[Oisf-users] Suricata 4.0.0 EVE output vs Suricata 3.2.0

Tom Peterson tom at cloudshark.org
Thu Aug 3 14:03:32 UTC 2017


Hi Jason,

Thank you for the response! A capture file can be downloaded by going to
the following link and selecting 'Export -> Download File' (Exporting a new
pcapng should work fine):

https://www.cloudshark.org/captures/cab70e09a7dd/

I've attached a suricata config and the rule to this e-mail as well. The
command I used to generate the eve.json file for this was:

suricata -c ./no_pcap_cnt_suricata.yaml -S ./no_pcap_cnt.rule -l ./ -r threat_sig_2018856.pcapng

For me the resulting eve.json file contains:

$ cat eve.json | jq .
{
  "timestamp": "2016-12-16T21:33:41.898453-0500",
  "flow_id": 804759363442117,
  "event_type": "alert",
  "src_ip": "65.181.112.240",
  "src_port": 80,
  "dest_ip": "172.16.2.96",
  "dest_port": 49191,
  "proto": "TCP",
  "tx_id": 1,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2018856,
    "rev": 10,
    "signature": "ET TROJAN Windows executable base64 encoded",
    "category": "A Network Trojan was Detected",
    "severity": 1
  },
  "app_proto": "http",
  "stream": 1
}

Is this enough for you to reproduce this? I'm happy to collect any other
information for you that I can!

I'll be looking to see if I can find other rule/pcap combinations that have
the same behavior as well.

Thanks,
Tom



On Wed, Aug 2, 2017 at 4:09 PM, Jason Ish <lists at ish.cx> wrote:

> Hi Tom,
>
> On 2017-08-02 12:27 PM, Tom Peterson wrote:
>
>> Hi all,
>>
>> Thanks for all the hard work on Suricata! I've found it quite easy to
>> build, install, and configure on CentOS which I'm sure took a lot of work
>> and it's just been very user friendly to work with!
>>
>> I'm looking at Suricata 4.0.0 and the EVE output that it generates and
>> I'm noticing some differences from Suricata 3.2.0. For example I'm looking
>> at the following rule:
>>
>> ----------------------------------------------
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Windows executable base64 encoded";
>>   flow: established,from_server;
>>   file_data;
>>   content:"TVqQA";
>>   pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs";
>>   reference:md5,49aca228674651cba776be727bdb7e60;
>>   classtype:trojan-activity;
>>   sid:2018856;
>>   rev:10;
>> )
>> ----------------------------------------------
>>
>> In Suricata 4.0.0 I'm noticing that the 'pcap_cnt' and 'payload' values
>> are no longer in the EVE json report.
>>
>> My guess is that this has something to do with the 'file_data' keyword in
>> the rule and the new http and metadata logging options in Suricata 4.0.0.
>> I've played with these options a bit but I haven't found a way to get to
>> these two values in the EVE output.
>>
>> I'm still investigating this but was wondering if anyone could help me
>> understand this difference.
>>
>> I believe the relevant portion of the eve-log config is:
>>
>> Suricata 3.2.0:
>>
>> ----------------------------------------------
>>        types:
>>          - alert:
>>              payload: yes             # enable dumping payload in Base64
>>              # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
>>              # payload-printable: yes   # enable dumping payload in printable (lossy) format
>>              # packet: yes              # enable dumping of packet (without stream segments)
>>              http: no                # enable dumping of http fields
>>              tls: no                 # enable dumping of tls fields
>>              ssh: no                 # enable dumping of ssh fields
>>              smtp: no                # enable dumping of smtp fields
>>              dnp3: no                # enable dumping of DNP3 fields
>> ----------------------------------------------
>>
>> Suricata 4.0.0:
>>
>> ----------------------------------------------
>>        types:
>>          - alert:
>>              payload: yes             # enable dumping payload in Base64
>>              # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
>>              # payload-printable: yes   # enable dumping payload in printable (lossy) format
>>              # packet: yes              # enable dumping of packet (without stream segments)
>>              http-body: no           # enable dumping of http body in Base64
>>              http-body-printable: no # enable dumping of http body in printable format
>>              metadata: no              # add L7/applayer fields, flowbit and other vars to the alert
>> ----------------------------------------------
>>
>> Right now I've generated alerts for all of the malware-traffic-analysis
>> pcaps with the ET Open rules on Suricata 3.2.0 and 4.0.0 and going through
>> all of the differences in the EVE output. If anyone is interested I can
>> share my other findings so far.
>>
>
> In all my test cases I have pcap_cnt, and payload. Are you able to bundle
> up a test case that shows this? Rule, pcap, and probably your suricata.yaml?
>
> Thanks,
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
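Tom describes going through the differences in EVE output between 3.2.0 and 4.0.0 for the same rules and pcaps. The script below is an added example of how that comparison can be scripted; it is not code from Tom or from the Suricata project. It reads two eve.json files (here, constructed sample lines embedded in the script, with invented pcap_cnt values and payload strings), matches alerts across versions on the (signature_id, flow_id, timestamp) triple (an assumption that those fields are stable between versions; they are present in the record Tom posted), and reports per signature which top-level fields disappeared or appeared, plus how many alerts in the newer output lack pcap_cnt or payload. To run it against real output, replace the embedded strings with the contents of the two eve.json files.

```python
"""Diff alert fields between two Suricata EVE (eve.json) outputs.

Both inputs are newline-delimited JSON as written by Suricata's eve-log.
Added example; not part of the mailing-list thread or of Suricata itself.
"""
import json
from collections import defaultdict

# Constructed sample records (NOT real Suricata output): two alert lines and
# one flow line per file, trimmed to the fields needed here. The pcap_cnt
# values and payload strings are invented for illustration.
EVE_3_2 = """\
{"timestamp":"2016-12-16T21:33:41.898453-0500","flow_id":804759363442117,"pcap_cnt":57,"event_type":"alert","src_ip":"65.181.112.240","src_port":80,"dest_ip":"172.16.2.96","dest_port":49191,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2018856,"rev":10,"signature":"ET TROJAN Windows executable base64 encoded","category":"A Network Trojan was Detected","severity":1},"payload":"SFRUUC8xLjEgMjAwIE9L","payload_printable":"HTTP/1.1 200 OK","stream":1}
{"timestamp":"2016-12-16T21:33:40.000000-0500","flow_id":1,"pcap_cnt":12,"event_type":"alert","src_ip":"10.0.0.1","src_port":1234,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"TEST rule","category":"Misc activity","severity":3},"payload":"R0VUIC8=","stream":0}
{"timestamp":"2016-12-16T21:33:42.000000-0500","flow_id":1,"event_type":"flow","proto":"TCP"}
"""

EVE_4_0 = """\
{"timestamp":"2016-12-16T21:33:41.898453-0500","flow_id":804759363442117,"event_type":"alert","src_ip":"65.181.112.240","src_port":80,"dest_ip":"172.16.2.96","dest_port":49191,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018856,"rev":10,"signature":"ET TROJAN Windows executable base64 encoded","category":"A Network Trojan was Detected","severity":1},"app_proto":"http","stream":1}
{"timestamp":"2016-12-16T21:33:40.000000-0500","flow_id":1,"pcap_cnt":12,"event_type":"alert","src_ip":"10.0.0.1","src_port":1234,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"TEST rule","category":"Misc activity","severity":3},"payload":"R0VUIC8=","stream":0}
{"timestamp":"2016-12-16T21:33:42.000000-0500","flow_id":1,"event_type":"flow","proto":"TCP"}
"""


def load_alerts(text):
    """Parse newline-delimited EVE JSON and index alert events.

    The key (signature_id, flow_id, timestamp) is assumed to identify the same
    alert in both versions. Two alerts sharing all three values would collide
    and the later one would win; that is acceptable for a field-level diff.
    """
    alerts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, http, fileinfo, ... records are not compared here
        key = (rec["alert"]["signature_id"], rec["flow_id"], rec["timestamp"])
        alerts[key] = rec
    return alerts


def diff_fields(old, new):
    """Return ({sid: dropped top-level fields}, {sid: added top-level fields}).

    Only alerts present in both outputs are compared, so a rule that fires in
    one version but not the other does not show up as a field difference.
    """
    dropped, added = defaultdict(set), defaultdict(set)
    for key, old_rec in old.items():
        new_rec = new.get(key)
        if new_rec is None:
            continue
        sid = key[0]
        dropped[sid] |= set(old_rec) - set(new_rec)
        added[sid] |= set(new_rec) - set(old_rec)
    return ({s: f for s, f in dropped.items() if f},
            {s: f for s, f in added.items() if f})


def missing_field_counts(alerts, fields=("pcap_cnt", "payload")):
    """Count, per signature, how many alerts in one output lack each field."""
    counts = {f: defaultdict(int) for f in fields}
    for (sid, _flow, _ts), rec in alerts.items():
        for f in fields:
            if f not in rec:
                counts[f][sid] += 1
    return {f: dict(c) for f, c in counts.items()}


def report(dropped, added, missing):
    """Render the comparison as plain text lines, one finding per line."""
    lines = []
    for sid in sorted(set(dropped) | set(added)):
        d = ", ".join(sorted(dropped.get(sid, ()))) or "-"
        a = ", ".join(sorted(added.get(sid, ()))) or "-"
        lines.append(f"sid {sid}: dropped [{d}] added [{a}]")
    for field, per_sid in missing.items():
        for sid, n in sorted(per_sid.items()):
            lines.append(f"sid {sid}: {n} alert(s) without '{field}' in newer output")
    return lines


if __name__ == "__main__":
    old, new = load_alerts(EVE_3_2), load_alerts(EVE_4_0)
    dropped, added = diff_fields(old, new)
    print("\n".join(report(dropped, added, missing_field_counts(new))))
```

Grouping by sid is what makes the output useful: if the alerts missing pcap_cnt and payload cluster on particular rules, you can check whether those rules share a keyword such as file_data, which is the guess Tom is testing, rather than reading the two eve.json files side by side.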
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eve.json
Type: application/json
Size: 414 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0002.json>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_pcap_cnt_suricata.yaml
Type: application/octet-stream
Size: 63911 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_pcap_cnt.rule
Type: application/octet-stream
Size: 310 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170803/625205fd/attachment-0005.obj>