[Oisf-devel] filestore + pcap?

Peter Manev petermanev at gmail.com
Wed Jun 20 11:46:55 UTC 2012


Hi Chris,

I am all for that!
a yaml option on/off type of thing - for saving the rules that generate an
alert with filestore....

On Wed, Jun 20, 2012 at 1:27 PM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:

> I'm trying to track down the mechanism in "/1.class" which I've seen in
> some Blackhole exploit kit landing pages recently and I think is
> probably an exploit for Java 1.6.0_31.
>
> I've got a Suricata rule with "filestore" to watch for the IP addresses
> I've seen the exploit on.
>
> Alas, it seems to be using cookies and possibly other tricks (e.g. a
> recent "Scalaxy" Java exploit I saw needed HTTP no-keepalive set in
> order to download the payload), which aren't captured in the HTTP log or
> .meta files.
>
> I can't run tcpdump alongside as it's using PF_RING + DNA which can only
> allow one application to see the packets (todo: play with PF_RING's
> libzero to serve the same packets to two applications).
>
> Suricata's existing pcap logging logs everything, I think, which I doubt
> we could do at the rate we're receiving packets.
>
> Is it possible to get Suricata's filestore mechanism to save a pcap as
> well (i.e. pcap saved only when matching particular rules)?
>
> Best Wishes,
> Chris
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>



-- 
Regards,
Peter Manev
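To make the gap Chris describes concrete, here is an added example (not code from either poster): a rule that uses the filestore keyword against a list of exploit-kit hosts, next to the two suricata.yaml outputs involved. The $EXPLOIT_KIT_HOSTS variable, the sid and the paths are assumed placeholders.

```text
# local.rules (added example): store any file seen in a flow to the watched hosts.
# $EXPLOIT_KIT_HOSTS is a placeholder for the IP list from suricata.yaml "vars".
alert http $HOME_NET any -> $EXPLOIT_KIT_HOSTS any (msg:"Watched exploit kit host - store files"; \
    flow:established,to_server; filestore; classtype:trojan-activity; sid:9000001; rev:1;)

# suricata.yaml excerpt (added example): the keyword above only takes effect
# when the file-store output is enabled. It writes the file plus a .meta record
# (URI, host, etc.), but not the cookies or the packet exchange itself.
outputs:
  - file-store:
      enabled: yes
      log-dir: files          # relative to default-log-dir
      force-magic: no

  # pcap-log is the only pcap output here and is all-or-nothing: every packet
  # is written, which is why it is left off on a high-rate sensor. The request
  # in this thread is for a pcap that is written only for flows the filestore
  # rules matched.
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      mode: normal
```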