[Oisf-users] suricata and ClamAV

Srinivasreddy R srinivasreddy4390 at gmail.com
Thu Jul 13 13:44:40 UTC 2017


Hi Peter,
Thank you so much.
Now I am able to extract the file successfully.

log:
------------
{ "id": 2, "timestamp": "07\/13\/2017-02:35:16.193406", "ipver": 4,
"srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 8000,
"dp": 62325, "http_uri": "\/scan19.tar.gz", "http_host": "xx.xx.xx.xx",
"http_referer": "http:\/\/xx.xx.xx.xx:8000\/", "http_user_agent":
"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko\/20100101
Firefox\/54.0", "filename": "\/scan19.tar.gz", "magic": "gzip compressed
data, from Unix, last modified: Wed Oct  3 13:03:51 2001", "state":
"CLOSED", "md5": "11e0be295d138df14111796a7733a5d2", "stored": true,
"size": 1014824 }

thanks
srinivas


On Thu, Jul 13, 2017 at 1:51 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Thu, Jul 13, 2017 at 7:20 AM, Srinivasreddy R
> <srinivasreddy4390 at gmail.com> wrote:
> > Hi,
> >
> >> Is the file extracted successfully/completely ?
> >>
> >
> > Yes, the file is extracted successfully. I have downloaded the tar file
> > using wget. Suricata is able to save the tar file in file-store
> > successfully.
> > From the file-store I am able to untar the tar scan19.tar.gz.
> >
> > tail -f  files-json.log :
> > ---------------------------------------------
> >
> >
> > { "id": 1, "timestamp": "07\/12\/2017-02:39:04.768755", "ipver": 4,
> > "srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80,
> > "dp": 36060, "http_uri": "\/scans\/scan19\/scan19.tar.gz", "http_host":
> > "old.honeynet.org", "http_referer": "<unknown>", "http_user_agent":
> > "Wget\/1.15 (linux-gnu)", "filename": "\/scans\/scan19\/scan19.tar.gz",
> > "magic": "gzip compressed data, from Unix, last modified: Wed Oct  3
> > 13:03:51 2001", "state": "TRUNCATED", "stored": true, "size": 103713 }
> >
> > I have extracted the tar file and got the newdat3.log file, which is
> > identified as malware.
> > I tried to transfer the newdat3.log file using http. I got the below logs:
> >
> >
> > { "id": 14, "timestamp": "07\/12\/2017-21:53:13.241571", "ipver": 4,
> > "srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 8000,
> > "dp": 58091, "http_uri": "\/newdat3.log", "http_host": "xx.xx.xx.xx",
> > "http_referer": "http:\/\/xx.xx.xx.xx:8000\/", "http_user_agent":
> > "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko\/20100101
> > Firefox\/54.0", "filename": "\/newdat3.log", "magic": "tcpdump capture file
> > (little-endian) - version 2.4 (Ethernet, capture length 1514)", "state":
> > "TRUNCATED", "stored": true, "size": 103313 }
> >
> > In the above two cases the state of the file is shown as TRUNCATED.
>
> Yes - so this needs to be fixed first so the file is extracted
> completely -
> http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#settings
>
> Also make sure you disable NIC offloading (here is an example of using
> ethtool)
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction#NIC-offloading
>
> > In the normal case, if I transfer a normal file the state is different and
> > I am able to see the md5 checksum in the logs.
> >
> > Logs when I transfer a normal file without any threat:
> > -----------------------------------------------------------------
> >
> >
> > { "id": 2, "timestamp": "07\/12\/2017-02:40:49.130589", "ipver": 4,
> > "srcip": "xx.xx.xx.xx", "dstip": "xx.xx.xx.xx", "protocol": 6, "sp": 80,
> > "dp": 35568, "http_uri": "\/browse\/old\/abc\/snapshot\abc.zip", "http_host":
> > "xyz.org", "http_referer": "<unknown>", "http_user_agent": "Wget\/1.15 (linux-gnu)",
> > "filename": "abc.zip", "magic": "Zip archive data, at least v1.0 to
> > extract", "state": "CLOSED", "md5": "61ccc4f24db49185f67978bde35d2b88",
> > "stored": true, "size": 31333 }
> >
> > Thanks
> > srinivas
> >
> >
> >>
> >> >
> >> > thanks
> >> > srinivas
> >> >
> >> >
> >> > On Thu, Jul 13, 2017 at 12:00 AM, Cooper F. Nelson <cnelson at ucsd.edu>
> >> > wrote:
> >> >>
> >> >> That is a pcap file, not an extracted file.
> >> >>
> >> >> -Coop
> >> >>
> >> >> On 7/12/2017 11:26 AM, Srinivasreddy R wrote:
> >> >>
> >> >> I am able to see some results.
> >> >> The md5 hash I am searching for is: 38e85119953076c904fd2105dfcb6cdb
> >> >>
> >> >>
> >> >> thanks
> >> >> srinivas
> >> >>
> >> >> On Wed, Jul 12, 2017 at 11:43 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> >> >> wrote:
> >> >>>
> >> >>> What happens if you search for the hash here?
> >> >>>
> >> >>> > https://www.virustotal.com/en/#search
> >> >>>
> >> >>> -Coop
> >> >>
> >> >>
> >> >> --
> >> >> Cooper Nelson
> >> >> Network Security Analyst
> >> >> UCSD ACT Security Team
> >> >> cnelson at ucsd.edu x41042
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
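A small triage script, added here as an example and not part of the thread or of Suricata itself: it parses files-json.log records in the shape shown above, flags TRUNCATED entries (the incomplete extractions Peter refers to, which carry no md5) and recomputes the md5 of CLOSED entries against the stored copy. It assumes the legacy file-store layout where the stored file is named file.<id>; the log lines and file contents are constructed.

```python
"""Triage Suricata files-json.log records (constructed sample, not thread data):
flag TRUNCATED extractions and verify md5 of CLOSED entries against file-store."""
import hashlib
import json
import os
import tempfile

# Constructed log lines in the files-json.log shape shown in the thread.
# Entry 2's md5 is md5("hello"); entry 3 reuses it but its stored copy differs.
SAMPLE_LOG = """\
{ "id": 1, "filename": "\\/scans\\/scan19\\/scan19.tar.gz", "state": "TRUNCATED", "stored": true, "size": 103713 }
{ "id": 2, "filename": "\\/scan19.tar.gz", "state": "CLOSED", "md5": "5d41402abc4b2a76b9719d911017c592", "stored": true, "size": 5 }
{ "id": 3, "filename": "\\/newdat3.log", "state": "CLOSED", "md5": "5d41402abc4b2a76b9719d911017c592", "stored": true, "size": 5 }
"""

def triage_entry(entry, store_dir):
    """Return (status, detail): truncated | no-hash | missing | verified | mismatch."""
    if entry.get("state") == "TRUNCATED":
        # Incomplete extraction: Suricata logs no md5, so nothing can be verified.
        return "truncated", "fix file-extraction settings / NIC offloading first"
    logged = entry.get("md5")
    if not logged:
        return "no-hash", "state=%s without md5" % entry.get("state")
    # Assumption: legacy file-store layout, stored file named file.<id>.
    path = os.path.join(store_dir, "file.%d" % entry["id"])
    if not entry.get("stored") or not os.path.isfile(path):
        return "missing", path
    with open(path, "rb") as fh:
        actual = hashlib.md5(fh.read()).hexdigest()
    return ("verified" if actual == logged else "mismatch"), actual

def triage_log(lines, store_dir):
    """Map file id -> (status, detail) for every non-empty JSON line."""
    results = {}
    for line in lines:
        if line.strip():
            entry = json.loads(line)
            results[entry["id"]] = triage_entry(entry, store_dir)
    return results

def demo():
    """Build a throwaway file-store with constructed contents and triage the sample."""
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, "file.2"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(store, "file.3"), "wb") as fh:
            fh.write(b"jello")
        return triage_log(SAMPLE_LOG.splitlines(), store)
```

Call demo() to see the three outcomes, or point triage_log() at the real files-json.log lines and your file-store directory.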