<div>Hi Francesco,</div>
<div>What are your file-data rules like for this particular case?</div>
<div> </div>
<div>thanks<br><br></div>
<div class="gmail_quote">On Fri, Apr 13, 2012 at 1:18 PM, Travel Factory S.r.l. <span dir="ltr"><<a href="mailto:mc8647@mclink.it">mc8647@mclink.it</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><br>It drove me crazy that several identical .exe downloaded from the web<br>had different MD5, also "not-human" downloads like the automatic<br>
update checks of the software.<br><br><br>Please have a look at this:<br><br># cat file.1237.meta<br>TIME: 04/06/2012-11:53:29.220774<br>SRC IP: <proxy - ip ><br>DST IP: <client - ip ><br>
PROTO: 6<br>SRC PORT: 8080<br>DST PORT: 1697<br>HTTP URI:<br> <a href="http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe" target="_blank">http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe</a><br>
HTTP HOST: <a href="http://cache.pack.google.com/" target="_blank">cache.pack.google.com</a><br>HTTP REFERER: <unknown><br>FILENAME:<br> /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe<br>
MAGIC: HTML document text<br>STATE: CLOSED<br>SIZE: 333<br>root@a01:/var/log/suricata/201204131244/files# cat file.1238.meta<br>TIME: 04/06/2012-11:53:29.220774<br>SRC IP: < proxy - ip ><br>
DST IP: < client - ip ><br>PROTO: 6<br>SRC PORT: 8080<br>DST PORT: 1697<br>HTTP URI:<br> <a href="http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes" target="_blank">http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes</a><br>
HTTP HOST:<br> <a href="http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/" target="_blank">o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com</a><br>HTTP REFERER: <unknown><br>FILENAME:<br>
/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe<br>MAGIC: PE32 executable for MS Windows (GUI) Intel 80386<br>32-bit<br>STATE: CLOSED<br>SIZE: 26259<br><br><br><br>
So it seems a client asks for an update and gets a 333-byte HTML<br>answer and then gets the same file from another server and receives<br>26259 bytes of a PE32 executable.<br><br>The 333-byte HTML file is actually a 302 HTTP redirect. Why does it get<br>
dumped?<br><br>The second file is actually a PE32 file but it is truncated. Of about<br>15 logged downloads, only 3 dumps were complete.<br>Do you have similar results?<br><br>Francesco<br>_______________________________________________<br>
Oisf-users mailing list<br><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>
<div>Regards,</div>
<div>Peter Manev</div><br>
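<div>As an added example (not code from this thread or from Suricata), the script below parses the <code>.meta</code> format quoted above and flags the two symptoms Francesco reports: a <code>.exe</code> dump whose MAGIC is not PE32 (the redirect body) and the same FILENAME dumped with differing sizes (truncated transfers). The two records are constructed from the quoted dumps with the IP lines omitted; the "KEY: value" layout with wrapped URI/FILENAME lines is assumed to be as shown in the mail.</div>

```python
import re
from collections import defaultdict

# Two records constructed from the .meta dumps quoted in the thread; IP lines omitted.
SAMPLES = {
    "file.1237.meta": """TIME: 04/06/2012-11:53:29.220774
HTTP URI:
 http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
HTTP HOST: cache.pack.google.com
HTTP REFERER: <unknown>
FILENAME:
 /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC: HTML document text
STATE: CLOSED
SIZE: 333""",
    "file.1238.meta": """TIME: 04/06/2012-11:53:29.220774
HTTP URI:
 http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
HTTP HOST: o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
HTTP REFERER: <unknown>
FILENAME:
 /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
STATE: CLOSED
SIZE: 26259""",
}

def parse_meta(text):
    """Parse one .meta file into a dict; a value wrapped onto the next line is rejoined."""
    joined = re.sub(r":\n[ \t]+", ": ", text)
    return dict(line.split(": ", 1) for line in joined.splitlines() if ": " in line)

def triage(metas):
    """Return (where, finding) pairs: .exe dumps whose body is not PE32 (e.g. a
    redirect page) and filenames whose dumped SIZE differs between records."""
    findings, sizes = [], defaultdict(set)
    for name, text in metas.items():
        f = parse_meta(text)
        fname, magic = f.get("FILENAME", ""), f.get("MAGIC", "")
        if fname.lower().endswith(".exe") and not magic.startswith("PE32"):
            findings.append((name, "non-PE body for .exe: " + magic))
        sizes[fname].add(int(f.get("SIZE", "0")))
    for fname, seen in sizes.items():
        if len(seen) > 1:  # same path, different byte counts: at least one is incomplete
            findings.append((fname, "size varies across dumps: %s" % sorted(seen)))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

<div>Run against a real <code>/var/log/suricata/.../files</code> directory the same way, reading each <code>*.meta</code> into the dict, to see which dumps are redirect bodies and which are short before trusting their MD5s.</div>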