[Oisf-devel] filestore + pcap?

David.R.Wharton at regions.com David.R.Wharton at regions.com
Wed Jun 20 15:56:43 UTC 2012


+1 for this :)

https://redmine.openinfosecfoundation.org/issues/384
https://redmine.openinfosecfoundation.org/issues/385

-David



From:   Victor Julien <victor at inliniac.net>
To:     oisf-devel at openinfosecfoundation.org
Date:   06/20/2012 10:47 AM
Subject:        Re: [Oisf-devel] filestore + pcap?
Sent by:        oisf-devel-bounces at openinfosecfoundation.org



On 06/20/2012 01:27 PM, Chris Wakelin wrote:
> I'm trying to track down the mechanism in "/1.class" which I've seen in
> some Blackhole exploit kit landing pages recently and I think is
> probably an exploit for Java 1.6.0_31.
> 
> I've got a Suricata rule with "filestore" to watch for the IP addresses
> I've seen the exploit on.
> 
> Alas, it seems to be using cookies and possibly other tricks (e.g. a
> recent "Scalaxy" Java exploit I saw needed HTTP no-keepalive set in
> order to download the payload), which aren't captured in the HTTP log or
> .meta files.
> 
> I can't run tcpdump alongside as it's using PF_RING + DNA which can only
> allow one application to see the packets (todo: play with PF_RING's
> libzero to serve the same packets to two applications).
> 
> Suricata's existing pcap logging logs everything, I think, which I doubt
> we could do at the rate we're receiving packets.
> 
> Is it possible to get Suricata's filestore mechanism to save a pcap as
> well (i.e. pcap saved only when matching particular rules)?

Not possible right now, no.

We get this request every now and then, so I guess it's worth thinking
about.

Some random thoughts:

- a pcap would not have the TCP 3whs unless we do buffer packets for
really long periods -- guess we could also fake them

- tag keyword may be helpful already? Pkts then go into u2 so barnyard2
would have to dump it to pcap

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Oisf-devel mailing list
Oisf-devel at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
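As an added illustration of the two keywords discussed above (not a rule from the thread, and the sid, msg and time window are assumptions), a local rule that combines `filestore` with `tag` so that the extracted file is written by the file-store output and the surrounding packets of the same session go to the unified2 log, where barnyard2 can turn them into a pcap:

```suricata
# Constructed example rule (assumed sid/msg/window); requires the file-store
# and unified2 outputs to be enabled in suricata.yaml.
# Matches the client's request for "/1.class" (the URI named in the thread),
# stores the file from the server's response, and tags the rest of the
# session for 300 seconds so the packets that follow (cookies, keep-alive
# behaviour, the payload fetch) are written to unified2 for barnyard2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL possible exploit kit Java class request /1.class"; \
    flow:established,to_server; content:"/1.class"; http_uri; \
    filestore; tag:session,300,seconds; \
    classtype:trojan-activity; sid:9000001; rev:1;)
```

The tag only starts at the first matching packet, so, as noted in the reply above, the TCP handshake that preceded the match is still not captured.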
