[Oisf-users] suricata and ClamAV
Peter Manev
petermanev at gmail.com
Thu Jul 13 08:21:54 UTC 2017
On Thu, Jul 13, 2017 at 7:20 AM, Srinivasreddy R
<srinivasreddy4390 at gmail.com> wrote:
> Hi,
>
>> Is the file extracted successfully/completely ?
>>
>
> yes the file is extracted successfully . i have downloaded the tar file
> using wget .suricata able to save the tar file in file-store successfully.
> From the file-store i am able to untar the tar scan19.tar.gz.
>
> tail -f files-json.log :
> ---------------------------------------------
>
>
> { "id": 1, "timestamp": "07\/12\/2017-02:39:04.768755", "ipver": 4, "srcip":
> "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80, "dp": 36060,
> "http_uri": "\/scans\/scan19\/scan19.tar.gz", "http_host":
> "old.honeynet.org", "http_referer": "<unknown>", "http_user_agent":
> "Wget\/1.15 (linux-gnu)", "filename": "\/scans\/scan19\/scan19.tar.gz",
> "magic": "gzip compressed data, from Unix, last modified: Wed Oct 3
> 13:03:51 2001", "state": "TRUNCATED", "stored": true, "size": 103713 }
>
> I have extracted the tar file and got newdat3.log file which is identified
> as a malware .
> I tried to transfer newdat3.log file using http .I got the below logs :
>
>
> { "id": 14, "timestamp": "07\/12\/2017-21:53:13.241571", "ipver": 4,
> "srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 8000,
> "dp": 58091, "http_uri": "\/newdat3.log", "http_host": "xx.xx.xx.xx",
> "http_referer": "http:\/\/xx.xx.xx.xx:8000\/", "http_user_agent":
> "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko\/20100101
> Firefox\/54.0", "filename": "\/newdat3.log", "magic": "tcpdump capture file
> (little-endian) - version 2.4 (Ethernet, capture length 1514)", "state":
> "TRUNCATED", "stored": true, "size": 103313 }
>
> In the above two cases state of the file is shown as TRUNCATED .
Yes - so this is needed to be fixed first so the file is extracted completely -
http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#settings
Also make sure you disable NIC offloading (here is an example of using
the ethtool)
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction#NIC-offloading
> In normal case if i transfer a normal file state is different and able to
> see md5 checksum in logs .
>
> logs when i transfer a normal file with out any threat:
> -----------------------------------------------------------------
>
>
> { "id": 2, "timestamp": "07\/12\/2017-02:40:49.130589", "ipver": 4, "srcip":
> "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80, "dp": 35568,
> "http_uri": "\/browse\/old\/abc\/snapshot\abc.zip", "http_host": "xyz.org",
> "http_referer": "<unknown>", "http_user_agent": "Wget\/1.15 (linux-gnu)",
> "filename": "abc.zip", "magic": "Zip archive data, at least v1.0 to
> extract", "state": "CLOSED", "md5": "61ccc4f24db49185f67978bde35d2b88",
> "stored": true, "size": 31333 }
>
> Thanks
> srinivas
>
>
>>
>> >
>> > thanks
>> > srinivas
>> >
>> >
>> > On Thu, Jul 13, 2017 at 12:00 AM, Cooper F. Nelson <cnelson at ucsd.edu>
>> > wrote:
>> >>
>> >> That is a pcap file, not an extracted file.
>> >>
>> >> -Coop
>> >>
>> >> On 7/12/2017 11:26 AM, Srinivasreddy R wrote:
>> >>
>> >> I am able to see some results .
>> >> The md5 hash i am searching is : 38e85119953076c904fd2105dfcb6cdb
>> >>
>> >>
>> >> thanks
>> >> srinivas
>> >>
>> >> On Wed, Jul 12, 2017 at 11:43 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>> >> wrote:
>> >>>
>> >>> What happens if you search for the hash here?
>> >>>
>> >>> > https://www.virustotal.com/en/#search
>> >>>
>> >>> -Coop
>> >>
>> >>
>> >> --
>> >> Cooper Nelson
>> >> Network Security Analyst
>> >> UCSD ACT Security Team
>> >> cnelson at ucsd.edu x41042
>> >
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list