[Oisf-users] Query about suri and ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript - 2015708

Russell Fulton r.fulton at auckland.ac.nz
Sun Oct 19 22:24:13 UTC 2014


Hi

I am running suricata and getting hits on this rule.  Suri logs a bunch of packets for each ‘alert’:


SID	CID		Timestamp		Signature		IP Src		IP Dst		Proto	Length
2	16881814	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881815	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881816	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881817	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881818	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881819	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881820	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881821	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881822	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881823	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881824	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881825	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881826	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881827	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881828	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881829	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881830	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881831	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	1500	
2	16881832	2014-10-19 11:32:25	ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript		204.93.143.143	130.216.29.217	6	813	

This appears to be a whole download.  The first packet contains:

HTTP/1.1 200 OK
Date: Sat, 18 Oct 2014 22:32:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-CFHash: "c64b89f1083c053b95b24aef823a08ad"
Last-Modified: Wed, 07 Dec 2011 10:04:16 GMT
X-CF3: H
X-CF2: H
Server: CFS 0623
X-CF1: 11696:fA.syd1:cf:cacheA.syd1-v:H
Content-Encoding: gzip

<binary data>

Subsequent packets contain binary data.

I conclude that suri is decoding the gzipped file, finding the offending string, then flushing all the packets to the unified file.

Is this right?  If so with a little bit of work I could extract the file from the database.

What is confusing me is that other captures are all binary and don’t start with the headers.  What is going on here?

Russell
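Added worked example (not part of Russell's message or of Suricata/ET code): the response in the post is gzip-compressed and then chunked, so a string like "applet" is not visible in any single packet, nor in the reassembled wire stream, until the body has been de-chunked and gunzipped. The script below does that unwrapping in the sender's reverse order (de-chunk, then decompress), which is also what Suricata's HTTP parser does before running body content matches. It constructs its own sample: a made-up packed-JavaScript blob, a trimmed header set modelled on the one in the post, a small chunk size and a 64-byte "MSS" so the sample spans several segments. The search term `applet` is a stand-in for illustration; the actual content matches of ET rule 2015708 are not reproduced here.

```python
import gzip

# Constructed sample body: a Dean-Edwards-style packed JavaScript blob whose
# word dictionary contains "applet". Made up for this demonstration; it is not
# the captured file and does nothing useful if evaluated.
SAMPLE_JS = (
    rb"eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    rb"if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}"
    rb"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    rb"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    b"return p}('0.1(\"<2 3=4.5 6=7></2>\");',8,8,"
    rb"'document|write|applet|code|Exploit|class|archive|x.jar'.split('|'),0,{}))"
)


def chunk_encode(data: bytes, chunk_size: int) -> bytes:
    """Apply HTTP/1.1 chunked transfer-encoding (hex size line, data, CRLF)."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk followed by an empty trailer section
    return bytes(out)


def build_response(js: bytes, chunk_size: int = 48) -> bytes:
    """Wrap the JS the way the server in the post did: gzip first, then chunk.
    Header set is a trimmed version of the one shown in the post (assumption)."""
    compressed = gzip.compress(js, mtime=0)
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-javascript\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Connection: keep-alive\r\n"
        b"Content-Encoding: gzip\r\n"
        b"\r\n"
    )
    return headers + chunk_encode(compressed, chunk_size)


def parse_response(raw: bytes):
    """Split a raw HTTP response into status line, header dict and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def chunk_decode(body: bytes) -> bytes:
    """Undo chunked transfer-encoding; raises ValueError on a truncated body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailers, if any, are ignored
        if pos + size > len(body):
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def decode_body(raw: bytes) -> bytes:
    """Reverse the encodings the sender applied: de-chunk, then gunzip."""
    _, headers, body = parse_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = chunk_decode(body)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return body


def segment(raw: bytes, mss: int = 1460):
    """Cut the stream into TCP-segment-sized payloads, like the rows in the post."""
    return [raw[i:i + mss] for i in range(0, len(raw), mss)]


def where_is_needle(raw: bytes, needle: bytes = b"applet", mss: int = 64) -> dict:
    """Report whether NEEDLE is visible in any single segment, in the
    reassembled but still-encoded stream, and in the fully decoded body."""
    segs = segment(raw, mss=mss)
    return {
        "in_any_segment": any(needle in s for s in segs),
        "in_wire_stream": needle in b"".join(segs),
        "in_decoded_body": needle in decode_body(raw),
    }


if __name__ == "__main__":
    raw = build_response(SAMPLE_JS)
    print(where_is_needle(raw))
    print(decode_body(raw)[:60])
```

Feeding the concatenated payloads of the logged packets (first one with the headers, the rest binary) to `decode_body` recovers the JavaScript file; only the decoded body, not the packets, contains the string the rule is looking for.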


