[Oisf-users] Suricata 4.0.0 EVE output vs Suricata 3.2.0
Tom Peterson
tom at cloudshark.org
Thu Aug 3 14:03:32 UTC 2017
Hi Jason,
Thank you for the response! A capture file can be downloaded by going to
the following link and selecting 'Export -> Download File' (Exporting a new
pcapng should work fine):
https://www.cloudshark.org/captures/cab70e09a7dd/
I've attached a suricata config and the rule to this e-mail as well. The
command I used to generate the eve.json file for this was:
suricata -c ./no_pcap_cnt_suricata.yaml -S ./no_pcap_cnt.rule -l ./ -r
threat_sig_2018856.pcapng
For me the resulting eve.json file contains:
$ cat eve.json | jq .
{
"timestamp": "2016-12-16T21:33:41.898453-0500",
"flow_id": 804759363442117,
"event_type": "alert",
"src_ip": "65.181.112.240",
"src_port": 80,
"dest_ip": "172.16.2.96",
"dest_port": 49191,
"proto": "TCP",
"tx_id": 1,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2018856,
"rev": 10,
"signature": "ET TROJAN Windows executable base64 encoded",
"category": "A Network Trojan was Detected",
"severity": 1
},
"app_proto": "http",
"stream": 1
}
Is this enough for you to reproduce this? I'm happy to collect any other
information for you that I can!
I'll be looking to see if I can find other rule/pcap combinations that have
the same behavior as well.
Thanks,
Tom
On Wed, Aug 2, 2017 at 4:09 PM, Jason Ish <lists at ish.cx> wrote:
> Hi Tom,
>
> On 2017-08-02 12:27 PM, Tom Peterson wrote:
>
>> Hi all,
>>
>> Thanks for all the hard work on Suricata! I've found it quite easy to
>> build, install, and configure on CentOS which I'm sure took a lot of work
>> and it's just been very user friendly to work with!
>>
>> I'm looking at Suricata 4.0.0 and the EVE output that it generates and
>> I'm noticing some differences from Suricata 3.2.0. For example I'm looking
>> at the following rule:
>>
>> ----------------------------------------------
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Windows
>> executable base64 encoded";
>> flow: established,from_server;
>> file_data;
>> content:"TVqQA";
>> pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs";
>> reference:md5,49aca228674651cba776be727bdb7e60;
>> classtype:trojan-activity;
>> sid:2018856;
>> rev:10;
>> )
>> ----------------------------------------------
>>
>> In Suricata 4.0.0 I'm noticing that the 'pcap_cnt' and 'payload' values
>> are no longer in the EVE json report.
>>
>> My guess is that this has something to do with the 'file_data' keyword in
>> the rule and the new http and metadata logging options in Suricata 4.0.0.
>> I've played with these options a bit but I haven't found a way to get to
>> these two values in the EVE output.
>>
>> I'm still investigating this but was wondering if anyone could help me
>> understand this difference.
>>
>> I believe the relevant portion of the eve-log config is:
>>
>> Suricata 3.2.0:
>>
>> ----------------------------------------------
>> types:
>> - alert:
>> payload: yes # enable dumping payload in Base64
>> # payload-buffer-size: 4kb # max size of payload buffer to
>> output in eve-log
>> # payload-printable: yes # enable dumping payload in
>> printable (lossy) format
>> # packet: yes # enable dumping of packet
>> (without stream segments)
>> http: no # enable dumping of http fields
>> tls: no # enable dumping of tls fields
>> ssh: no # enable dumping of ssh fields
>> smtp: no # enable dumping of smtp fields
>> dnp3: no # enable dumping of DNP3 fields
>> ----------------------------------------------
>>
>> Suricata 4.0.0:
>>
>> ----------------------------------------------
>> types:
>> - alert:
>> payload: yes # enable dumping payload in Base64
>> # payload-buffer-size: 4kb # max size of payload buffer to
>> output in eve-log
>> # payload-printable: yes # enable dumping payload in
>> printable (lossy) format
>> # packet: yes # enable dumping of packet
>> (without stream segments)
>> http-body: no # enable dumping of http body in
>> Base64
>> http-body-printable: no # enable dumping of http body in
>> printable format
>> metadata: no # add L7/applayer fields, flowbit
>> and other vars to the alert
>> ----------------------------------------------
>>
>> Right now I've generated alerts for all of the malware-traffic-analysis
>> pcaps with the ET Open rules on Suricata 3.2.0 and 4.0.0 and going through
>> all of the differences in the EVE output. If anyone is interested I can
>> share my other findings so far.
>>
>
> In all my test cases I have pcap_cnt, and payload. Are you able to bundle
> up a test case that shows this? Rule, pcap, and probably your suricata.yaml?
>
> Thanks,
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eve.json
Type: application/json
Size: 414 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0002.json>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_pcap_cnt_suricata.yaml
Type: application/octet-stream
Size: 63911 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_pcap_cnt.rule
Type: application/octet-stream
Size: 310 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0005.obj>
More information about the Oisf-users
mailing list