"Gluing" payloads in SecOnion

[spvcxsh1p]

I've encountered a problem with "gluing" SMB and HTTP packets in the network.data.decoded field in the Kibana interface.

I'm using SecurityOnion version 2.3.260. When checking the triggering of Suricata signatures, mainly on SMB and HTTP traffic, I am faced with the fact that the network.data.decoded field contains the Payload of not the packet on which the signature directly triggered, but the Payload of several adjacent packets at once, which makes analysis difficult and does not allow me to understand what the trigger was specifically for.

Here is a specific example:

[email protected][email protected]... ....;.....Up.9.......................................d...x...P.......t.e.s.t...l.o.c.a.l..P.o.l.i.c.i.e.s..{****}..U.s.e.r..P.r.e.f.e.r.e.n.c.e.s..S.c.h.e.d.u.l.e.d.T.a.s.k.s..S.c.h.e.d.u.l.e.d.T.a.s.k.s...x.m.l.8........... ...DH2Q......................P..u..........................MxAc....................QFid................4...RqLs....j9..?.r.. ^.,.P..................R..zr}[email protected][email protected]...$......1.P.............\|[email protected][email protected].!.9.......................................d...x...8.......t.e.s.t...l.o.c.a.l.\.P.o.l.i.c.i.e.s.\.{*****}.\.U.s.e.r.\.P.r.e.f.e.r.e.n.c.e.s.\.R.e.g.i.s.t.r.y.\.R.e.g.i.s.t.r.y...x.m.l.8........... ...DH2Q..................../.P..u..........................MxAc....................QFid................4...RqLs.....Bv.....(([email protected]....... [email protected].,.s..,U.c..Y.1.P..;[email protected]@...........8.......&..................4.T...r..U....#\..>l.9......................................... .x.......0...t.e.s.t...l.o.c.a.l.\.P.o.l.i.c.i.e.s.\.{******}.\.U.s.e.r.\.S.c.r.i.p.t.s.\.L.o.g.o.n.................MxAc....................QFid.......h.SMB@...........8.......'..................4.T...NS..l......t3..).."8...h.............../s..U...)[email protected].......([email protected]@...x)...+\|...9......................................... .x.L.....0...t.e.s.t...l.o.c.a.l.\.s.c.r.i.p.t.s.\._.S.c.r.i.p.t.s.\.t.e.s.t...p.s.1.....................MxAc....................QFid.......h.SMB@...........8.......)[email protected]..#..G..t.C.....N.).."8...h...............0s..U.......U......H.SMB@...................*[email protected]......................................... .x.L.........t.e.s.t...l.o.c.a.l.\.s.c.r.i.p.t.s.\._.S.c.r.i.p.t.s.\.t.e.s.t...p.s.1.....................MxAc.....SMB@...........<[email protected]..<*-.N.y...k.0\i.).."[email protected].......,[email protected]....$. ..e..P.).."8...h...............0s..U.......U......h.SMB@[email protected]...._.E....6O..=.f).."[email protected][email protected][@[email protected]......./................@...T..A........8F.............1s..U.......U......h.SMB@...........8.......0..................4.T.. @)][5,.......%.).."8...h.............../s..U...)[email protected][email protected].....(..&m w..9......................................... .x.L.........t.e.s.t...l.o.c.a.l.\.s.c.r.i.p.t.s.\._.S.c.r.i.p.t.s.\.t.e.s.t...p.s.1.....................MxAc.....SMB@...........<[email protected].<.....:nhm:...).."8...h..................................X.SMB@[email protected].[.8Y....s"[email protected][email protected]......\|.....IRK..89.......................................!...x.......\|...t.e.s.t...l.o.c.a.l.......................MxAc....................QFid................4...RqLs.....9...}..= \..eU.................q..~......K.Q.k........H.SMB@[email protected]......................................... .x.L.........t.e.s.t...l.o.c.a.l.\.s.c.r.i.p.t.s.\._.S.c.r.i.p.t.s.\.t.e.s.t...p.s.1.....................MxAc.....SMB@...........<[email protected]+7I-....a.).."8...h....................................SMB@[email protected].......=.!.%.....5s..U...!...U...`...............SMB@...........<[email protected]!.%.....5s..U

Here is the signature itself, the triggering of which has this network.data.decoded field:

alert tcp any any -> $HOME_NET 445 (msg:"TEST ET POLICY SMB2 NT Create AndX Request For a unknown Powershell .ps1 File (Policies)"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; content:"|00 5C 00|P|00|o|00|l|00|i|00|c|00|i|00|e|00|s|00 5C 00|"; nocase; sid:123456; rev:1;)

The signature detects references to .ps1 scripts in the "Policies" folder in SMB traffic.
In this example, there is obviously the payload of several packets at once (this can be seen from several "SMB@" at once).

If we move on to the analysis of the pcap file with this session, we can see that in this session, literally not a single packet had a payload containing both "Policies" and "ps1". (Screenshot 1)

Most often, a similar situation occurs (it is impossible to understand from network.data.decoded what exactly the signature triggered due to the "gluing" of payloads), but when analyzing pcap, a specific packet is found that matches the signature conditions.

Now is a similar example of "gluing" from HTTP traffic (screenshot 2).

Please advise:

1. For what reason does the payload of several packets at once (both in SMB and in HTTP) get into network.data.decoded and how can this be fixed?
2. For what reason does the signature from the first example trigger if there was literally not a single packet in the traffic that met its conditions?

[dougburks]

Hi @spvcxsh1p and welcome to Security Onion Discussions!

I'm using SecurityOnion version 2.3.260.

First, please note that 2.3.260 is over a year old:
https://blog.securityonion.net/2023/06/security-onion-23260-now-available.html

Also note that 2.3 as a whole is past End Of Life and no longer supported:
https://docs.securityonion.net/en/2.4/eol.html

Please migrate to Security Onion 2.4:
https://docs.securityonion.net/en/2.4/appendix.html

Now is a similar example of "gluing" from HTTP traffic (screenshot 2).

Is this perhaps an example of HTTP pipelining?
https://en.wikipedia.org/wiki/HTTP_pipelining

For what reason does the payload of several packets at once (both in SMB and in HTTP) get into network.data.decoded and how can this be fixed?

The network.data.decoded field is simply Suricata's native payload_printable field renamed to network.data.decoded for ECS compliance:
https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/elasticsearch/files/ingest/suricata.alert#L11

You can read more about Suricata's payload_printable field here:
https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#alerts

For what reason does the signature from the first example trigger if there was literally not a single packet in the traffic that met its conditions?

At a quick glance, I do see Policies:

P.o.l.i.c.i.e.s

and ps1:

l.o.c.a.l.\.s.c.r.i.p.t.s.\._.S.c.r.i.p.t.s.\.t.e.s.t...p.s.1

[spvcxsh1p]

Hello! Thanks for your response, but the problem is slightly different.
I may not have expressed it clearly in my question, but I have already managed to solve part of the problem.

The question probably relates more to the Suricata module, and I shouldn't have referred to the SecOnion documentation.
I assumed that Suricata analyzes each packet individually, however, in addition to checking the payload of each packet individually, Suricata also performs "stream" traffic analysis.
In my example with SMB, I embedded the logic of checking the payload of each packet individually in the rule, because the Create Request in SMB packets is usually small and fits in the payload of a single TCP packet.
However, since within the session there were requests to both xml files from Policies and to ps1 scripts - Suricata's stream analysis triggers on this stream, displaying a "glued" view of several payloads from different packets.

If your rule, in its logic, implies the analysis of the payload of only individual packets, and not the stream, then you need to specify:
flow:to_server,established,no_stream;
After adding no_stream, this rule starts triggering only on individual packet payloads, ignoring streams.

I think this information will be useful to someone, as it was for me, so I'll leave it here!