[Oisf-devel] filestore + pcap?
Victor Julien
victor at inliniac.net
Wed Jun 20 15:47:33 UTC 2012
On 06/20/2012 01:27 PM, Chris Wakelin wrote:
> I'm trying to track down the mechanism in "/1.class" which I've seen in
> some Blackhole exploit kit landing pages recently and I think is
> probably an exploit for Java 1.6.0_31.
>
> I've got a Suricata rule with "filestore" to watch for the IP addresses
> I've seen the exploit on.
>
> Alas, it seems to be using cookies and possibly other tricks (e.g. a
> recent "Scalaxy" Java exploit I saw needed HTTP no-keepalive set in
> order to download the payload), which aren't captured in the HTTP log or
> .meta files.
>
> I can't run tcpdump alongside as it's using PF_RING + DNA which can only
> allow one application to see the packets (todo: play with PF_RING's
> libzero to serve the same packets to two applications).
>
> Suricata's existing pcap logging logs everything, I think, which I doubt
> we could do at the rate we're receiving packets.
>
> Is it possible to get Suricata's filestore mechanism to save a pcap as
> well (i.e. pcap saved only when matching particular rules)?
Not possible right now, no.
We get this request every now and then, so I guess it's worth thinking
about.
Some random thoughts:
- a pcap would not have the TCP 3whs unless we do buffer packets for
really long periods -- guess we could also fake them
- tag keyword may be helpful already? Pkts then go into u2 so barnyard2
would have to dump it to pcap
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list