[Oisf-users] Query about suri and ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript - 2015708
Cooper F. Nelson
cnelson at ucsd.edu
Tue Oct 21 02:52:08 UTC 2014
Probably just means the sig is triggering on a later packet.
I'm pretty sure suri only logs packets that match a signature. This is
why it's recommended to use an indexed full-packet capture system along
with an IDS.
-Coop
On 10/19/2014 3:24 PM, Russell Fulton wrote:
>
> subsequent packets contain binary data.
>
> I conclude that suri is decoding the gzipped file and finding
> offending string then flushing all the packets to the unified file.
>
> Is this right? If so with a little bit of work I could extract the
> file from the database.
>
> What is confusing me is that other captures are all binary and don’t
> start with the headers. What is going on here?
>
> Russell
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
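The behaviour discussed in this thread (a content match firing on the decompressed HTTP body rather than on the bytes of any one packet) as an added illustration; this is not code from the list posts or from Suricata, and the HTTP response, segment size and rule pattern are constructed for the example.

```python
import gzip
import re

# Constructed HTTP response whose body is gzip-encoded, standing in for the
# traffic a sensor reassembles from several TCP packets (example data only).
BODY_PLAIN = b"<html><body><applet code='x.class'></applet></body></html>"
BODY_GZIP = gzip.compress(BODY_PLAIN, mtime=0)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(BODY_GZIP)).encode() + b"\r\n"
    b"\r\n"
) + BODY_GZIP

# Simplified stand-in for a rule's content match on an applet tag.
PATTERN = re.compile(rb"<applet", re.IGNORECASE)


def split_response(raw: bytes):
    """Split an HTTP response into a lower-cased header dict and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_body(headers, body: bytes) -> bytes:
    """Undo Content-Encoding the way an HTTP-aware IDS normalizes the body."""
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        return gzip.decompress(body)
    return body


def segment(raw: bytes, size: int):
    """Cut the byte stream into fixed-size chunks, mimicking TCP segments."""
    return [raw[i:i + size] for i in range(0, len(raw), size)]


def match_raw(raw: bytes) -> bool:
    """Inspect wire bytes only: what a per-packet payload search sees."""
    return PATTERN.search(raw) is not None


def match_decoded(raw: bytes) -> bool:
    """Inspect the reassembled, decompressed body: what the HTTP match sees."""
    headers, body = split_response(raw)
    return PATTERN.search(decode_body(headers, body)) is not None


if __name__ == "__main__":
    print("any single segment matches:", any(match_raw(s) for s in segment(RESPONSE, 16)))
    print("decoded body matches:      ", match_decoded(RESPONSE))
```

The pattern is absent from every raw segment and from the whole compressed stream, so an alert tied to the decoded body can only be attributed to whichever packet completed the decompressed buffer, which is the "later packet" effect described above.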