[Oisf-users] Query about suri and ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript - 2015708
Russell Fulton
r.fulton at auckland.ac.nz
Sun Oct 19 22:24:13 UTC 2014
Hi
I am running suricata and getting hits on this rule. Suri logs a bunch of packets for each ‘alert’:
SID CID Timestamp Signature IP Src IP Dst Proto Length
2 16881814 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881815 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881816 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881817 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881818 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881819 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881820 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881821 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881822 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881823 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881824 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881825 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881826 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881827 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881828 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881829 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881830 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881831 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 1500
2 16881832 2014-10-19 11:32:25 ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript 204.93.143.143 130.216.29.217 6 813
Which appears to be a whole download. First packet contains:
HTTP/1.1 200 OK
Date: Sat, 18 Oct 2014 22:32:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-CFHash: "c64b89f1083c053b95b24aef823a08ad"
Last-Modified: Wed, 07 Dec 2011 10:04:16 GMT
X-CF3: H
X-CF2: H
Server: CFS 0623
X-CF1: 11696:fA.syd1:cf:cacheA.syd1-v:H
Content-Encoding: gzip
<binary data>
Subsequent packets contain binary data.
I conclude that suri is decoding the gzipped file and finding the offending string, then flushing all the packets to the unified file.
Is this right? If so, with a little bit of work I could extract the file from the database.
What is confusing me is that other captures are all binary and don’t start with the headers. What is going on here?
Russell
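The behaviour Russell describes, as an added illustration that is not part of the original post and not Suricata's code: the detection engine does not match on the bytes of any single packet, it reassembles the TCP stream, strips the chunked transfer-encoding, gunzips the body and only then runs its content match, which is why the first packet shows readable headers followed by "binary" gzip bytes while every later packet looks like pure binary. The script below builds a constructed chunked, gzip-encoded JavaScript response (the packed-JS and applet strings are placeholders chosen to resemble what such a signature looks for, not the ET rule's actual content), splits it into segment-sized pieces, and shows that the pattern is only visible once the whole stream has been reassembled and decoded. The `PACKER_RE` pattern is an assumption about the Dean Edwards packer preamble, not a copy of the ET signature; the helper names are this example's own.

```python
import gzip
import re

# Constructed sample body: a harmless packed-JS lookalike whose packed string
# merely contains an <applet> tag, so that a "packed JS + applet" check fires.
SAMPLE_JS = (
    b"eval(function(p,a,c,k,e,d){return p}"
    b"('document.write(\"<applet code=x.class></applet>\")',0,0,[],0,{}))"
)

# Assumed approximation of the Dean Edwards packer preamble (not the ET rule).
PACKER_RE = re.compile(rb"eval\(function\(p,a,c,k,e,[dr]\)")
APPLET_RE = re.compile(rb"<applet", re.IGNORECASE)


def chunk_encode(body: bytes, chunk_size: int = 37) -> bytes:
    """Apply HTTP/1.1 chunked transfer-encoding to a byte string."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"  # zero-length terminating chunk
    return bytes(out)


def build_sample_response() -> bytes:
    """Constructed response shaped like the one in the post: chunked + gzip."""
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/x-javascript\r\n"
               b"Transfer-Encoding: chunked\r\n"
               b"Content-Encoding: gzip\r\n\r\n")
    return headers + chunk_encode(gzip.compress(SAMPLE_JS))


def segment(raw: bytes, mss: int) -> list:
    """Cut a reassembled stream into fixed-size pieces, mimicking TCP segments."""
    return [raw[i:i + mss] for i in range(0, len(raw), mss)]


def split_response(raw: bytes):
    """Separate the status line, a lower-cased header dict, and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def dechunk(body: bytes) -> bytes:
    """Remove chunked transfer-encoding, stopping at the zero-length chunk."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk's trailing CRLF
    return bytes(out)


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo transfer-encoding, then content-encoding, as an HTTP parser would."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def inspect_response(raw: bytes) -> dict:
    """Compare a match on the wire bytes with a match on the decoded body."""
    _, headers, body = split_response(raw)
    decoded = decode_body(headers, body)
    return {
        "matches_raw": bool(PACKER_RE.search(body) and APPLET_RE.search(body)),
        "matches_decoded": bool(PACKER_RE.search(decoded) and APPLET_RE.search(decoded)),
        "decoded_length": len(decoded),
    }


if __name__ == "__main__":
    resp = build_sample_response()
    segs = segment(resp, 64)
    print("first segment starts with headers:", segs[0].startswith(b"HTTP/1.1"))
    print("later segments look like binary:", not any(s.startswith(b"HTTP") for s in segs[1:]))
    print(inspect_response(b"".join(segs)))
```

Running it shows `matches_raw` is false and `matches_decoded` is true on the very same stream, which is the situation in the post: the alert is raised on the decoded body, and the packets that get logged with it are the raw segments that carried it.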