Some log events have empty payload and payload_printable

Some of our eve log events have empty payload and payload_printable fields. One example of a rule where we sometimes see this issue is 2011465 - “ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt”.

Most of the time payload and payload_printable have data, so I am led to believe there is something about the traffic causing this behavior. Since we are getting alerts on this rule even though payload data is missing, it seems Suricata is able to determine that the packet contains the content “/bin/sh”. Note too that the rule protocol is HTTP, so it seems the traffic is also being identified as HTTP. Yet the payload does not get written to the logs.

Every log event I have found with these empty fields also has a packet_info.linktype value of 12, which I believe stands for raw IP.

I do not have a packet capture, but our Zeek sensors get the same data so we have some info about the connection. I looked at three connections there with missing payload and the history is “ShADFT” (reference to translate letters at base/protocols/conn/main.zeek — Book of Zeek (git/master) under “history:”) which indicates that the originator (capital letters) is sending data and a FIN but the responder is not acknowledging. The conn_state in these cases is S2, which means “Connection established and close attempt by originator seen (but no reply from responder)”.

We are currently running Suricata 6.0.2.
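A small triage script for the situation described above, added here as an example and not part of the original post: it scans eve.json lines (constructed sample lines are embedded; the IPs and the base64 payload are made up) for alerts whose payload and payload_printable are both empty, tallies them by signature id and packet_info.linktype so the linktype 12 pattern can be checked across a whole log, and splits a Zeek conn history string such as "ShADFT" into originator and responder events.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the original post): two alerts on
# sid 2011465, one with payload data (linktype 1) and one with both payload
# fields empty (linktype 12), plus a non-alert event that must be ignored.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":2011465,"signature":"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"},"payload":"R0VUIC9iaW4vc2ggSFRUUC8xLjANCg==","payload_printable":"GET /bin/sh HTTP/1.0\\r\\n","packet_info":{"linktype":1}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":2011465,"signature":"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"},"payload":"","payload_printable":"","packet_info":{"linktype":12}}
{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP"}
"""


def empty_payload_alerts(eve_text):
    """Return alert events whose payload and payload_printable are both empty or absent."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json may end with a partially written line
        if ev.get("event_type") != "alert":
            continue
        if ev.get("payload") or ev.get("payload_printable"):
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Count empty-payload alerts by (signature_id, linktype) to expose a linktype pattern."""
    return Counter(
        (ev.get("alert", {}).get("signature_id"), ev.get("packet_info", {}).get("linktype"))
        for ev in hits
    )


def zeek_history_sides(history):
    """Split a Zeek conn history string: upper-case letters are originator events,
    lower-case letters are responder events (e.g. "ShADFT" -> responder only 'h')."""
    return {
        "originator": [c for c in history if c.isupper()],
        "responder": [c for c in history if c.islower()],
    }
```

Point the script at a real eve.json with `empty_payload_alerts(open("eve.json").read())` and feed the result to `summarize`; a count concentrated on one linktype supports the capture-side explanation rather than a rule problem.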

You said that you don’t have a packet capture, but do you see any chance to generate one? With an example pcap it’s much easier to debug.

But yes, problematic traffic can be the reason for missing data.