[Oisf-users] Query about suri and ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript - 2015708

Sun Oct 19 22:24:13 UTC 2014

Hi

I am running suricata and getting hits on this rule.  Suri logs a bunch of packets for each ‘alert’:

SID	CID		Timestamp		Signature		IP Src		IP Dst		Proto	Length
2	16881814	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881815	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881816	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881817	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881818	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881819	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881820	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881821	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881822	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881823	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881824	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881825	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881826	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881827	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881828	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881829	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881830	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881831	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881832	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	813	

Which appears to be a whole download.  First packet contains:

HTTP/1.1 200 OK
Date: Sat, 18 Oct 2014 22:32:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-CFHash: "c64b89f1083c053b95b24aef823a08ad"
Last-Modified: Wed, 07 Dec 2011 10:04:16 GMT
X-CF3: H
X-CF2: H
Server: CFS 0623
X-CF1: 11696:fA.syd1:cf:cacheA.syd1-v:H
Content-Encoding: gzip

<binary data>

subsequent packets contain binary data.

I conclude that suri is decoding the gzipped file and finding offending string then flushing all the packets to the unified file.

Is this right?  If so with a little bit of work I could extract the file from the database.

What is confusing me is that other captures are all binary and don’t start with the headers.  What is going on here?

Russell