Eve.json, alert_http.json Response data extraction error

version: (given in a screenshot that is not preserved here)

As shown in the figure above, three logs from the same session can be seen: two from alert_http.json and one from eve.json.

  1. According to the URL accessed by the browser, /app/.git/config, the actual response code is 404, but the response code in alert_http.json is 200 and there is a response body, which is obviously wrong.
  2. Visiting /notice/8.0.0/ios/Version.txt: the actual response code is 200 and there is a response body, but the corresponding alert_http.json record has no response information, so the response data is lost.
  3. In eve.json, the log for the URL /app/.git/config also has a response body and a response code of 200, which is obviously wrong.

Can you help me solve it? Thank you.
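A cross-check for the inconsistency described in this report, added here as an example; it is not part of the original post and not Suricata's own tooling. The eve.json lines are constructed to model the described session (the second rule, signature_id 2, is hypothetical), and the assumed eve layout is the standard one: alert and http records sharing flow_id and tx_id, with request and response fields in the http object. The check pairs each alert with the http event of the same transaction and reports a missing response, a response that belongs to a sibling transaction on the same flow, or a plain status mismatch.

```python
import json
from collections import defaultdict

# Constructed eve.json records (not real sensor output) modelling the symptom
# reported in the post: on flow 1001, transaction 0 is GET /app/.git/config
# (really a 404) and transaction 1 is GET /notice/8.0.0/ios/Version.txt (200).
# The alert for tx 0 carries tx 1's response fields; the alert for tx 1 has none.
# signature_id 2 / "version file probe" is a hypothetical rule used only here.
SAMPLE_EVE = """
{"event_type":"http","flow_id":1001,"tx_id":0,"http":{"hostname":"app.example","url":"/app/.git/config","http_method":"GET","status":404,"length":153}}
{"event_type":"alert","flow_id":1001,"tx_id":0,"alert":{"gid":212669,"signature_id":1,"signature":"git sensitive file probe"},"http":{"hostname":"app.example","url":"/app/.git/config","http_method":"GET","status":200,"length":2048}}
{"event_type":"http","flow_id":1001,"tx_id":1,"http":{"hostname":"app.example","url":"/notice/8.0.0/ios/Version.txt","http_method":"GET","status":200,"length":2048}}
{"event_type":"alert","flow_id":1001,"tx_id":1,"alert":{"gid":212669,"signature_id":2,"signature":"version file probe"},"http":{"hostname":"app.example","url":"/notice/8.0.0/ios/Version.txt","http_method":"GET"}}
"""

# Response-side fields of the eve "http" object; an alert should only carry
# them if they belong to the alert's own transaction.
RESPONSE_FIELDS = ("status", "length")


def parse_eve(text):
    """Parse newline-delimited eve.json text into a list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_http_events(records):
    """Map (flow_id, tx_id) -> the http object of the event_type=http record.

    The http event is logged once per completed transaction, so it is the
    reference for which request and response that tx actually had.
    """
    return {
        (r["flow_id"], r.get("tx_id")): r["http"]
        for r in records
        if r.get("event_type") == "http" and "http" in r
    }


def check_alert_http_consistency(records):
    """Compare each alert's http object with the http event of the same tx.

    Returns a list of ((flow_id, tx_id), reason) findings: a missing http
    event, a URL mismatch, an alert with no response fields, or response
    fields that disagree with the tx (naming the sibling tx they match, if any).
    """
    http_by_tx = index_http_events(records)
    txs_by_flow = defaultdict(list)
    for (flow_id, tx_id), h in http_by_tx.items():
        txs_by_flow[flow_id].append((tx_id, h))

    findings = []
    for r in records:
        if r.get("event_type") != "alert" or "http" not in r:
            continue
        key = (r["flow_id"], r.get("tx_id"))
        alert_http = r["http"]
        truth = http_by_tx.get(key)
        if truth is None:
            findings.append((key, "no http event logged for this tx"))
            continue
        if alert_http.get("url") != truth.get("url"):
            findings.append((key, "url differs from the http event"))
            continue
        if "status" not in alert_http:
            findings.append((key, "alert carries no response fields"))
            continue
        if all(alert_http.get(f) == truth.get(f) for f in RESPONSE_FIELDS):
            continue  # consistent with its own transaction
        # Response fields disagree with this tx: look for another tx on the
        # same flow with exactly these values, i.e. a mis-attributed response.
        donors = [
            tx_id for tx_id, h in txs_by_flow[key[0]]
            if tx_id != key[1]
            and all(h.get(f) == alert_http.get(f) for f in RESPONSE_FIELDS)
        ]
        if donors:
            findings.append((key, "response fields belong to tx %d" % donors[0]))
        else:
            findings.append((key, "status %s differs from http event status %s"
                             % (alert_http.get("status"), truth.get("status"))))
    return findings


if __name__ == "__main__":
    for key, reason in check_alert_http_consistency(parse_eve(SAMPLE_EVE)):
        print("flow %d tx %s: %s" % (key[0], key[1], reason))
```

Run against a real eve.json by replacing SAMPLE_EVE with the file contents; pairing on (flow_id, tx_id) is what makes the "belongs to tx N" verdict possible, so keep tx_id enabled in the eve output.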

Can you share the rule that generates the alerts?

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"git敏感文件探测"; flow:established,to_server; http.uri; pcre: "/git/i"; metadata:attack_result 1; flowbits:isnotset,sensitive_file_special_auth; flowbits:set,session.sensitive_file_special; lua:/etc/suricata/check/sensitive_file.lua; sid: 1; gid: 212669;)

The content of sensitive_file.lua is to obtain the URL and match it against the git-related keyword library; the scheduled release is similar.

What buffer does the lua script inspect?

local helper = require("common/helper")
local logger = require("common/logger")
local cjson = require("cjson")
luaunit = require("luaunit")

-- Name of this module
moduleName = "check.sensitive_file"

-- Load the keyword dictionary
sensitive_file_keywords = helper.loadFile("sensitive_file_keywords.json")

-- Rule filter: maps a rule gid to its key in sensitive_file_keywords.json
local sensitiveFileFilterMap = {
    [212669] = "git",
    [214582] = "svn",
}

function errorHandler(err)
    logger.writeLog(moduleName, logger.LogLevel.ERROR, err)
end

function init_data()
    sensitive_file_keywords = cjson.decode(sensitive_file_keywords)
    for k, item in pairs(sensitive_file_keywords) do
        -- Write the lowercased list back into the table; reassigning the
        -- loop variable alone would discard the result
        sensitive_file_keywords[k] = helper.convertListToLowercase(item)
    end
end

local ret, _ = xpcall(init_data, errorHandler)
if not ret then
    logger.writeLog(moduleName, logger.LogLevel.ERROR, moduleName .. " initialization failed")
    return 0
end


-- Return the URL path without the query string
function getBaseUrl(http_uri)
    local questionMarkIndex = http_uri:find("?", 1, true)  -- plain find, not a Lua pattern
    if questionMarkIndex then
        return http_uri:sub(1, questionMarkIndex - 1)
    end
    return http_uri
end

function functionToBeExecuted (http_uri, gid)
    http_uri = string.lower(tostring(http_uri))
    local baseUrl = getBaseUrl(http_uri)
    -- Dedicated detection: match the base URL against the keyword list for this rule's gid
    if helper.mapExistKey(sensitiveFileFilterMap, gid) then
        if helper.mapExistKey(sensitive_file_keywords, sensitiveFileFilterMap[gid]) then
            for _, keyword in ipairs(sensitive_file_keywords[sensitiveFileFilterMap[gid]]) do
                if string.find(baseUrl, keyword, 1, true) then  -- plain find, avoid pattern matching
                    return 1
                end
            end
        end
    end
    -- "other": match against the whole URI, because system-sensitive files may be
    -- probed through assembled variables and then appear in the URL parameters
    for _, keyword in ipairs(sensitive_file_keywords["other"]) do
        if string.find(http_uri, keyword, 1, true) then
            return 1
        end
    end
    -- Suffix match: a path containing "download" is treated as an allowed business
    -- download directory and is never alerted on, so check it once before the loop
    if string.find(baseUrl, "download", 1, true) then  -- plain find, avoid pattern matching
        return 0
    end
    -- Alert when the suffix matches and the path is not a business download directory
    for _, keyword in ipairs(sensitive_file_keywords["blackSuffix"]) do
        if baseUrl:sub(-#keyword) == keyword then
            return 1
        end
    end
    return 0
end

function init (args)
    local needs = {}
    needs["http.uri"] = tostring(true)
    if #sensitive_file_keywords["other"] > 0 or #sensitive_file_keywords["blackSuffix"] > 0 then
        helper.printInitCheckModuleLog(moduleName)
    else
        logger.writeLog(moduleName, logger.LogLevel.ERROR, moduleName .. " initialization failed, sensitive_file_keywords is empty")
    end
    return needs
end

function match(args)
    local sid, rev, gid = SCRuleIds()
    local ret, result = xpcall(functionToBeExecuted, errorHandler, args["http.uri"], gid)
    if ret then
        return result
    end
    return 0
end

I have shown the code above; it uses args["http.uri"].

Are you able to reproduce this with a more up to date snapshot of the master branch or with 7.0.5? The mentioned git hash is about 6 months old.