[Oisf-users] again on filestore
Peter Manev
petermanev at gmail.com
Fri Apr 13 13:15:11 UTC 2012
Hi Francesco,
What are your file-data rules like for this particular case?
thanks
On Fri, Apr 13, 2012 at 1:18 PM, Travel Factory S.r.l. <mc8647 at mclink.it> wrote:
>
> It drove me crazy that several identical .exe files downloaded from the web
> had different MD5s, including "not-human" downloads like the automatic
> update checks of the software.
>
>
> Please have a look at this:
>
> # cat file.1237.meta
> TIME: 04/06/2012-11:53:29.220774
> SRC IP: <proxy - ip >
> DST IP: <client - ip >
> PROTO: 6
> SRC PORT: 8080
> DST PORT: 1697
> HTTP URI:
>
> http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> HTTP HOST: cache.pack.google.com
> HTTP REFERER: <unknown>
> FILENAME:
> /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> MAGIC: HTML document text
> STATE: CLOSED
> SIZE: 333
> root at a01:/var/log/suricata/201204131244/files# cat file.1238.meta
> TIME: 04/06/2012-11:53:29.220774
> SRC IP: < proxy - ip >
> DST IP: < client - ip >
> PROTO: 6
> SRC PORT: 8080
> DST PORT: 1697
> HTTP URI:
>
> http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
> HTTP HOST:
> o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
> HTTP REFERER: <unknown>
> FILENAME:
> /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> MAGIC: PE32 executable for MS Windows (GUI) Intel 80386
> 32-bit
> STATE: CLOSED
> SIZE: 26259
>
>
>
> So it seems a client asks for an update and gets a 333-byte HTML
> answer, and then gets the same file from another server and receives
> 26259 bytes of a PE32 executable.
>
> The 333-byte HTML file is actually a 302 HTTP redirect. Why does it get
> dumped?
>
> The second file is actually a PE32 file, but it is truncated. Of about
> 15 logged downloads, only 3 dumps were complete.
> Do you have similar results?
>
> Francesco
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
Regards,
Peter Manev
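As an added example (not code from this thread or from Suricata), the following Python triage script parses the two .meta records quoted above and tells the 302 redirect body apart from the real PE32 dump by comparing the stored MAGIC with the name the file was requested under. The field names and layout are those of the quoted records; the proxy and client addresses are constructed placeholders.

```python
import re

# Two .meta records constructed from the ones quoted in the thread; the proxy and
# client addresses are placeholders, every other field is as quoted.
META = {
    "file.1237.meta": (
        "TIME: 04/06/2012-11:53:29.220774\nSRC IP: 192.0.2.10\nDST IP: 192.0.2.20\n"
        "SRC PORT: 8080\nDST PORT: 1697\nHTTP URI:\n"
        "http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "HTTP HOST: cache.pack.google.com\n"
        "FILENAME: /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "MAGIC: HTML document text\nSTATE: CLOSED\nSIZE: 333\n"),
    "file.1238.meta": (
        "TIME: 04/06/2012-11:53:29.220774\nSRC IP: 192.0.2.10\nDST IP: 192.0.2.20\n"
        "SRC PORT: 8080\nDST PORT: 1697\nHTTP URI:\n"
        "http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/"
        "install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes\n"
        "HTTP HOST: o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com\n"
        "FILENAME: /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "MAGIC: PE32 executable for MS Windows (GUI) Intel 80386\n32-bit\n"
        "STATE: CLOSED\nSIZE: 26259\n"),
}

def parse_meta(text):
    """Parse one .meta file into {KEY: value}; a value that spills onto the next
    line (the wrapped HTTP URI, the two-line MAGIC) is joined back onto its key."""
    rec, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^([A-Z][A-Z ]*):\s*(.*)$", line)
        if m:
            key = m.group(1)
            rec[key] = m.group(2)
        elif line and key:  # continuation of the previous field
            rec[key] = (rec[key] + " " + line).strip()
    return rec

def classify(rec):
    """An HTML body stored under a .exe name is the redirect page, not the binary."""
    is_exe = rec["FILENAME"].lower().endswith(".exe")
    if is_exe and rec["MAGIC"].startswith("HTML"):
        return "redirect-body"
    if is_exe and rec["MAGIC"].startswith("PE32"):
        return "pe-executable"
    return "unexpected-content" if is_exe else "not-an-exe"

def triage(metas):
    """Map each .meta file name to its verdict; only PE32 dumps are worth hashing."""
    return {name: classify(parse_meta(text)) for name, text in metas.items()}
```

None of the quoted fields records the expected length of the transfer, so the truncation Francesco describes cannot be detected from the .meta file alone.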