[Oisf-users] question about http eve log data source/dest flip
jason taylor
jtfas90 at gmail.com
Thu Feb 1 13:59:13 UTC 2018
Hi All,
We started seeing some of our http traffic source and destination data
flipped.
I looked through the redmine tickets and didn't see anything similar so
figured I would check in with folks here to see if anyone else has run
across this.
As far as we can tell it appears to happen when a client is going to
port 443/ssl traffic through our proxies.
flow data source and destination are correct so it appears to maybe be
related to http parsing.
Attached are the suricata build information, json log data and pcap.
Let me know if there is any other information that would be useful.
JT
-------------- next part --------------
http EVE log:
{"timestamp":"2018-01-30T14:28:03.654946-0500","flow_id":1848866504903482,"event_type":"http","src_ip":"10.123.173.114","src_port":8080,"dest_ip":"10.120.128.236","dest_port":53909,"proto":"TCP","tx_id":0,"http":{"hostname":"qagpublic.qg1.apps.qualys.com","url":"qagpublic.qg1.apps.qualys.com:443"}}
tls EVE log:
{"timestamp":"2018-01-30T14:28:03.745300-0500","flow_id":1848866504903482,"pcap_cnt":14,"event_type":"tls","src_ip":"10.120.128.236","src_port":53909,"dest_ip":"10.123.173.114","dest_port":8080,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=Redwood City, O=Qualys, Inc., OU=Production, CN=qagpublic.qg1.apps.qualys.com","issuerdn":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server SHA256 SSL CA","serial":"53:69:DA:29:E6:0B:BD:EE:C5:B1:5A:12:C1:30:4C:1B","fingerprint":"4a:33:62:1b:07:58:d5:78:0f:fb:f4:fc:88:eb:81:f4:e1:c0:8c:2d","sni":"qagpublic.qg1.apps.qualys.com","version":"TLS 1.2","notbefore":"2017-04-26T00:00:00","notafter":"2019-04-27T23:59:59","from_proto":"http"}}
flow EVE log:
{"timestamp":"2018-01-30T14:29:04.078794-0500","flow_id":1848866504903482,"event_type":"flow","src_ip":"10.120.128.236","src_port":53909,"dest_ip":"10.123.173.114","dest_port":8080,"proto":"TCP","app_proto":"tls","app_proto_orig":"http","flow":{"pkts_toserver":12,"pkts_toclient":16,"bytes_toserver":2377,"bytes_toclient":5185,"start":"2018-01-30T14:28:03.592698-0500","end":"2018-01-30T14:29:04.078794-0500","age":61,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"db","tcp_flags_ts":"db","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"ecn":true,"cwr":true,"state":"closed"}}
stats EVE log:
{"timestamp":"2018-01-31T09:22:26.419520-0500","event_type":"stats","stats":{"uptime":0,"decoder":{"pkts":28,"bytes":7562,"invalid":0,"ipv4":28,"ipv6":0,"ethernet":28,"raw":0,"null":0,"sll":0,"tcp":28,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":270,"max_pkt_size":1384,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7074592},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":1,"ssn_memcap_drop":0,"pseudo":2,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1,"synack":1,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":1146880,"reassembly_memuse":163840},"detect":{"alert":0},"app_layer":{"flow":{"http":1,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":1,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"file_store":{"open_files":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}
-------------- next part --------------
This is Suricata version 4.0.3 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Libnet support: yes
Rust support (experimental): no
Experimental Rust parsers: no
Rust strict mode: no
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
Host: x86_64-redhat-linux-gnu
Compiler: gcc -std=gnu99 (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: backwards.pcap
Type: application/vnd.tcpdump.pcap
Size: 8034 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180201/ef50c0e6/attachment-0001.pcap>
More information about the Oisf-users
mailing list