[Oisf-users] again on filestore

Victor Julien victor at inliniac.net
Sat Apr 21 09:30:09 UTC 2012


On 04/13/2012 01:18 PM, Travel Factory S.r.l. wrote:
> 
> It drove me crazy that several identical .exe downloaded from the web 
> had different MD5, also "not-human" downloads like the automatic 
> update checks of the software.
> 
> 
> Please have a look at this:
> 
> # cat file.1237.meta
> TIME:              04/06/2012-11:53:29.220774
> SRC IP:            <proxy - ip >
> DST IP:            <client - ip >
> PROTO:             6
> SRC PORT:          8080
> DST PORT:          1697
> HTTP URI: 
>          http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> HTTP HOST:         cache.pack.google.com
> HTTP REFERER:      <unknown>
> FILENAME: 
>          /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> MAGIC:             HTML document text
> STATE:             CLOSED
> SIZE:              333
> root at a01:/var/log/suricata/201204131244/files# cat file.1238.meta
> TIME:              04/06/2012-11:53:29.220774
> SRC IP:            < proxy - ip >
> DST IP:            < client - ip >
> PROTO:             6
> SRC PORT:          8080
> DST PORT:          1697
> HTTP URI: 
>          http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes
> HTTP HOST: 
>         o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com
> HTTP REFERER:      <unknown>
> FILENAME: 
>          /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe
> MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> STATE:             CLOSED
> SIZE:              26259
> 
> 
> 
> So it seems a client asks for an update and gets a 333 bytes HTML 
> answer and then gets the same file from another server and receives 
> 26259 bytes of a PE32 executable.
> 
> The 333-byte HTML file is actually a 302 HTTP redirect... why does it get 
> dumped?
> 
> The second file is actually a PE32 file, but it is truncated. Of about 
> 15 logged downloads, only 3 dumps were complete.
> Do you have similar results?

You could try adding:

content:"200"; http_stat_code;

This should filter out the redirects.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
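As an added illustration (not code from the thread or from Suricata), here is a small triage script for the .meta files quoted above: it parses the filestore key/value layout, including values written on an indented continuation line, and flags a dump whose magic is HTML but whose filename is an executable as a redirect page rather than the binary. The two records are constructed from the thread and keep only the fields the script uses.

```python
import re

# Constructed .meta records in Suricata's filestore layout (values from the
# thread above, trimmed to the fields used; long URIs sit on continuation lines).
META_RECORDS = {
    "file.1237.meta": (
        "HTTP URI: \n"
        "         http://cache.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "FILENAME: \n"
        "         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "MAGIC:             HTML document text\n"
        "SIZE:              333\n"
    ),
    "file.1238.meta": (
        "HTTP URI: \n"
        "         http://o-o.preferred.mil01s10.v16.lscache1.c.pack.google.com/edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe?cms_redirect=yes\n"
        "FILENAME: \n"
        "         /edgedl/chrome/install/1025.151_1025.142/chrome_updater.exe\n"
        "MAGIC:             PE32 executable for MS Windows (GUI) Intel 80386 32-bit\n"
        "SIZE:              26259\n"
    ),
}

KEY_RE = re.compile(r"^([A-Z][A-Z ]*?):\s*(.*)$")

def parse_meta(text):
    """Parse one .meta file into a dict. A key whose value is empty takes the
    next indented line as its value, which is how long URIs are written."""
    fields, last_key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2).strip()
        elif line.startswith(" ") and last_key and not fields[last_key]:
            fields[last_key] = line.strip()
    return fields

def is_redirect_dump(fields):
    """HTML stored under an executable filename is almost certainly a 3xx page."""
    name = fields.get("FILENAME", "").lower()
    return fields.get("MAGIC", "").startswith("HTML") and name.endswith((".exe", ".dll", ".msi"))

def triage(records):
    """Group dumps by FILENAME as (meta_name, size, 'redirect'|'binary') tuples."""
    by_path = {}
    for meta_name, text in records.items():
        f = parse_meta(text)
        kind = "redirect" if is_redirect_dump(f) else "binary"
        by_path.setdefault(f["FILENAME"], []).append((meta_name, int(f["SIZE"]), kind))
    return by_path
```

Truncation cannot be judged from the .meta alone (both dumps above are STATE: CLOSED), so the size column is there to compare against the expected length once it is known.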
