[Oisf-users] Eve logs missing payload and payload_printable for http proto alerts

Peter Manev petermanev at gmail.com
Thu Jan 17 12:26:28 UTC 2019 

On Thu, Nov 8, 2018 at 10:47 PM Eric Urban <eurban at umn.edu> wrote:
>
> I am wondering if anyone else has noticed the following behavior or can provide advice on what may be the cause of it?
>
> Over the last month and a half we have had a large number of alerts triggered from HTTP rules that have no payload and no payload_printable data present in the logged alert.  Both the fields and values in these alerts are absent from the EVE logs.
>
> This is happening mostly for Emerging Threats rule 2016683 (http://doc.emergingthreats.net/bin/view/Main/2016683) where about 50% of the alerts are missing payload/payload_printable data.  That rule has a content match in http_client_body so we would expect the traffic triggering the alert to have payload.  There are other HTTP rules (e.g. 2019182, 2011768) where we see missing payload/payload_printable as well but these do not have nearly as high of a percentage of alerts with this behavior.
>
> Something else worth noting is that we do have metadata logging enabled, and in about 25% of these cases there is HTTP metadata included for these alerts that are missing payload/payload_printable data.  I understand the metadata does not include payload info, but thought it was worth mentioning since other application layer logging is happening fine in some of these cases.
>
> Also, this behavior looks to have significantly increased after upgrading from 3.2.5 to 4.0.5.  I suppose it could be possible the type of traffic triggering these alerts is different so may be a red herring, but the difference is large enough that I feel it could be a factor.  I noticed too that in the 3.2.5 alert data we have that there are many cases where payload_printable is not present but payload is there.  In our 4.0.5 alert data, I was not able to find such a case.
>

If this is the case(such a large - 50% diff with that sig)  with 4.1.2
would it be possible to reproduce it with a pcap ?

Thank you




-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list