Forensic mode for full logging

I’ve been working on a forensic mode for Suricata. This is a set of options that can be used to analyze data (mostly pcap files as it is really verbose) and get as much data as possible.

The first one adds an option to log all HTTP headers in alerts. As the alert is sometimes on specific header values, getting the full HTTP headers view in the alert will help the analyst understand the events.

The second feature adds HTTP body logging in HTTP events. This can be useful for forensic usage of Suricata.

The third feature adds stream data or payload logging to all NSM events. It aims at providing complete data for forensic study or for signature writers.

The output for an HTTP event looks like:

```json
  "stream": {
    "server": {
      "payload": "…",
      "payload_printable": "HTTP/1.1 200 OK\r\nDate: Wed, 22 Mar 2017 09:11:22 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nContent-Length: 244\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<br />\n<b>Notice</b>:  Undefined index: vs in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>11</b><br />\n<br />\n<b>Notice</b>:  Undefined variable: successOUdanger in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>47</b><br />\n"
    },
    "client": {
      "payload": "cGx1Z2luPVNlbStQbHVnaW4md2luZG93cz1XaW5kb3dzKzcrRW50ZXJwcmlzZSZ1c2VyPUFQSUFSWTctUEMmYXY9Tm8rQW50aXZpcnVzJmJzPU1pY3Jvc29mdCtFZGdl",
      "payload_printable": "plugin=Sem+Plugin&windows=Windows+7+Enterprise&user=APIARY7-PC&av=No+Antivirus&bs=Microsoft+Edge"
    }
  },
  "http": {
    "hostname": "contador.visitante-group-new.cf",
    "http_port": 8080,
    "url": "/Tony_Stark2/post.php",
    "http_user_agent": "Mozilla/3.0 (compatible; Indy Library)",
    "http_content_type": "text/html",
    "http_method": "POST",
    "protocol": "HTTP/1.0",
    "status": 200,
    "length": 244,
    "request_body": "cGx1Z2luPVNlbStQbHVnaW4md2luZG93cz1XaW5kb3dzKzcrRW50ZXJwcmlzZSZ1c2VyPUFQSUFSWTctUEMmYXY9Tm8rQW50aXZpcnVzJmJzPU1pY3Jvc29mdCtFZGdl",
    "response_body": "PGJyIC8+CjxiPk5vdGljZTwvYj46ICBVbmRlZmluZWQgaW5kZXg6IHZzIGluIDxiPkM6XHhhbXBwXGh0ZG9jc1xUb255X1N0YXJrMlxwb3N0LnBocDwvYj4gb24gbGluZSA8Yj4xMTwvYj48YnIgLz4KPGJyIC8+CjxiPk5vdGljZTwvYj46ICBVbmRlZmluZWQgdmFyaWFibGU6IHN1Y2Nlc3NPVWRhbmdlciBpbiA8Yj5DOlx4YW1wcFxodGRvY3NcVG9ueV9TdGFyazJccG9zdC5waHA8L2I+IG9uIGxpbmUgPGI+NDc8L2I+PGJyIC8+Cg==",
    "request_body_printable": "plugin=Sem+Plugin&windows=Windows+7+Enterprise&user=APIARY7-PC&av=No+Antivirus&bs=Microsoft+Edge",
    "response_body_printable": "<br />\n<b>Notice</b>:  Undefined index: vs in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>11</b><br />\n<br />\n<b>Notice</b>:  Undefined variable: successOUdanger in <b>C:\\xampp\\htdocs\\Tony_Stark2\\post.php</b> on line <b>47</b><br />\n"
  }
}
```

For a protocol without a stream, like DNS, we have:

```json
{
  "timestamp": "2016-10-15T08:58:37.457573+0200",
  "flow_id": 1166971934473061,
  "pcap_cnt": 4103,
  "event_type": "dns",
  "proto": "UDP",
  "payload": "Fw8BAAABAAAAAAAAA3d3dwVkaXZhcgJpcgAAAQAB",
  "payload_printable": ".............www.divar.ir.....",
  "dns": {
    "type": "query",
    "id": 5903,
    "rrname": "www.divar.ir",
    "rrtype": "A",
    "tx_id": 0
  }
}
```

The pull request is here: RFC: Forensic mode v1.2 by regit (OISF/suricata pull request #4543 on GitHub)

Feel free to comment and add suggestions.

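As an added example (not code from this post or from the Suricata project), a small Python consumer for forensic-mode EVE lines in the shape shown above: it locates every base64 payload slot (flat `payload`, `stream.client`/`stream.server` payloads, HTTP request and response bodies), decodes them, cross-checks each lossy `*_printable` sibling against the decoded bytes, and for DNS compares the transaction id in the raw message with `dns.id`. The printable rendering rule (printable ASCII plus CR/LF kept, other bytes shown as `.`) and the shortened HTTP sample line are assumptions.

```python
import base64
import json

# Constructed EVE input in the shape shown above: the DNS line reuses the post's payload, the HTTP line is a shortened stand-in.
SAMPLE_EVE = """\
{"event_type": "dns", "proto": "UDP", "payload": "Fw8BAAABAAAAAAAAA3d3dwVkaXZhcgJpcgAAAQAB", "payload_printable": ".............www.divar.ir.....", "dns": {"type": "query", "id": 5903, "rrname": "www.divar.ir"}}
{"event_type": "http", "proto": "TCP", "http": {"url": "/Tony_Stark2/post.php", "http_method": "POST", "request_body": "cGx1Z2luPVNlbStQbHVnaW4md2luZG93cz1XaW5kb3dzKzcrRW50ZXJwcmlzZSZ1c2VyPUFQSUFSWTctUEMmYXY9Tm8rQW50aXZpcnVzJmJzPU1pY3Jvc29mdCtFZGdl", "request_body_printable": "plugin=Sem+Plugin&windows=Windows+7+Enterprise&user=APIARY7-PC&av=No+Antivirus&bs=Microsoft+Edge"}}
"""

def to_printable(data: bytes) -> str:
    # Assumed *_printable rule: printable ASCII plus CR/LF kept, every other byte becomes '.'.
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in (0x0A, 0x0D) else "." for b in data)

def payload_slots(record: dict):
    # Yield (label, container, key) for each base64 slot: flat 'payload' (stream-less
    # protocols such as DNS), 'stream.<side>.payload', and the HTTP request/response bodies.
    if "payload" in record:
        yield "payload", record, "payload"
    for side in ("client", "server"):
        sub = record.get("stream", {}).get(side, {})
        if "payload" in sub:
            yield f"stream.{side}.payload", sub, "payload"
    http = record.get("http", {})
    for key in ("request_body", "response_body"):
        if key in http:
            yield f"http.{key}", http, key

def decode_payloads(record: dict) -> dict:
    # {label: raw bytes}; validate=True rejects anything that is not well-formed base64.
    return {lbl: base64.b64decode(c[k], validate=True) for lbl, c, k in payload_slots(record)}

def printable_mismatches(record: dict) -> list:
    # Labels whose *_printable sibling disagrees with the decoded bytes; trust the base64 copy.
    return [lbl for lbl, c, k in payload_slots(record) if k + "_printable" in c
            and to_printable(base64.b64decode(c[k])) != c[k + "_printable"]]

def dns_txid(raw: bytes) -> int:
    # First 16 bits of a raw DNS message; should equal the record's dns.id.
    return int.from_bytes(raw[:2], "big")

def summarise(eve_text: str) -> list:
    # One dict per EVE line: decoded payload sizes plus the consistency checks above.
    rows = []
    for rec in map(json.loads, filter(str.strip, eve_text.splitlines())):
        payloads = decode_payloads(rec)
        rows.append({"event_type": rec["event_type"], "mismatches": printable_mismatches(rec),
                     "sizes": {k: len(v) for k, v in payloads.items()},
                     "txid_ok": dns_txid(payloads["payload"]) == rec["dns"]["id"]
                     if rec.get("dns") and "payload" in payloads else None})
    return rows
```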

When cloning your pull request, are there any flags I need to specifically set when running ./configure to make sure forensics mode is enabled? Or is it toggled within the yaml config?

There are runtime configuration options for forensic mode (see doc/userguide/output/eve/eve-json-format.rst) but no configure options.

Updated pull request on top of JSON with rust code: https://github.com/OISF/suricata/pull/5016