
Negative Integer Bug #13425

Closed
ozinfotech opened this issue May 11, 2022 · 4 comments

Comments

@ozinfotech

ozinfotech commented May 11, 2022

| Wazuh version | Component | Action type |
|---------------|-----------|-------------|
| 4.3.0         | Decoders  | Error       |

Description

I am running a logtest (/var/ossec/bin/wazuh-logtest) to verify that json is imported properly. One of the json pairs has a large negative integer that doesn't keep its original value after decoding. It goes through pre-decoding fine.

I've tried with three different tests of the value:

  • -9223372036854775806
  • -9223372036854775807
  • -9223372036854775776

All three return the following value (which is also -2^63):

  • -9223372036854775808.000000

Service/Product/Module

wazuh-logtest

Errors/Improvements

Current results

{ "Id": 256, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775807, "RecordId": 8, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209503805)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "QUERY_RECEIVED: TCP=0; InterfaceIP=192.168.74.22; Source=192.168.74.11; RD=1; QNAME=chat.google.com.; QTYPE=1; XID=58802; Port=57475; Flags=256; AdditionalInfo = VirtualizationInstanceOptionValue: 178; GUID=1" }

**Phase 1: Completed pre-decoding.
        full event: '{ "Id": 256, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775807, "RecordId": 8, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209503805)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "QUERY_RECEIVED: TCP=0; InterfaceIP=192.168.74.22; Source=192.168.74.11; RD=1; QNAME=chat.google.com.; QTYPE=1; XID=58802; Port=57475; Flags=256; AdditionalInfo = VirtualizationInstanceOptionValue: 178; GUID=1" }'

**Phase 2: Completed decoding.
        name: 'json'
        ActivityId: 'null'
        ContainerLog: 'C:\Windows\TEMP\Microsoft-Windows-DNSServerJnalytical-PID5148.etl'
        Id: '256'
        Keywords: '-9223372036854775808.000000'
        KeywordsDisplayNames: '[]'
        Level: '4'
        LevelDisplayName: 'Information'
        LogName: 'null'
        MachineName: 'machine.domain.local'
        MatchedQueryIds: '[]'
        Message: 'QUERY_RECEIVED: TCP=0; InterfaceIP=192.168.74.22; Source=192.168.74.11; RD=1; QNAME=chat.google.com.; QTYPE=1; XID=58802; Port=57475; Flags=256; AdditionalInfo = VirtualizationInstanceOptionValue: 178; GUID=1'
        Opcode: '0'
        OpcodeDisplayName: 'Info'
        ProcessId: '2684'
        Properties: '['System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty', 'System.Diagnostics.Eventing.Reader.EventProperty']'
        ProviderId: 'eb79061a-a566-4698-9119-3ed2807060e7'
        ProviderName: 'Microsoft-Windows-DNSServer'
        Qualifiers: 'null'
        RecordId: '8'
        RelatedActivityId: 'null'
        Task: '1'
        TaskDisplayName: 'LOOK_UP'
        ThreadId: '5056'
        TimeCreated: '/Date(1652209503805)/'
        UserId.AccountDomainSid: 'null'
        UserId.BinaryLength: '12'
        UserId.Value: 'S-1-5-18'
        Version: '0'

Expected results

Keywords: '-9223372036854775807'

Resources

Log source / integration

These are DNS logs from a Windows DNS server, saved in json format.

Log reference

This is a different log, but same format. The other was purged during maintenance.

Log examples

These have all been converted to one line to paste into wazuh-logtest.

{ "Id": 256, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775807, "RecordId": 8, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209503805)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "QUERY_RECEIVED: TCP=0; InterfaceIP=192.168.74.22; Source=192.168.74.11; RD=1; QNAME=chat.google.com.; QTYPE=1; XID=58802; Port=57475; Flags=256; AdditionalInfo = VirtualizationInstanceOptionValue: 178; GUID=1" }
{ "Id": 257, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775806, "RecordId": 9, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209503805)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "RESPONSE_SUCCESS: TCP=0; InterfaceIP=192.168.74.22; Destination=192.168.74.11; AA=0; AD=0; QNAME=chat.google.com.; QTYPE=1; XID=58802; DNSSEC=0; RCODE=0; Port=57475; Flags=33152; Scope=Default; Zone=..Cache; PolicyName=NULL; AdditionalInfo= 178; GUID=129" }
{ "Id": 256, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775807, "RecordId": 10, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209505083)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "QUERY_RECEIVED: TCP=0; InterfaceIP=192.168.74.22; Source=192.168.74.48; RD=1; QNAME=ctldl.windowsupdate.com.; QTYPE=1; XID=16453; Port=60643; Flags=256; AdditionalInfo = VirtualizationInstanceOptionValue: 69; GUID=1" }
{ "Id": 261, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 2, "Opcode": 0, "Keywords": -9223372036854775776, "RecordId": 13, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209505147)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "RECURSE_QUERY", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "RECURSE_RESPONSE_IN: TCP=0; Source=192.168.74.1; InterfaceIP=0.0.0.0; AA=0; AD=0; QNAME=wu-bg-shim.trafficmanager.net.; QTYPE=1; XID=28941; RemoteQueriesSent=1; Port=0; Flags=33152; RecursionScope=.; CacheScope=Default; AdditionalInfo = VirtualizationInstance: 13; GUID=129" }
{ "Id": 257, "Version": 0, "Qualifiers": null, "Level": 4, "Task": 1, "Opcode": 0, "Keywords": -9223372036854775806, "RecordId": 15, "ProviderName": "Microsoft-Windows-DNSServer", "ProviderId": "eb79061a-a566-4698-9119-3ed2807060e7", "LogName": null, "ProcessId": 2684, "ThreadId": 5056, "MachineName": "machine.domain.local", "UserId": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-5-18" }, "TimeCreated": "\/Date(1652209505148)\/", "ActivityId": null, "RelatedActivityId": null, "ContainerLog": "C:\\Windows\\TEMP\\Microsoft-Windows-DNSServerJnalytical-PID5148.etl", "MatchedQueryIds": [ ], "Bookmark": { }, "LevelDisplayName": "Information", "OpcodeDisplayName": "Info", "TaskDisplayName": "LOOK_UP", "KeywordsDisplayNames": [ ], "Properties": [ "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty", "System.Diagnostics.Eventing.Reader.EventProperty" ], "Message": "RESPONSE_SUCCESS: TCP=0; InterfaceIP=192.168.74.22; Destination=192.168.74.48; AA=0; AD=0; QNAME=ctldl.windowsupdate.com.; QTYPE=1; XID=16453; DNSSEC=0; RCODE=0; Port=60643; Flags=33152; Scope=Default; Zone=..Cache; PolicyName=NULL; AdditionalInfo= 69; GUID=129" }

Threats and compliance

N/A

@ozinfotech
Author

I'm not sure how to change the label. Sorry about that.

@Dwordcito
Member

Hi @ozinfotech, I hope you are well! It's good that you wrote to us here!

Based on the library we use to manage JSON (cJSON), the maximum level of precision is 53 bits; this is due to backward compatibility.

As for the .000000, this is because any number greater than 2^31 will be interpreted as a double, so the sample will be an IEEE float.

DaveGamble/cJSON#151
DaveGamble/cJSON#14

Is there a possibility that this number comes as a string?
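An added illustration, not code from this thread, from cJSON or from Wazuh: it parses the three Keywords values from the report the way a double-only number path does (strtod), beside a strict strtoll parse, and flags any int64 that does not survive a round trip through a 53-bit mantissa. It also checks the 2^53 boundary mentioned above, so the same check applies to any JSON integer a decoder might widen to double. Function names are mine.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What a double-only JSON number path does with the token. */
double parse_as_double(const char *tok)
{
    return strtod(tok, NULL);
}

/* Strict 64-bit parse: 0 on success, -1 on overflow, trailing garbage or empty input. */
int parse_as_int64(const char *tok, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(tok, &end, 10);
    if (errno == ERANGE || end == tok || *end != '\0')
        return -1;
    *out = (int64_t)v;
    return 0;
}

/* 1 if v survives int64 -> double -> int64 unchanged (double has a 53-bit mantissa). */
int exact_in_double(int64_t v)
{
    double d = (double)v;
    /* Values near INT64_MAX round up to 2^63, which is outside int64; casting back is UB. */
    if (d >= 9223372036854775808.0)
        return 0;
    return (int64_t)d == v;
}

/* 1 = decoder would silently change the value, 0 = value is safe, -1 = not an int64 token. */
int loses_precision(const char *tok)
{
    int64_t v;
    if (parse_as_int64(tok, &v) != 0)
        return -1;
    return exact_in_double(v) ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: the three Keywords values from the issue plus 2^53 and 2^53+1. */
    const char *samples[] = { "-9223372036854775806", "-9223372036854775807",
                              "-9223372036854775776", "9007199254740992", "9007199254740993" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-21s strtod=%.6f lossy=%d\n", samples[i],
               parse_as_double(samples[i]), loses_precision(samples[i]));
    return 0;
}
```

All three reported values print as -9223372036854775808.000000 because doubles between 2^62 and 2^63 are spaced 1024 apart, so anything within 512 of -2^63 collapses onto it.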

@ozinfotech
Author

I've tried to convert it to a string from the hashtable in PowerShell, but it is beyond my capabilities at the moment. I'll keep working on it. What you mentioned makes sense.

@ozinfotech
Author

Got it switched to a string. Thanks again!
