Support #1900 (closed)
Field http.hostname not being parsed out correctly.
Description
Seeing an issue with Suricata 3.1.1 & 3.1.2 where the HTTP URL, Method, Protocol, etc. are all parsed into fields, but the http.hostname field is not parsed. Attached is a sample pcap where this is showing to be repeatable. We are seeing this with the ET Pro ruleset on sig ID 2814364, rev 3. We do see the http information clearly and parsed in other fields like http.http_refer. The packet in the pcap clearly shows the hostname as "Host: ..." which we expect, but Suricata isn't parsing out that field. I would assume Suricata has access to the ET Pro rules but if not please let me know. Thanks.
Updated by Andreas Herz over 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
How do you run suricata exactly and what does your setup look like?
Peter couldn't reproduce it, so we need to dig deeper into that.
Updated by Josh Lane over 7 years ago
Andreas Herz wrote:
How do you run suricata exactly and what does your setup look like?
Peter couldn't reproduce it, so we need to dig deeper into that.
We compile from source and run on Linux. Our configuration is fairly out of the box except for the rulesets we use. The configuration options are:
PF_RING enabled
UTF-8 enabled
Unicode enabled
LibHTP enabled
What specifics are you looking for that we can help clarify anything here?
Updated by Jason Ish over 7 years ago
It looks like some of the TCP checksums are bad; have you disabled offloads? See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture for more information. If you haven't, you are probably after:
ethtool -K ${IF} gro off
ethtool -K ${IF} lro off
Replacing ${IF} with your interface.
Updated by Peter Manev over 7 years ago
I can reproduce the following with 3.1.1 and git master (3.2dev, rev 398489e):
The hostname (and other fields) is in the http log but not in the alert http supplemental info. They share the same flow_id.
Updated by Josh Lane over 7 years ago
I've run the commands provided for the interface and retested, but still have the same behavior: no content in the http.hostname or http.hostname.raw fields. Any input is welcomed.
Updated by Jason Ish over 7 years ago
I probably should have told you to turn off the send offloads as well. After doing something like:
ethtool -K ${IF} tso off
ethtool -K ${IF} gro off
ethtool -K ${IF} lro off
ethtool -K ${IF} gso off
ethtool -K ${IF} rx off
ethtool -K ${IF} tx off
ethtool -K ${IF} sg off
ethtool -K ${IF} rxvlan off
ethtool -K ${IF} txvlan off
Can you please provide another pcap so we can verify the TCP checksum is correct?
Thanks.
Updated by Josh Lane over 7 years ago
I've retested with the ethtool changes provided, restarting Suricata 3.1.2 and the result is no http.hostname content. Can you expand on the TCP checksum problem for the PCAP? Thanks.
Updated by Jason Ish over 7 years ago
So what I did was open your pcap in Wireshark, right click on the first packet, then "Protocol Preferences", then "Validate the TCP checksum if possible". This will show a few packets with a bad TCP checksum, and I am wondering if offloads are getting in the way. It would be useful to know if taking a new pcap after disabling the offloads resolves the bad TCP checksum.
You can also run Suricata with "-k none" which disables checksum validation, doing this with your pcap I get the hostname in all the expected places.
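As an added example (not from the ticket or from Suricata), a minimal TCP checksum validator that performs the same check Wireshark's "Validate the TCP checksum if possible" does, so a capture can be vetted before blaming the parser. The packet is constructed here, with a request modeled on the one in this ticket.

```python
import struct
from socket import inet_aton

def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the TCP segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)

def tcp_checksum_ok(packet: bytes) -> bool:
    """Validate the TCP checksum of a raw IPv4 packet (no link-layer header)."""
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(packet[12:16], packet[16:20], segment) == stored

def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet with a correct TCP checksum (IP header checksum left 0)."""
    src, dst = inet_aton(src_ip), inet_aton(dst_ip)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 512, 0, 0)
    csum = tcp_checksum(src, dst, tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, 6, 0, src, dst)
    return ip_hdr + tcp_hdr + payload

# Constructed request, modeled on the one in this ticket.
REQUEST = b"GET /demdot.jpg HTTP/1.1\r\nHost: dpm.demdex.net\r\n\r\n"
GOOD = build_packet("161.134.101.254", "161.134.156.20", 54906, 84, REQUEST)
# Flip one payload byte so the stored checksum no longer matches. A capture taken with
# checksum offload enabled shows the same symptom: the NIC fills in the checksum after
# the capture point, so the bytes on disk are not what went on the wire.
BAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])

if __name__ == "__main__":
    print("good packet:", tcp_checksum_ok(GOOD))   # True
    print("bad packet:", tcp_checksum_ok(BAD))     # False
```

Packets that fail this check are the ones Suricata skips unless it is run with "-k none", which is why the hostname only appears with validation disabled on the original capture.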
Updated by Jason Ish over 7 years ago
Sorry, upon further inspection, fixing the offloads should fix the checksums in your pcap, but will not fix the hostname showing up in the event.
The actual matching of that rule on the URI may be done before the header is fully parsed, resulting in an alert being logged before all the http information is parsed. I suspect this occurs for this traffic because the URI is so long, and the request is spread across more than a single TCP packet.
Updated by Josh Lane over 7 years ago
We've disabled the lro and gro offload on the interfaces and will capture a new pcap to validate that this is fixed. Will keep you up to date.
Updated by Josh Lane over 7 years ago
- File broken.pcap added
- File working.pcap added
We have both a working and a non-working pcap after the changes. Any ideas why one works and one is broken? Both were pulled after the interface changes were made for lro and gro off. Thanks.
Updated by Victor Julien about 7 years ago
I don't think this is something we can really address. The URI is inspected as soon as it's available, and we raise the alert also ASAP. We log whatever http fields we have available at that time, which in this case isn't a whole lot. Postponing the alert is not an option.
We recently added support for a per flow 'has alert' flag. Perhaps this could be used to extend the http logger to only log those http flows that raised alerts. It's flow based though, and a single flow can have a lot of http transactions.
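Given the behaviour described above (the alert is written with whatever http fields exist at that moment, while the http event for the same transaction is written later with the full set), one way to recover the missing fields after the fact is to join the two on flow_id and tx_id in eve.json. This is an added example, not code from the ticket or from Suricata; it assumes the alert event carries the same tx_id as its http event and falls back to flow_id only when that flow has a single transaction. The EVE lines are constructed, modeled on the ones in this ticket.

```python
import json
from collections import defaultdict

# Constructed EVE lines: the alert for sig 2814364 is logged first, with only the fields
# parsed so far; the http event for the same flow_id/tx_id follows with the hostname.
SAMPLE_EVE = """\
{"timestamp":"2016-08-24T16:55:41.150001+0200","flow_id":2232793332206287,"event_type":"alert","src_ip":"161.134.101.254","dest_ip":"161.134.156.20","dest_port":84,"proto":"TCP","tx_id":0,"alert":{"signature_id":2814364,"rev":3},"http":{"url":"/demdot.jpg?et:dpm|dpid:288","http_method":"GET","protocol":"HTTP/1.1"}}
{"timestamp":"2016-08-24T16:55:41.151006+0200","flow_id":2232793332206287,"event_type":"http","src_ip":"161.134.101.254","dest_ip":"161.134.156.20","dest_port":84,"proto":"TCP","tx_id":0,"http":{"hostname":"dpm.demdex.net","url":"/demdot.jpg?et:dpm|dpid:288","http_method":"GET","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2016-08-24T16:55:42.000000+0200","flow_id":2232793332206287,"event_type":"http","tx_id":1,"http":{"hostname":"dpm.demdex.net","url":"/other","http_method":"GET","protocol":"HTTP/1.1"}}
{"timestamp":"2016-08-24T16:55:43.000000+0200","flow_id":99,"event_type":"alert","tx_id":0,"alert":{"signature_id":1},"http":{"url":"/x"}}
"""

FIELDS = ("hostname", "http_user_agent", "http_content_type", "status")

def enrich_alerts(eve_lines, fields=FIELDS):
    """Return the alert events that carry an http object, with missing http fields
    copied from the http event of the same transaction. Two passes are needed
    because the alert is written to the log before its http event."""
    events = [json.loads(line) for line in eve_lines if line.strip()]
    http_by_tx = {}                      # (flow_id, tx_id) -> http object
    http_by_flow = defaultdict(list)     # flow_id -> all http objects of that flow
    for ev in events:
        if ev.get("event_type") == "http":
            http_by_tx[(ev["flow_id"], ev.get("tx_id"))] = ev["http"]
            http_by_flow[ev["flow_id"]].append(ev["http"])
    enriched = []
    for ev in events:
        if ev.get("event_type") != "alert" or "http" not in ev:
            continue
        src = http_by_tx.get((ev["flow_id"], ev.get("tx_id")))
        # A flow can hold many transactions, so only use the flow-level match
        # when it is unambiguous (exactly one http event for that flow).
        if src is None and len(http_by_flow.get(ev["flow_id"], [])) == 1:
            src = http_by_flow[ev["flow_id"]][0]
        if src is not None:
            for name in fields:
                if name not in ev["http"] and name in src:
                    ev["http"][name] = src[name]
        enriched.append(ev)
    return enriched

if __name__ == "__main__":
    for alert in enrich_alerts(SAMPLE_EVE.splitlines()):
        print(json.dumps(alert))
```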
Updated by Josh Lane about 7 years ago
In what version was this flag added so it can be used?
Updated by Andreas Herz about 5 years ago
Did you look into this flag as an option?
Updated by Victor Julien almost 5 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
- Assignee deleted (OISF Dev)
- Target version deleted (TBD)
Flag was added in 4.1.