[Oisf-users] suricata and ClamAV

Srinivasreddy R srinivasreddy4390 at gmail.com
Thu Jul 13 05:20:10 UTC 2017


Hi,

Is the file extracted successfully/completely?
Yes, the file is extracted successfully. I have downloaded the tar file
using wget. Suricata is able to save the tar file in file-store successfully.
From the file-store I am able to untar scan19.tar.gz.

tail -f files-json.log:
---------------------------------------------


{ "id": 1, "timestamp": "07\/12\/2017-02:39:04.768755", "ipver": 4,
"srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80,
"dp": 36060, "http_uri": "\/scans\/scan19\/scan19.tar.gz", "http_host": "
old.honeynet.org", "http_referer": "<unknown>", "http_user_agent":
"Wget\/1.15 (linux-gnu)", "filename": "\/scans\/scan19\/scan19.tar.gz",
"magic": "gzip compressed data, from Unix, last modified: Wed Oct  3
13:03:51 2001", "state": "TRUNCATED", "stored": true, "size": 103713 }

I have extracted the tar file and got the newdat3.log file, which is identified
as malware.
I tried to transfer the newdat3.log file using http. I got the below logs:


{ "id": 14, "timestamp": "07\/12\/2017-21:53:13.241571", "ipver": 4,
"srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 8000,
"dp": 58091, "http_uri": "\/newdat3.log", "http_host": "xx.xx.xx.xx",
"http_referer": "http:\/\/xx.xx.xx.xx:8000\/", "http_user_agent":
"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko\/20100101
Firefox\/54.0", "filename": "\/newdat3.log", "magic": "tcpdump capture file
(little-endian) - version 2.4 (Ethernet, capture length 1514)", "state":
"TRUNCATED", "stored": true, "size": 103313 }

In the above two cases the state of the file is shown as TRUNCATED.
In the normal case, if I transfer a normal file, the state is different and I am
able to see the md5 checksum in the logs.

Logs when I transfer a normal file without any threat:
-----------------------------------------------------------------


{ "id": 2, "timestamp": "07\/12\/2017-02:40:49.130589", "ipver": 4,
"srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80,
"dp": 35568, "http_uri": "\/browse\/old\/abc\/snapshot\abc.zip",
"http_host": "xyz.org", "http_referer": "<unknown>", "http_user_agent":
"Wget\/1.15 (linux-gnu)", "filename": "abc.zip", "magic": "Zip archive
data, at least v1.0 to extract", "state": "CLOSED", "md5":
"61ccc4f24db49185f67978bde35d2b88", "stored": true, "size": 31333 }

Thanks
srinivas



> >
> > thanks
> > srinivas
> >
> >
> > On Thu, Jul 13, 2017 at 12:00 AM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
> >>
> >> That is a pcap file, not an extracted file.
> >>
> >> -Coop
> >>
> >> On 7/12/2017 11:26 AM, Srinivasreddy R wrote:
> >>
> >> I am able to see some results.
> >> The md5 hash I am searching is: 38e85119953076c904fd2105dfcb6cdb
> >>
> >>
> >> thanks
> >> srinivas
> >>
> >> On Wed, Jul 12, 2017 at 11:43 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> >> wrote:
> >>>
> >>> What happens if you search for the hash here?
> >>>
> >>> > https://www.virustotal.com/en/#search
> >>>
> >>> -Coop
> >>
> >>
> >> --
> >> Cooper Nelson
> >> Network Security Analyst
> >> UCSD ACT Security Team
> >> cnelson at ucsd.edu x41042
>
> --
> Regards,
> Peter Manev
>
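The thread turns on the difference between a CLOSED record (full capture, md5 present) and a TRUNCATED one (partial capture, no md5). The following triage script is an added example, not part of the thread or of Suricata: it parses files-json.log lines (one JSON object per line, with the `\/` escapes seen above), separates records that carry a hash from those that do not, and verifies the logged md5 against the stored bytes. The log lines, the stored bytes and the `STORED_FILES` lookup are constructed stand-ins; the real file-store layout is not assumed.

```python
import hashlib
import json

# Constructed stand-in for the bytes Suricata stored for file id 2.
STORED_FILES = {2: b"PK\x03\x04 constructed zip-like payload for the example\n"}


def _record(**fields):
    return json.dumps(fields)


# Constructed files-json.log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = "\n".join([
    _record(id=1, filename="/scans/scan19/scan19.tar.gz", state="TRUNCATED",
            stored=True, size=103713),
    _record(id=14, filename="/newdat3.log", state="TRUNCATED",
            stored=True, size=103313),
    _record(id=2, filename="abc.zip", state="CLOSED", stored=True,
            size=len(STORED_FILES[2]),
            md5=hashlib.md5(STORED_FILES[2]).hexdigest()),
])


def parse_files_log(text):
    """One JSON object per line; blank lines skipped. json.loads unescapes '\\/'."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records, stored_files):
    """Map file id -> 'no-hash' | 'missing-on-disk' | 'hash-ok' | 'hash-mismatch'.

    Suricata only emits md5 for a CLOSED (fully captured) file, so a TRUNCATED
    record is flagged 'no-hash': its stored bytes are incomplete and any hash
    computed from them would not identify the original file.
    """
    result = {}
    for r in records:
        md5 = r.get("md5")
        if r.get("state") != "CLOSED" or not md5:
            result[r["id"]] = "no-hash"
            continue
        data = stored_files.get(r["id"])
        if data is None:
            result[r["id"]] = "missing-on-disk"
        elif hashlib.md5(data).hexdigest() == md5:
            result[r["id"]] = "hash-ok"
        else:
            result[r["id"]] = "hash-mismatch"
    return result
```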