > jskier at gmail.com
> >> >
> >> >
> >> > On Mon, Apr 6, 2015 at 4:41 PM, Brandon Lattin <latt0050 at umn.edu>
> wrote:
> >> >> I've noticed that occasionally alert events are being merged
> together in the
> >> >> EVE file output similar to below:
> >> >>
> >> >>
> {"timestamp":"2015-04-03T16:32:30.349251","flow_id":139548430087264,"in_iface":"snf0","event_type":"alert","vlan":3780,"src_ip":"<redacted>","src_port":59007,"dest_ip":"<redacted>","dest_port":80,"proto":"TCP","payload":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"timestamp":"2015-04-03T16:32:30.640428","flow_id":139550410637872,"in_iface":"snf0","event_type":"alert","vlan":3710,"src_ip":"<redacted>","src_port":63335,"dest_
> >> >
> ip":"<redacted>","dest_port":5432,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010939,"rev":2,"signature":"ET
> >> >> POLICY Suspicious inbound to PostgreSQL port
> 5432","category":"Potentially
> >> >> Bad
> >> >>
> Traffic","severity":2},"payload":"","stream":0,"packet":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
> >> >>
> >> >> To make thing even more confusing, the same event will merge with
> itself
> >> >> multiple times, as well as merge with completely unrelated events
> (as shown
> >> >> in the example above).
> >> >>
> >> >> I can provide non-redacted examples of this behavior if necessary
> >> >> (off-list).
> >>
> >> Can you please open a bug for that - and at our convenience share()
> >> the example where this could be reproduced?
> >>
> >> >>
> >> >> Is anyone else seeing this behavior?
> >> >>
> >> >> --
> >> >> Brandon Lattin
> >> >> Security Analyst
> >> >> University of Minnesota - University Information Security
> >> >> Office: 612-626-6672
> >> >>
> >> >> _______________________________________________
> >> >> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> >> >> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >> >> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >> Training now available: http://suricata-ids.org/training/
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > Training now available: http://suricata-ids.org/training/
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
> >
> >
> > --
> > Brandon Lattin
> > Security Analyst
> > University of Minnesota - University Information Security
> > Office: 612-626-6672
>
>
>
>
> --
> Regards,
> Peter Manev
>
--
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150408/b1e8b58e/attachment-0002.html>
More information about the Oisf-users
mailing list