<div>Hi Francesco,</div>
<div>What are your file-data rules like for this particular case?</div>
<div> </div>
<div>thanks<br><br></div>
<div class="gmail_quote">On Fri, Apr 13, 2012 at 1:18 PM, Travel Factory S.r.l. <span dir="ltr"><<a href="mailto:mc8647@mclink.it">mc8647@mclink.it</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><br>It drove me crazy that several identical .exe downloaded from the web<br>had different MD5s, also "not-human" downloads like the automatic<br>
update checks of the software.<br><br><br>Please have a look at this:<br><br># cat file.1237.meta<br>TIME:              04/06/2012-11:53:29.220774<br>SRC IP:            <proxy - ip ><br>DST IP:            <client - ip ><br>
PROTO:             6<br>SRC PORT:          8080<br>DST PORT:          1697<br>HTTP URI:<br>        <a href="http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe" target="_blank">http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe</a><br>
HTTP HOST:         <a href="http://cache.pack.google.com/" target="_blank">cache.pack.google.com</a><br>HTTP REFERER:      <unknown><br>FILENAME:<br>        /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe<br>
MAGIC:             HTML document text<br>STATE:             CLOSED<br>SIZE:              333<br>root@a01:/var/log/suricata/201204131244/files# cat file.1238.meta<br>TIME:              04/06/2012-11:53:29.220774<br>SRC IP:            < proxy - ip ><br>
DST IP:            < client - ip ><br>PROTO:             6<br>SRC PORT:          8080<br>DST PORT:          1697<br>HTTP URI:<br>        <a href="http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes" target="_blank">http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes</a><br>
HTTP HOST:<br>       <a href="http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/" target="_blank">o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com</a><br>HTTP REFERER:      <unknown><br>FILENAME:<br>
        /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe<br>MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386 32-bit<br>STATE:             CLOSED<br>SIZE:              26259<br><br><br><br>
So it seems a client asks for an update and gets a 333-byte HTML<br>answer and then gets the same file from another server and receives<br>26259 bytes of a PE32 executable.<br><br>The 333-byte HTML file is actually a 302 HTTP redirect... why does it get<br>
dumped?<br><br>The second file is actually a PE32 file, but it is truncated. Of about<br>15 logged downloads, only 3 dumps were complete.<br>Do you have similar results?<br><br>Francesco<br>_______________________________________________<br>
Oisf-users mailing list<br><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>
<div>Regards,</div>
<div>Peter Manev</div><br>
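<div>Added example (not code from the thread or from the Suricata project): a small Python script that parses the file.N.meta records quoted above, and checks an extracted dump against its own PE section table so that a redirect body, a complete executable, and a truncated executable can be told apart, which is what makes the "identical" downloads hash differently. The two meta records are reproduced as constructed input with the poster's placeholders kept; the PE bytes are a constructed minimal image, not the 26259-byte dump from the thread, and the function names are my own.</div>

```python
import hashlib
import re
import struct

# Constructed input: the two file.N.meta records quoted in the thread, with
# the poster's <proxy - ip> / <client - ip> placeholders left in place.
# Values sit either on the key line or indented on the next line.
META_1237 = """\
TIME:              04/06/2012-11:53:29.220774
SRC IP:            <proxy - ip >
HTTP URI:
        http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
HTTP HOST:         cache.pack.google.com
FILENAME:
        /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC:             HTML document text
STATE:             CLOSED
SIZE:              333
"""
META_1238 = """\
HTTP URI:
        http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
HTTP HOST:
        o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
FILENAME:
        /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386 32-bit
STATE:             CLOSED
SIZE:              26259
"""

KEY_RE = re.compile(r"^([A-Z][A-Z ]*?):\s*(.*)$")


def parse_meta(text):
    """Turn one file.N.meta record into a dict of field -> value."""
    fields, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if m:
            key, value = m.group(1), m.group(2).strip()
            # Long values (URI, HOST, FILENAME) are written on the next, indented line.
            if not value and i + 1 < len(lines) and lines[i + 1].startswith(" "):
                i += 1
                value = lines[i].strip()
            fields[key] = value
        i += 1
    return fields


def pe_expected_size(data):
    """File size implied by the PE section table (end of the last section's raw
    data), or None if the buffer is not a PE image or is cut off inside the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    expected = table + 40 * num_sections
    for i in range(num_sections):
        off = table + 40 * i
        if len(data) < off + 40:
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        expected = max(expected, raw_ptr + raw_size)
    return expected


def check_dump(meta_text, data):
    """Classify one extracted file: an HTML body where an executable was expected
    (the 302 redirect in the thread), a PE that is complete, or a PE whose on-disk
    size is smaller than its own section table requires (truncated)."""
    fields = parse_meta(meta_text)
    expected = pe_expected_size(data)
    if fields.get("MAGIC", "").startswith("HTML"):
        status = "html-body"
    elif expected is None:
        status = "not-pe"
    elif len(data) < expected:
        status = "truncated"
    else:
        status = "complete"
    return {"filename": fields.get("FILENAME"), "status": status,
            "md5": hashlib.md5(data).hexdigest()}


def build_sample_pe():
    """Constructed minimal PE32 image: DOS stub, COFF header, one .text section
    of 0x200 bytes at file offset 0x200, so the complete file is 0x400 bytes."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(0x200, b"\0") + bytes(range(256)) * 2


if __name__ == "__main__":
    full = build_sample_pe()
    html = b"<html><body>302 Moved</body></html>"   # constructed stand-in for the 333-byte body
    for name, meta, blob in [("file.1237", META_1237, html),
                             ("file.1238", META_1238, full[:700]),
                             ("file.ok", META_1238, full)]:
        print(name, check_dump(meta, blob))
```

Run as-is it prints one line per dump; the truncated and complete copies of the same image get different MD5s, which is the effect the thread describes. On a real files directory, pair each file.N.meta with its file.N dump and feed both to check_dump; the section-table check is a lower bound only, since overlays and signature data can legitimately sit past the last section.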