From 6cd39c5cfb645e06b8b5fcdb3a951f4e5d9c400a Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 1 Jun 2019 07:45:42 -0700
Subject: [PATCH] userguide: Document app-layer anomaly items

This changeset expands the anomaly section to include newly added app-layer items.
---
 doc/userguide/output/eve/eve-json-format.rst | 88 ++++++++++++++++----
 1 file changed, 74 insertions(+), 14 deletions(-)

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index a20c22d853..9bff6d9416 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -112,38 +112,59 @@ the signature. Event type: Anomaly ------------------- -Events with type "anomaly" +Events with type "anomaly" report unexpected conditions such as truncated packets, packets +with invalid values, events that render the packet invalid for further processing or unexpected +behaviors. + +Networks which experience high occurrences of anomalies may experience packet processing degradation +when anomaly logging is enabled. Fields ------ -* "type": Either "packet" or "stream". In rare cases, type will be "unknown". - When this occurs, an additional field named "code" will be present. +* "type": Either "packet", "stream" or "applayer". In rare cases, type will be "unknown". + When this occurs, an additional field named "code" will be present. Events with type + "applayer" are detected by the application layer parsers. * "event" The name of the anomalous event. Events of type "packet" are prefixed with "decoder"; events of type "stream" are prefixed with "stream". -* "code" If "type" is "unknown", than "code" contains the unrecognized event code. +* "code" If "type" is "unknown", than "code" contains the unrecognized event code. Otherwise, + this field is not present. + +The following fields are included when "type" has the value "applayer": -When ```packethdr``` is enabled, the first 32 bytes of the packet are included as a byte64-encoded blob in the main part of -record. +* "layer" Indicates the handling layer that detected the event. This will be "proto_parser" + (protocol parser), "proto_detect" (protocol detection) or "parser." +* "event_no" This is an informational only field indicating the total number of events + detected and the ordinal number of the event being reported. It is presented as "N (of M)" + where "N" is the ordinal number of the event and "M" is the total number of events detected. + +When ``packethdr`` is enabled, the first 32 bytes of the packet are included as a byte64-encoded blob in the main part of +record. 
This applies to events of "type" "packet" or "stream" only. Examples -------- :: - "anomaly": { - "type": "packet", - "event": "decoder.icmpv4.unknown_type" - } - "anomaly": { "type": "packet", "event": "decoder.udp.pkt_too_small" } - "anomaly": { - "type": "packet", - "event": "decoder.ipv4.wrong_ip_version" + { + "timestamp": "2016-01-17T13:26:30.841742-0800", + "flow_id": 1848021463489450, + "pcap_cnt": 1393890, + "event_type": "anomaly", + "src_ip": "192.168.81.128", + "src_port": 50105, + "dest_ip": "31.148.99.125", + "dest_port": 80, + "proto": "TCP", + "anomaly": { + "type": "stream", + "event": "stream.reassembly_seq_gap" + } } { @@ -165,6 +186,45 @@ Examples } } + { + "timestamp": "2016-01-11T05:10:54.612110-0800", + "flow_id": 412547343494194, + "pcap_cnt": 1391293, + "event_type": "anomaly", + "src_ip": "192.168.122.149", + "src_port": 49324, + "dest_ip": "69.195.71.174", + "dest_port": 443, + "proto": "TCP", + "app_proto": "tls", + "anomaly": { + "type": "applayer", + "event": "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION", + "event_no": "1 (of 1)", + "layer": "proto_detect" + } + } + + { + "timestamp": "2016-01-11T05:10:52.828802-0800", + "flow_id": 201217772575257, + "pcap_cnt": 1391281, + "event_type": "anomaly", + "src_ip": "192.168.122.149", + "src_port": 49323, + "dest_ip": "69.195.71.174", + "dest_port": 443, + "proto": "TCP", + "tx_id": 0, + "app_proto": "tls", + "anomaly": { + "type": "applayer", + "event": "INVALID_RECORD_TYPE", + "event_no": "1 (of 3)", + "layer": "proto_parser" + } + } + Event type: HTTP ----------------