NSX IDS IPS Log Lines having inconsistent spacing
Article ID: 424961

Products

  • VMware vDefend Firewall with Advanced Threat Prevention
  • VMware vDefend Firewall
  • VMware vDefend Network Detection and Response

Issue/Introduction

  • IDS logging shows inconsistent spacing within log lines.
  • The inconsistencies increase under heavier IDS workload.
  • The same inconsistencies were observed in Aria syslog.
  • IDS event logs are located in /scratch/log/nsx-idps/nsx-idps-events.log.


Example snippet from the log; note that the space has been removed from "(Initial Access)":
Normal =    [NSX - (Initial Access) Detect CVE-2017-3066 exploitation attempts",]
Incorrect = [NSX - (InitialAccess) Detect CVE-2017-3066 exploitation attempts",]

Example of a full log string (timestamps, dates, and signature will differ):
IDPS-EVT: [2107200]: {"timestamp":"####-##-##T02:45:39.446052+0000","flow_id":97710859689##522,"pcap_cnt":9606838265,"event_type":"alert","src_ip":"##.##.##.##","src_port":####,"dest_ip":"##.##.##.##","dest_port":####,"proto":"TCP","direction":"to_server","metadata":{"flowbits":["LL.priority_fb"],"flowints":{"client.idx":1}},"nsx_metadata":{"flow_src_ip":"##.##.##.##","flow_dest_ip":"##.##.##.##","flow_dir":1,"rule_id":0002,"profile_id":"######-####-####-####-##########","user_id":0,"vm_uuid":"######-####-####"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1141169,"rev":####,"signature":"NSX - (InitialAccess) Detect CVE-2017-3066 exploitation attempts","category":"Attempted User PrivilegeGain","severity":2,"source":{"ip":"##.##.##.##","port":#####},"target":{"ip":"##.##.##.##","port":####},"metadata":{"signature_severity":["High"],"impact":["52"],"confidence":["70"],"severity":["75"],"mitre_technique_id":["T1190"],"mitre_tactic_id":["TA0001"],"cvssv3":["9.8"],"attack_target":["Web_Servers"],"flip_endpoints":["False"]}},"http":{"hostname":"##.##.##.##","http_port":####,"url":"\/flex2gateway\/amf","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko\/20100101 Firefox\/56.0","http_method":"POST","protocol":"HTTP\/1.1","length":0,"direction":"upload"},"app_proto":"http","flow"


  • The missing space does not always fall within "(Initial Access)" as in the snippet above.
  • It can affect any IDS event log string, removing a space between any two portions of the line.
  • More examples of IDS event logs with a space removed:

WEB_SERVER Possible Apache Struts OGNL in Dynamic Action
WEB_SERVER Possible Apache StrutsOGNL in Dynamic Action <--------Incorrect Spacing

EXPLOIT Jira Server\/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M2
EXPLOIT Jira Server\/Data Center 8.4.0Remote File Read Attempt (CVE-2021-26086) M2 <--------Incorrect Spacing

Environment

NSX 4.2.X

Cause

Multiple events can arrive within a single message. If the last event does not fit entirely in the buffer, it is split, with the remaining portion delivered in the next message. The event logger concatenates the partial event with its second half before writing to the log file, but it trims leading and trailing whitespace from each message first, so a space that falls exactly at the split point is lost, causing the inconsistent spacing.
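The cause described above, modelled as an added Python illustration (this is not NSX code): a constructed event is split at a buffer boundary, reassembled both the trimmed way and the raw way, and the resulting signature string compared. The sample event, the buffer sizes, and the newline-delimited JSON framing are assumptions made for the illustration.

```python
import json

# Constructed sample event modelled on the log string in this article;
# the values are placeholders, not data from a real deployment.
EVENT = {
    "timestamp": "2024-01-01T02:45:39.446052+0000",
    "event_type": "alert",
    "alert": {
        "signature_id": 1141169,
        "signature": "NSX - (Initial Access) Detect CVE-2017-3066 exploitation attempts",
        "category": "Attempted User Privilege Gain",
    },
}
# Assumed on-the-wire form: one newline-delimited JSON record per event.
WIRE = json.dumps(EVENT, separators=(",", ":")) + "\n"


def split_message(stream: str, size: int) -> list[str]:
    """Model the buffer: the first `size` bytes go out in one message,
    the remainder of the event is delivered in the next message."""
    return [stream[:size], stream[size:]]


def reassemble_buggy(parts: list[str]) -> str:
    """Behaviour described in the Cause section: every message is trimmed of
    leading and trailing whitespace before the halves are concatenated."""
    return "".join(p.strip() for p in parts)


def reassemble_fixed(parts: list[str]) -> str:
    """One correct approach (assumed, not necessarily how 4.2.3.3 fixes it):
    concatenate the raw parts so whitespace at the seam survives, and trim
    only the fully reassembled event."""
    return "".join(parts).strip()


def signature_after(reassemble, size: int) -> str:
    """Split WIRE at `size`, reassemble with the given strategy and return
    the signature field of the parsed event."""
    line = reassemble(split_message(WIRE, size))
    return json.loads(line)["alert"]["signature"]


def seam_on_space() -> int:
    """Buffer size whose boundary lands right after the space in '(Initial Access)'."""
    return WIRE.index("(Initial ") + len("(Initial ")


def seam_inside_word() -> int:
    """Buffer size whose boundary lands inside 'Initial'; nothing is lost here,
    which is why the symptom is intermittent."""
    return WIRE.index("(Initial ") + 3
```

The JSON still parses in every case, so the corruption is invisible to a syntax check and shows up only as a changed signature string.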

Resolution

This issue is corrected in the NSX 4.2.3.3 release.
There is no workaround at this time; upgrading to 4.2.3.3 or later is recommended.