[Oisf-users] question about http eve log data source/dest flip

jason taylor jtfas90 at gmail.com
Thu Feb 1 13:59:13 UTC 2018 

Hi All,

We started seeing some of our http traffic source and destination data
flipped. 

I looked through the redmine tickets and didn't see anything similar so
figured I would check in with folks here to see if anyone else has run
across this.

As far as we can tell it appears to happen when a client is going to
port 443/ssl traffic through our proxies.

flow data source and destination are correct so it appears to maybe be
related to http parsing.

Attached are the suricata build information, json log data and pcap.

Let me know if there is any other information that would be useful.

JT

-------------- next part --------------
http EVE log:
{"timestamp":"2018-01-30T14:28:03.654946-0500","flow_id":1848866504903482,"event_type":"http","src_ip":"10.123.173.114","src_port":8080,"dest_ip":"10.120.128.236","dest_port":53909,"proto":"TCP","tx_id":0,"http":{"hostname":"qagpublic.qg1.apps.qualys.com","url":"qagpublic.qg1.apps.qualys.com:443"}}

tls EVE log:
{"timestamp":"2018-01-30T14:28:03.745300-0500","flow_id":1848866504903482,"pcap_cnt":14,"event_type":"tls","src_ip":"10.120.128.236","src_port":53909,"dest_ip":"10.123.173.114","dest_port":8080,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=Redwood City, O=Qualys, Inc., OU=Production, CN=qagpublic.qg1.apps.qualys.com","issuerdn":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server SHA256 SSL CA","serial":"53:69:DA:29:E6:0B:BD:EE:C5:B1:5A:12:C1:30:4C:1B","fingerprint":"4a:33:62:1b:07:58:d5:78:0f:fb:f4:fc:88:eb:81:f4:e1:c0:8c:2d","sni":"qagpublic.qg1.apps.qualys.com","version":"TLS 1.2","notbefore":"2017-04-26T00:00:00","notafter":"2019-04-27T23:59:59","from_proto":"http"}}

flow EVE log:
{"timestamp":"2018-01-30T14:29:04.078794-0500","flow_id":1848866504903482,"event_type":"flow","src_ip":"10.120.128.236","src_port":53909,"dest_ip":"10.123.173.114","dest_port":8080,"proto":"TCP","app_proto":"tls","app_proto_orig":"http","flow":{"pkts_toserver":12,"pkts_toclient":16,"bytes_toserver":2377,"bytes_toclient":5185,"start":"2018-01-30T14:28:03.592698-0500","end":"2018-01-30T14:29:04.078794-0500","age":61,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"db","tcp_flags_ts":"db","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"ecn":true,"cwr":true,"state":"closed"}}

stats EVE log:
{"timestamp":"2018-01-31T09:22:26.419520-0500","event_type":"stats","stats":{"uptime":0,"decoder":{"pkts":28,"bytes":7562,"invalid":0,"ipv4":28,"ipv6":0,"ethernet":28,"raw":0,"null":0,"sll":0,"tcp":28,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":270,"max_pkt_size":1384,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7074592},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":1,"ssn_memcap_drop":0,"pseudo":2,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1,"synack":1,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":1146880,"reassembly_memuse":163840},"detect":{"alert":0},"app_layer":{"flow":{"http":1,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":1,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"file_store":{"open_files":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}

-------------- next part --------------
This is Suricata version 4.0.3 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC 
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          yes

  Rust support (experimental):             no
  Experimental Rust parsers:               no
  Rust strict mode:                        no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-redhat-linux-gnu
  Compiler:                                gcc -std=gnu99 (exec name) / gcc (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic
  PCAP_CFLAGS                               
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

-------------- next part --------------
A non-text attachment was scrubbed...
Name: backwards.pcap
Type: application/vnd.tcpdump.pcap
Size: 8034 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180201/ef50c0e6/attachment-0001.pcap>

More information about the Oisf-users mailing list