[Oisf-users] Query about suri and ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript - 2015708

Cooper F. Nelson cnelson at ucsd.edu
Tue Oct 21 02:52:08 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Probably just means the sig is triggering on a later packet.

I'm pretty sure suri only logs packets that match a signature.  This is
why it's recommended to use an indexed full-packet capture system along
with an IDS.

- -Coop

On 10/19/2014 3:24 PM, Russell Fulton wrote:
> 
> subsequent packets contain binary data.
> 
> I conclude that suri is decoding the gzipped file and finding
> offending string then flushing all the packets to the unified file.
> 
> Is this right?  If so with a little bit of work I could extract the
> file from the database.
> 
> What is confusing me is that other captures are all binary and don’t
> start with the headers.  What is going on here?
> 
> Russell
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJURcpYAAoJEKIFRYQsa8FWLxEH/RVGqgoTyqUZki6XaHdnBZtR
CmgtL6f5eOMpNR/mxhMt3cR4ZAxIhwIrLrPpB26Ef06s8w6PHrsh2sn6VZ/Sodr0
hDYFAeop2PqjnfytcTYfGfx/JqCA9t4nTAHFqU/7FjNX+5xOWgqaLQgvCtsRIzkx
nZKhE8g9fPC4wDLqoEwkbyBy7klH1GUSyvuNCjfPdb8ymlKmypEn1HqY5fWD77oD
Gb3+kF8OI+czsaa/0fAURe02/pwEQImAUIt2/U6r6xXo8k0dyfS5Zo9T69b2F903
QGHbHgwEP6nWNuNvWNM1r+Rm9dXLPrrT0cWaBh9WtaPsQ19MjHkDXZG6muRAiS0=
=Ji4Y
-----END PGP SIGNATURE-----
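Added illustration (not part of the thread, and not Suricata code): the effect Russell describes, a content match that can only fire once the gzip-encoded HTTP body has been reassembled and inflated, so the alert lands on a later packet than the one carrying the HTTP headers, and the raw packets themselves never contain the matched string. The HTML body, the HTTP response, and the 64-byte "packet" size are all constructed for the example; `<applet` stands in for the ET signature's content match. Suricata's own HTTP decoding path is more involved than this, but the ordering shown here is the point.

```python
import zlib

# Constructed sample (not a real capture): a small HTML page with a
# packed-JS style <script> and an <applet> tag, served gzip-compressed.
# The script text is made-up filler, not real Edwards packer output.
HTML_BODY = (
    b"<html><head><title>Landing page</title></head><body>\n"
    b"<script>eval(function(p,a,c,k,e,r){e=String;"
    b"if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);"
    b"k=[function(e){return r[e]}];c=1};"
    b"while(c--)if(k[c])p=p.replace(new RegExp(e(c),'g'),k[c]);"
    b"return p}('0.1(\"2\")',3,3,'document|write|hello'.split('|'),0,{}))"
    b"</script>\n"
    b'<applet code="Exploit.class" archive="x.jar" width="1" height="1">'
    b"</applet>\n</body></html>\n"
)
NEEDLE = b"<applet"     # stands in for the signature's content match
PACKET_SIZE = 64        # hypothetical small segment size so the response spans packets


def build_response(body):
    """HTTP/1.1 response whose body is gzip-encoded (wbits=31 selects the gzip container)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 16 + zlib.MAX_WBITS)
    gz = comp.compress(body) + comp.flush()
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: %d\r\n\r\n" % len(gz)
    )
    return headers + gz


def segment(stream, size=PACKET_SIZE):
    """Chop the byte stream into fixed-size 'packets' (TCP payloads only, no headers)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def match_raw_packets(packets, needle=NEEDLE):
    """Per-packet pattern match with no reassembly and no decoding.
    Returns the index of the first packet containing the needle, or None."""
    for i, pkt in enumerate(packets):
        if needle in pkt:
            return i
    return None


def match_after_decoding(packets, needle=NEEDLE):
    """Reassemble the stream, skip the HTTP header block, inflate the body
    incrementally, and return the index of the packet whose arrival first
    makes the needle visible in the decoded body (None if never)."""
    buffered = b""
    body_started = False
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    decoded = b""
    for i, pkt in enumerate(packets):
        if not body_started:
            buffered += pkt
            sep = buffered.find(b"\r\n\r\n")
            if sep < 0:
                continue            # still inside the header block
            body_started = True
            chunk = buffered[sep + 4:]
        else:
            chunk = pkt
        decoded += inflater.decompress(chunk)   # partial gzip input is buffered internally
        if needle in decoded:
            return i
    return None


def demo():
    packets = segment(build_response(HTML_BODY))
    return {
        "packets": len(packets),
        "raw_match": match_raw_packets(packets),          # None: compressed bytes never contain it
        "decoded_match": match_after_decoding(packets),   # index > 0: fires on a later packet
    }


if __name__ == "__main__":
    print(demo())
```

The packet index returned by `match_after_decoding` is the one an alert-triggered packet logger would record; the header-bearing packet 0 and the intermediate compressed segments are only available if something else (a full-packet capture, or stream-level logging) kept them, which is why recovering the file from alert packets alone is not generally possible.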
