[Oisf-users] again on filestore

Marcos Rodriguez marcos.e.rodriguez at gmail.com
Fri Apr 20 18:09:23 UTC 2012 

On Fri, Apr 13, 2012 at 9:15 AM, Peter Manev <petermanev at gmail.com> wrote:

> Hi Francesco,
> What are your file-data rules like for this particular case?
>
> thanks
>
> On Fri, Apr 13, 2012 at 1:18 PM, Travel Factory S.r.l. <mc8647 at mclink.it>wrote:
>
>>
>> It drove me crazy that several identical .exe downloaded from the web
>> had different MD5, also "not-human" downloads like the automatic
>> update checks of the software.
>>
>>
>> Please have a look at this:
>>
>> # cat file.1237.meta
>> TIME:              04/06/2012-11:53:29.220774
>> SRC IP:            <proxy - ip >
>> DST IP:            <client - ip >
>> PROTO:             6
>> SRC PORT:          8080
>> DST PORT:          1697
>> HTTP URI:
>>
>> http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
>> HTTP HOST:         cache.pack.google.com
>> HTTP REFERER:      <unknown>
>> FILENAME:
>>         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
>> MAGIC:             HTML document text
>> STATE:             CLOSED
>> SIZE:              333
>> root at a01:/var/log/suricata/201204131244/files# cat file.1238.meta
>> TIME:              04/06/2012-11:53:29.220774
>> SRC IP:            < proxy - ip >
>> DST IP:            < client - ip >
>> PROTO:             6
>> SRC PORT:          8080
>> DST PORT:          1697
>> HTTP URI:
>>
>> http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
>> HTTP HOST:
>>        o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
>> HTTP REFERER:      <unknown>
>> FILENAME:
>>         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
>> MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386
>> 32-bit
>> STATE:             CLOSED
>> SIZE:              26259
>>
>>
>>
>> So it seems a client asks for an update and gets a 333 bytes HTML
>> answer and then gets the same file from another server and receives
>> 26259 bytes of a PE32 executable.
>>
>> The 333 HTML file is actually a 302 http redirect.. why does it get
>> dumped ?
>>
>> The second file is actually a PE32 file but it is truncated. Of about
>> 15 logged downloads, only 3 dumps were complete.
>> Do you have similar results ?
>>
>> Francesco
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
>
> --
> Regards,
> Peter Manev
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
Hi Everyone,

I wanted to piggyback on this topic and add some observations I've noticed
today:

While I haven't checked MD5 summing yet, I have noticed that with just one
rule specifying Windows PE's for extraction, I'm also getting JPEG, CSS,
and other files.

Here's a copy of my rule (blatant rip-off of Victor's example
here<https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction>
):

alert http any any -> any any (msg: "EXE Detected over HTTP";
filemagic:"executable for MS Windows"; fileext:"exe"; filestore; sid:
2000000; rev:1;)

Here are my yaml settings pertaining to file extraction:

- file-store:
      enabled: yes       # set to yes to enable
      log-dir: /data/suricata/files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: yes     # force logging of md5 checksums

magic-file: /usr/share/file/magic

default-rule-path: /etc/suricata/rules
rule-files:
- file-extract.rules  (This is the only rule file enabled, and it contains
only the rule I listed above.)

Here is some output as an example:

# file file.[0-9][0-9][0-9]

file.206: JPEG image data, JFIF standard 1.01
file.207: JPEG image data, JFIF standard 1.01
file.208: GIF image data, version 89a, 1 x 1
file.209: HTML document text
file.210: GIF image data, version 89a, 1 x 1
file.211: ASCII text, with no line terminators
file.212: UTF-8 Unicode text, with very long lines, with no line terminators
file.213: GIF image data, version 89a, 1 x 1
file.214: GIF image data, version 89a, 1 x 1
file.215: GIF image data, version 89a, 1 x 1
file.216: XML 1.0 document text
file.217: ASCII text, with very long lines, with no line terminators
file.218: ASCII text, with no line terminators
file.219: PNG image data, 256 x 256, 8-bit colormap, non-interlaced
file.272: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
file.273: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
--------------------------------------------------------------------------------------------------------------

I apologize if this has been covered and I just missed the proper search
for the answer.  Any ideas?  Don't get me wrong, I LOVE the file extraction
capabilities, and it's getting better with each update.  I really just want
Windows PE's for now for research and tool development to analyze said
PE's.   Thanks, guys.  You all rock!

marcos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120420/c087994c/attachment-0002.html>

More information about the Oisf-users mailing list