[Oisf-devel] filestore + pcap?

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Jun 20 11:27:11 UTC 2012


I'm trying to track down the mechanism in "/1.class" which I've seen in
some Blackhole exploit kit landing pages recently and I think is
probably an exploit for Java 1.6.0_31.

I've got a Suricata rule with "filestore" to watch for the IP addresses
I've seen the exploit on.

Alas, it seems to be using cookies and possibly other tricks (e.g. a
recent "Scalaxy" Java exploit I saw needed HTTP no-keepalive set in
order to download the payload), which aren't captured in the HTTP log or
.meta files.

I can't run tcpdump alongside as it's using PF_RING + DNA which can only
allow one application to see the packets (todo: play with PF_RING's
libzero to serve the same packets to two applications).

Suricata's existing pcap logging logs everything, I think, which I doubt
we could do at the rate we're receiving packets.

Is it possible to get Suricata's filestore mechanism to save a pcap as
well (i.e. pcap saved only when matching particular rules)?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
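An added example, not part of the original message and not the Suricata project's own configuration: a suricata.yaml fragment that pairs a filestore rule with session-scoped pcap logging, so the pcap is written only for flows a rule has tagged rather than for every packet. It assumes Suricata 6.0 or later, where the pcap-log output gained the "conditional" setting (no such option existed at the time of the message), and the address group $EK_SERVERS, its two RFC 5737 documentation addresses, the rule file name ek-filestore.rules and the rule's sid are hypothetical placeholders for the IPs and rules the poster was using.

```yaml
# Added example (not from the original post or the Suricata project).
# Assumes Suricata >= 6.0 for pcap-log "conditional" and the http.uri /
# endswith rule syntax. Names marked hypothetical are placeholders.
#
# ek-filestore.rules (hypothetical rule file, contents shown as a comment):
#   alert http $HOME_NET any -> $EK_SERVERS any (msg:"EK landing page requests /1.class"; \
#     flow:established,to_server; http.uri; content:"/1.class"; endswith; \
#     filestore:response,tx; tag:session,120,seconds; \
#     classtype:trojan-activity; sid:9000001; rev:1;)
#
# filestore:response,tx stores the server's reply for the transaction that
# matched on the request; tag:session keeps the whole flow flagged for a
# further 120 seconds after the match so later packets of it are logged too.

vars:
  address-groups:
    # Hypothetical list standing in for the landing-page IPs seen in the wild
    EK_SERVERS: "[192.0.2.10,198.51.100.7]"

default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - ek-filestore.rules   # hypothetical, holds the rule quoted above

outputs:
  # Stored files land under dir/, one fileinfo.json beside each file
  - file-store:
      version: 2
      enabled: yes
      dir: filestore
      write-fileinfo: yes

  # Log all request and response headers (cookies included) for each HTTP tx
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - http:
            extended: yes
            dump-all-headers: both

  # Write packets only for flows a rule has tagged, not the full feed.
  # "conditional" accepts all | alerts | tag.
  - pcap-log:
      enabled: yes
      filename: tagged.pcap
      limit: 100mb
      max-files: 50
      mode: normal
      conditional: tag
```

Validate the configuration with "suricata -T -c suricata.yaml" before putting it on the live interface. Note that tag:session only covers the flow that matched; if the follow-up payload is fetched over a separate connection, as the poster describes for the no-keepalive case, use tag:host,120,seconds,dst instead so that every flow to the tagged server address is logged for the next 120 seconds.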
