[Oisf-users] Eve logs missing payload and payload_printable for http proto alerts

Eric Urban eurban at umn.edu
Thu Nov 8 21:46:48 UTC 2018

I am wondering if anyone else has noticed the following behavior or can
provide advice on what may be the cause of it?

Over the last month and a half we have had a large number of alerts
triggered from HTTP rules that have no payload and no payload_printable
data present in the logged alert.  Both the fields and values in these
alerts are absent from the EVE logs.

This is happening mostly for Emerging Threats rule 2016683 (
http://doc.emergingthreats.net/bin/view/Main/2016683) where about 50% of
the alerts are missing payload/payload_printable data.  That rule has a
content match in http_client_body so we would expect the traffic triggering
the alert to have payload.  There are other HTTP rules (e.g. 2019182,
2011768) where we see missing payload/payload_printable as well but these
do not have nearly as high of a percentage of alerts with this behavior.

Something else worth noting is that we do have metadata logging enabled,
and in about 25% of these cases there is HTTP metadata included for these
alerts that are missing payload/payload_printable data.  I understand the
metadata does not include payload info, but thought it was worth mentioning
since other application layer logging is happening fine in some of these

Also, this behavior looks to have significantly increased after upgrading
from 3.2.5 to 4.0.5.  I suppose it could be possible the type of traffic
triggering these alerts is different so may be a red herring, but the
difference is large enough that I feel it could be a factor.  I noticed too
that in the 3.2.5 alert data we have that there are many cases where
payload_printable is not present but payload is there.  In our 4.0.5 alert
data, I was not able to find such a case.

Eric Urban
University Information Security | Office of Information Technology |
University of Minnesota | umn.edu
eurban at umn.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181108/cdfc71b9/attachment.html>

More information about the Oisf-users mailing list