[Oisf-users] again on filestore

Travel Factory S.r.l. mc8647 at mclink.it
Fri Apr 13 11:18:34 UTC 2012


It drove me crazy that several identical .exe files downloaded from the web 
had different MD5s, including "not-human" downloads like the automatic 
update checks of the software.


Please have a look at this:

# cat file.1237.meta
TIME:              04/06/2012-11:53:29.220774
SRC IP:            <proxy - ip >
DST IP:            <client - ip >
PROTO:             6
SRC PORT:          8080
DST PORT:          1697
HTTP URI: 
         http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
HTTP HOST:         cache.pack.google.com
HTTP REFERER:      <unknown>
FILENAME: 
         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC:             HTML document text
STATE:             CLOSED
SIZE:              333
root at a01:/var/log/suricata/201204131244/files# cat file.1238.meta
TIME:              04/06/2012-11:53:29.220774
SRC IP:            < proxy - ip >
DST IP:            < client - ip >
PROTO:             6
SRC PORT:          8080
DST PORT:          1697
HTTP URI: 
         http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
HTTP HOST: 
        o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
HTTP REFERER:      <unknown>
FILENAME: 
         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386 
32-bit
STATE:             CLOSED
SIZE:              26259



So it seems a client asks for an update and gets a 333-byte HTML 
answer, then gets the same file from another server and receives 
26259 bytes of a PE32 executable.

The 333-byte HTML file is actually a 302 HTTP redirect. Why does it get 
dumped?

The second file is actually a PE32 file, but it is truncated. Of about 
15 logged downloads, only 3 dumps were complete.
Do you have similar results?

Francesco
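One way to triage a filestore directory for exactly the two cases above, as an added example that is not part of the original mail or of Suricata itself: it parses .meta files in the format quoted above, flags an HTML body stored under an .exe name (the 302 page), and checks a PE32 dump for truncation against its own section table, which gives the byte length the file should have had. The sample meta text and the one-section PE image are constructed for the demo, and the label names are my own.

```python
import struct
# Constructed sample: the FILENAME and MAGIC lines of file.1237.meta from the mail.
SAMPLE_META = """FILENAME:
         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
MAGIC:             HTML document text
"""

def parse_meta(text):
    """Parse a Suricata filestore .meta into a dict; wrapped values join their key."""
    meta, key = {}, None
    for line in text.splitlines():
        if ":" in line and not line[0].isspace():
            key, _, val = (s.strip() for s in line.partition(":"))
            meta[key] = val
        elif key:                          # continuation line of the previous key
            meta[key] = (meta[key] + " " + line.strip()).strip()
    return meta

def pe_expected_size(data):
    """Smallest length holding every section's raw data per the PE section table, or None."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        return None
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    table = pe + 24 + opt_size             # section table follows the optional header
    end = table + nsect * 40               # the table itself must fit in the file
    for off in range(table, end, 40):
        if off + 40 > len(data):           # table cut off: the dump is certainly short
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def triage(meta, data):
    """Label a dump: 'redirect-body' (HTML under an .exe name), 'truncated', 'complete', 'other'."""
    magic = meta.get("MAGIC", "")
    if meta.get("FILENAME", "").lower().endswith(".exe") and magic.startswith("HTML"):
        return "redirect-body"
    if not magic.startswith("PE32"):
        return "other"
    need = pe_expected_size(data)          # None: headers unparseable, not a PE after all
    return "other" if need is None else ("truncated" if len(data) < need else "complete")

def sample_pe(length):
    """Constructed one-section PE32 whose .text section ends at byte 640, cut to `length`."""
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 512, 0x1000, 512, 128)
    return (bytes(hdr) + coff + sect).ljust(640, b"\0")[:length]
```

Run triage() over each file.N / file.N.meta pair in a filestore directory to separate the redirect bodies from the truncated and complete executables before trusting any MD5 comparison.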


