Actions
Support #1900
closedField http.hostname not being parsed out correctly.
Added by Josh Lane over 7 years ago. Updated almost 5 years ago.
Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Description
Seeing an issue with Suricata 3.1.1 & 3.1.2 where the HTTP URL, Method, Protocol, etc and all parsed into fields, but the http.hostname field is not parsed. Attached is a sample pcap where this is showing to be repeatable. We are seeing this with the ET Pro ruleset on sig ID 2814364, rev 3. We do see the http information clearly and parsed in other fields like http.http_refer. The packet in the pcap clearly shows the hostname as "Host: ..." which we expect but Suricata isn't parsing out that field. I would assume Suricata has access to the ET Pro rules but if not please let me know. Thanks.
Files
| Suricata Hostname Parsing Issue.pcap (16.2 KB) Suricata Hostname Parsing Issue.pcap | Example pcap for testing | Josh Lane, 09/26/2016 03:05 PM | |
| broken.pcap (21.7 KB) broken.pcap | Not parsing out correctly | Josh Lane, 10/10/2016 10:57 AM | |
| working.pcap (102 KB) working.pcap | Is parsing out correctly | Josh Lane, 10/10/2016 10:57 AM |
Updated by Andreas Herz over 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
How do you run suricata exactly and how does your setup look like?
Peter couldn't reproduce it, so we need to dig deeper into that.
Updated by Josh Lane over 7 years ago
Andreas Herz wrote:
How do you run suricata exactly and how does your setup look like?
Peter couldn't reproduce it, so we need to dig deeper into that.
We compile from source and run on Linux. Our configuration is fairly out of the box except for the rulesets we use. The configuration options are:
PF_RING enabled
UTF-8 enabled
Unicode enabled
LibHTP enabled
What specifics are you looking for that we can help clarify anything here?
Updated by Jason Ish over 7 years ago
It looks like some of the TCP checksums are bad, have you disabled offloads? See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture for more information. If you haven't you are probably after:
ethtool -K ${IF} gro off
ethtool -K ${IF} lro off
Replacing ${IF} with your interface.
Updated by Peter Manev over 7 years ago
I can reproduce the following - with 3.1.1 and git master(3.2dev (rev 398489e)) -
The hostname (and other fields) is in the http log but not in the alert http supplemental info. They share the same flow_id -
GIT
{"timestamp":"2016-08-24T16:55:41.151006+0200","flow_id":2232793332206287,"pcap_cnt":12,"event_type":"http","src_ip":"161.134.101.254","src_port":54906,"dest_ip":"161.134.156.20","dest_
port":84,"proto":"TCP","tx_id":0,"http":{"hostname":"dpm.demdex.net","url":"http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:22|data:company_size=xlarge&seniority=non_management&location
=us&group=business_professional&industry=finance&industry=finance_investing_banking&industry=healthcare&industry=healthcare_medical_offices&industry=manufacturing&industry=manufacturing
_metals","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36","http_content_type":"image\/jpeg","accept"
:"image\/webp,image\/*,*\/*;q=0.8","accept_encoding":"gzip, deflate, sdch","accept_language":"en-US,en;q=0.8","cookie":"demdex=12163784947978936081308196091324353359; dpm=12163784947978
936081308196091324353359; DSTJS=\"\"; DPM=288-2371:376496&377254&376493&376492&376491&1849017&377249&611053&1849019&1849014&450319&377024&1849016&376759&1849015&611048&376512&62374&4503
25&62375&376508&62370&376505&62372&376503&376504&62383&611063&376499&611064&376498&376526&376528&376527&1849053&376522&376521&1849050&1308057&1849047&376520&377054&1141068&1141069&37651
3&376516&376515&1141072&1141074&1317289&376537&1141078&1141079&376533&1317282&376534&376536&376532&62410&62322&62325&62330&377208&62313&62675&62354&62353&450341&450343&450346&450345&623
67&450351&377233&450354&62337&377243&1339348&62740&62751&62726&62483&1339338&62734&1162254&62729&62711&377168&377167&377164&62297&62298&377158&62719&377159&62713&1265072&62444&610975&37
7156&377155&62455&62282&62692&62281&62280&62702&62461&610959&610960&62460&376562&1135143&1135142&1849057&67220&1135152&377058&1135150&1135147&611004&1135159&376546&610982&377081&396845&
1135155&1135153&377102&377103&611038&611034&377096&377095&377113&611013&377322&611012&377317&377106&377107&377112&611018|22-2770:61986&61682&61859&61796&61846&61848&61834&61837&61997&61
871|21-2790:; DST=\"\"; nexac=1; dextp=2600-1-1426179150928|615-1-1429708381373|1329-1-1432153697951|1291-1-1442339565499|1177-1-1443024230501|1957-1-1443024230536|601-1-1444327205520|2
2052-1-1444327205551|6894-1-1446047192708|60-1-1448387501151|640-1-1451581074715|19360-1-1453902309669|618-1-1456864682557|992-1-1459522936997|1760-1-1460394608314|47434-1-1461254120761
|470-1-1462390838142|28645-1-1462390838170|772-1-1466182646546|544-1-1466182646563|445-1-1468443481242|11289-1-1470160121706|782-1-1470160122012|1342-1-1470160122226|20-1-1470160122243|
22-2-1470160122311|11601-1-1471639170445|352-1-1471873732966|843-1-1471873732994|30646-1-1471873733024|2340-1-1471873733039|82530-1-1471873733054|269-1-1471874183650|21-2-1471874183683|
1123-1-1471874183716|1127-1-1471874183731|1121-1-1471874183747|903-1-1471874183764|1175-1-1471874183780|6835-1-1471874183795|13870-1-1471874183810|22053-1-1471874183825|420-1-1471885709
180|358-1-1471885709193|477-1-1471885709233|282-1-1471886535864|375-1-1471886535933|359-1-1471886535950|411-1-1471886535976|416-1-1471886536006|832-1-1471886536082|1083-1-1471886536097|
1084-1-1471886536113|1085-1-1471886536128|1086-1-1471886536144|1087-1-1471886536158|1088-1-1471886536175|19913-1-1471886536204|83349-1-1471886536219|3-1-1471949996372|481-1-147194999637
9|771-1-1471949996392|19566-1-1471949996408|540-1-1471962578365|targus-1472050540100|mm-1472050540111|ex-1472050540119|acx-1472050540125|addthis-1472050540130|rubicon-1472050540142|vid-
1472050540144|tapad-1472050540147; bizo=1","connection":"Keep-Alive","content_length":"308","content_type":"image\/jpeg","date":"Wed, 24 Aug 2016 14:55:41 GMT","set_cookie":"DPM=288-237
1:376496&377254&376493&376492&376491&1849017&377249&611053&1849019&1849014&450319&377024&1849016&376759&1849015&611048&376512&62374&450325&62375&376508&62370&376505&62372&376503&376504&
62383&611063&376499&611064&376498&376526&376528&376527&1849053&376522&376521&1849050&1308057&1849047&376520&377054&1141068&1141069&376513&376516&376515&1141072&1141074&1317289&376537&11
41078&1141079&376533&1317282&376534&376536&376532&62410&62322&62325&62330&377208&62313&62675&62354&62353&450341&450343&450346&450345&62367&450351&377233&450354&62337&377243&1339348&6274
0&62751&62726&62483&1339338&62734&1162254&62729&62711&377168&377167&377164&62297&62298&377158&62719&377159&62713&1265072&62444&610975&377156&377155&62455&62282&62692&62281&62280&62702&6
2461&610959&610960&62460&376562&1135143&1135142&1849057&67220&1135152&377058&1135150&1135147&611004&1135159&376546&610982&377081&396845&1135155&1135153&377102&377103&611038&611034&37709
6&377095&377113&611013&377322&611012&377317&377106&377107&377112&611018|21-2790:|22-2792:61986&61682&61859&61796&61846&61848&61834&61837&61997&61871;Path=\/;Domain=.demdex.net;Expires=F
ri, 24-Aug-2018 14:55:41 GMT","http_refer":"http:\/\/fast.mtvn.demdex.net\/DSD-gz\/mtvn-dest.html?targus=1&targusvalidttl=14400&bizo=1&bizovalidttl=14400&nexac=1&nexacvalidttl=14400&acx
=1&acxvalidttl=14400&addthis=1&addthisvalidttl=14400&is_exelate=1&exvalidttl=302400&is_mediamath=1&mmvalidttl=10080&rubicon=1&rubiconvalidttl=14400&tapad=1&tapadvalidttl=20160&vid=1&vid
validttl=10080&qtct=1&qtctvalidttl=20160","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":308}}
{"timestamp":"2016-08-24T16:55:41.340129+0200","flow_id":2232793332206287,"pcap_cnt":16,"event_type":"alert","src_ip":"161.134.101.254","src_port":54906,"dest_ip":"161.134.156.20","dest
_port":84,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2814364,"rev":3,"signature":"ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI","categor
y":"A Network Trojan was Detected","severity":1},"http":{"url":"http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:288|data:R11=25004&R6=25&S6364=H&T10035=T&T10037=T&T10534=T&T11080=T&T117
40=T&T11751=T&T11932=T&T11935=T&T11936=T&T11937=T&T11941=T&T16184=T&T16187=T&T16191=T&T16195=T&T16221=T&T16225=T&T16226=T&T16227=T&T16229=T&T16250=T&T18541=T&T18545=T&T18546=T&T18548=T&
T18550=T&T18570=T&T18575=T&T18578=T&T18579=T&T19159=T&T19164=T&T19166=T&T20419=T&T22159=T&T24619=T&T9496=T&T9498=T&T9499=T&T9502=T&T9504=T&T9505=T&T9506=T&T9516=T&T9517=T&T9519=T&T9522=
T&T9525=T&T9527=T&T9528=T&T9529=T&T9532=T&T9537=T&T9538=T&T9539=T&T9560=T&TA10253=T&TA10254=T&TA10257=T&TA10258=T&TA10259=T&TA10260=T&TA10263=T&TA10331=T&TA1518=T&TA1519=T&TA1520=T&TA15
22=T&TA1525=T&TA1527=T&TA1900=T&TA1901=T&TA2249=T&TA2290=T&TA2291=T&TA2292=T&TA2296=T&TA2583=T&TA3801=T&TA3817=T&TA3820=T&TA3821=T&TA3822=T&TA3823=T&TA3824=T&TA3825=T&TK1787=T&TK1788=T&
TK1789=T&TK1791=T&TK1792=T&TK1793=T&TK1794=T&TK1795=T&TK1797=T&TK1799=T&TK1800=T&TK1801=T&TK1804=T&TK1805=T&TK2756=T&TK2759=T&TK2760=T&TK2761=T&TK2762=T&TK2763=T&TK3254=T&TK3255=T&TK325
6=T&TK3261=T&TK3263=T&TK3678=T&TK3680=T&TK3681=T&TK3683=T&TK3760=T&TK3774=T&TK3781=T&TK3795=T&TK3800=T&TK3809=T&TK3811=T&TK3812=T&TK3826=T&TK3827=T&TK3828=T&TK3830=T&TK3831=T&TK3836=T&T
K3838=T&TK3839=T&TK3842=T&TK3849=T&TK3850=T&TK3854=T&TK3856=T&TK3857=T&TK3858=T&TK3859=T&TK3860=T&TK3862=T&TK3879=T&TK4077=T&TK416=T&TK417=T&TK418=T&TK425=T&TK4582=T&TK4588=T&TK4595=T&T
K4601=T&TK4603=T&TK4606=T&TK4607=T&TK4608=T&TK4609=T&TK4617=T&TX1236=T&TX1301=T&TX1743=T&TX197=T&TX199=T&TX2083=T&TX217=T&TX226=T&TX230=T&TX235=T&TX237=T&TX247=T&TX2698=T&TX2843=T&TX286
=T&TX287=T&TX291=T&TX292=T&TX3057=T&TX4302=T&TX549=T&TX552=T&TX554=T&TX555=T&TX556=T&TX557=T&TX559=T&TY30795=T&W171=Y&Z1=G&Z104=E&Z129=Y&Z130=Y&Z131=521&Z147=Y&Z26=A&Z27=I&Z3=H&Z30=Y&Z3
3=Y&Z37=F&Z38=F&Z54=Y&Z61=3&Z71=3&","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36","http_method":"
GET","protocol":"HTTP\/1.1","length":0},"payload":"R0VUIGh0dHA6Ly9kcG0uZGVtZGV4Lm5ldC9kZW1kb3QuanBnP2V0OmRwbXxkcGlkOjI4OHxkYXRhOlIxMT0yNTAwNCZSNj0yNSZTNjM2ND1IJlQxMDAzNT1UJlQxMDAzNz1UJl
QxMDUzND1UJlQxMTA4MD1UJlQxMTc0MD1UJlQxMTc1MT1UJlQxMTkzMj1UJlQxMTkzNT1UJlQxMTkzNj1UJlQxMTkzNz1UJlQxMTk0MT1UJlQxNjE4ND1UJlQxNjE4Nz1UJlQxNjE5MT1UJlQxNjE5NT1UJlQxNjIyMT1UJlQxNjIyNT1UJlQxNjI
yNj1UJlQxNjIyNz1UJlQxNjIyOT1UJlQxNjI1MD1UJlQxODU0MT1UJlQxODU0NT1UJlQxODU0Nj1UJlQxODU0OD1UJlQxODU1MD1UJlQxODU3MD1UJlQxODU3NT1UJlQxODU3OD1UJlQxODU3OT1UJlQxOTE1OT1UJlQxOTE2ND1UJlQxOTE2Nj1U
JlQyMDQxOT1UJlQyMjE1OT1UJlQyNDYxOT1UJlQ5NDk2PVQmVDk0OTg9VCZUOTQ5OT1UJlQ5NTAyPVQmVDk1MDQ9VCZUOTUwNT1UJlQ5NTA2PVQmVDk1MTY9VCZUOTUxNz1UJlQ5NTE5PVQmVDk1MjI9VCZUOTUyNT1UJlQ5NTI3PVQmVDk1Mjg9V
CZUOTUyOT1UJlQ5NTMyPVQmVDk1Mzc9VCZUOTUzOD1UJlQ5NTM5PVQmVDk1NjA9VCZUQTEwMjUzPVQmVEExMDI1ND1UJlRBMTAyNTc9VCZUQTEwMjU4PVQmVEExMDI1OT1UJlRBMTAyNjA9VCZUQTEwMjYzPVQmVEExMDMzMT1UJlRBMTUxOD1UJl
RBMTUxOT1UJlRBMTUyMD1UJlRBMTUyMj1UJlRBMTUyNT1UJlRBMTUyNz1UJlRBMTkwMD1UJlRBMTkwMT1UJlRBMjI0OT1UJlRBMjI5MD1UJlRBMjI5MT1UJlRBMjI5Mj1UJlRBMjI5Nj1UJlRBMjU4Mz1UJlRBMzgwMT1UJlRBMzgxNz1UJlRBMzg
yMD1UJlRBMzgyMT1UJlRBMzgyMj1UJlRBMzgyMz1UJlRBMzgyND1UJlRBMzgyNT1UJlRLMTc4Nz1UJlRLMTc4OD1UJlRLMTc4OT1UJlRLMTc5MT1UJlRLMTc5Mj1UJlRLMTc5Mz1UJlRLMTc5ND1UJlRLMTc5NT1UJlRLMTc5Nz1UJlRLMTc5OT1U
JlRLMTgwMD1UJlRLMTgwMT1UJlRLMTgwND1UJlRLMTgwNT1UJlRLMjc1Nj1UJlRLMjc1OT1UJlRLMjc2MD1UJlRLMjc2MT1UJlRLMjc2Mj1UJlRLMjc2Mz1UJlRLMzI1ND1UJlRLMzI1NT1UJlRLMzI1Nj1UJlRLMzI2MT1UJlRLMzI2Mz1UJlRLM
zY3OD1UJlRLMzY4MD1UJlRLMzY4MT1UJlRLMzY4Mz1UJlRLMzc2MD1UJlRLMzc3ND1UJlRLMzc4MT1UJlRLMzc5NT1UJlRLMzgwMD1UJlRLMzgwOT1UJlRLMzgxMT1UJlRLMzgxMj1UJlRLMzgyNj1UJlRLMzgyNz1UJlRLMzgyOD1UJlRLMzgzMD
1UJlRLMzgzMT1UJlRLMzgzNj1UJlRLMzgzOD1UJlRLMzgzOT1UJlRLMzg0Mj1UJlRLMzg0OT1UJlRLMzg1MD1UJlRLMzg1ND1UJlRLMzg1Nj1UJlRLMzg1Nz1UJlRLMzg1OD1UJlRLMzg1OT1UJlRLMzg2MD1UJlRLMzg2Mj1UJlRLMzg3OT1UJlR
LNDA3Nz1UJlRLNDE2PVQmVEs0MTc9VCZUSzQxOD1UJlRLNDI1PVQmVEs0NTgyPVQmVEs0NTg4PVQmVEs0NTk1PVQmVEs0NjAxPVQmVEs0NjAzPVQmVEs0NjA2PVQmVEs0NjA3PVQmVEs0NjA4PVQmVEs0NjA5PVQmVEs0NjE3PVQmVFgxMjM2PVQm
VFgxMzAxPVQmVFgxNzQzPVQmVFgxOTc9VCZUWDE5OT1UJlRYMjA4Mz1UJlRYMjE3PVQmVFgyMjY9VCZUWDIzMD1UJlRYMjM1PVQmVFgyMzc9VCZUWDI0Nz1UJlRYMjY5OD1UJlRYMjg0Mz1UJlRYMjg2PVQmVFgyODc9VCZUWDI5MT1UJlRYMjkyP
VQmVFgzMDU3PVQmVFg0MzAyPVQmVFg1NDk9VCZUWDU1Mj1UJlRYNTU0PVQmVFg1NTU9VCZUWDU1Nj1UJlRYNTU3PVQmVFg1NTk9VCZUWTMwNzk1PVQmVzE3MT1ZJloxPUcmWjEwND1FJloxMjk9WSZaMTMwPVkmWjEzMT01MjEmWjE0Nz1ZJloyNj
1BJloyNz1JJlozPUgmWjMwPVkmWjMzPVkmWjM3PUYmWjM4PUYmWjU0PVkmWjYxPTMmWjcxPTMmIEhUVFAvMS4xDQpIb3N0OiBkcG0uZGVtZGV4Lm5ldA0KUHJveHktQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS8
1LjAgKFdpbmRvd3MgTlQgNi4xOyBXT1c2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzUyLjAuMjc0My4xMTYgU2FmYXJpLzUzNy4zNg0KQWNjZXB0OiBpbWFnZS93ZWJwLGltYWdlLyosKi8qO3E9MC44
DQpSZWZlcmVyOiBodHRwOi8vbmV4YWMuZGVtZGV4Lm5ldC9uZXhhYy5odG1sP25hX2RhOlIxMT0yNTAwNHxSNj0yNXxTNjM2ND1IfFQxMDAzNT1UfFQxMDAzNz1UfFQxMDUzND1UfFQxMTA4MD1UfFQxMTc0MD1UfFQxMTc1MT1UfFQxMTkzMj1Uf
FQxMTkzNT1UfFQxMTkzNj1UfFQxMTkzNz1UfFQxMTk0MT1UfFQxNjE4ND1UfFQxNjE4Nz1UfFQxNjE5MT1UfFQxNjE5NT1UfFQxNjIyMT1UfFQxNjIyNT1UfFQxNjIyNj1UfFQxNjIyNz1UfFQxNjIyOT1UfFQxNjI1MD1UfFQxODU0MT1UfFQxOD
U0NT1UfFQxODU0Nj1UfFQxODU0OD1UfFQxODU1MD1UfFQxODU3MD1UfFQxODU3NT1UfFQxODU3OD1UfFQxODU3OT1UfFQxOTE1OT1UfFQxOTE2ND1UfFQxOTE2Nj1UfFQyMDQxOT1UfFQyMjE1OT1UfFQyNDYxOT1UfFQ5NDk2PVR8VDk0OTg9VHx
UOTQ5OT1UfFQ5NTAyPVR8VDk1MDQ9VHxUOTUwNT1UfFQ5NTA2PVR8VDk1MTY9VHxUOTUxNz1UfFQ5NTE5PVR8VDk1MjI9VHxUOTUyNT1UfFQ5NTI3PVR8VDk1Mjg9VHxUOTUyOT1UfFQ5NTMyPVR8VDk1Mzc9VHxUOTUzOD1UfFQ5NTM5PVR8VDk1
NjA=","payload_printable":"GET http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:288|data:R11=25004&R6=25&S6364=H&T10035=T&T10037=T&T10534=T&T11080=T&T11740=T&T11751=T&T11932=T&T11935=T&T
11936=T&T11937=T&T11941=T&T16184=T&T16187=T&T16191=T&T16195=T&T16221=T&T16225=T&T16226=T&T16227=T&T16229=T&T16250=T&T18541=T&T18545=T&T18546=T&T18548=T&T18550=T&T18570=T&T18575=T&T18578
=T&T18579=T&T19159=T&T19164=T&T19166=T&T20419=T&T22159=T&T24619=T&T9496=T&T9498=T&T9499=T&T9502=T&T9504=T&T9505=T&T9506=T&T9516=T&T9517=T&T9519=T&T9522=T&T9525=T&T9527=T&T9528=T&T9529=T
&T9532=T&T9537=T&T9538=T&T9539=T&T9560=T&TA10253=T&TA10254=T&TA10257=T&TA10258=T&TA10259=T&TA10260=T&TA10263=T&TA10331=T&TA1518=T&TA1519=T&TA1520=T&TA1522=T&TA1525=T&TA1527=T&TA1900=T&T
A1901=T&TA2249=T&TA2290=T&TA2291=T&TA2292=T&TA2296=T&TA2583=T&TA3801=T&TA3817=T&TA3820=T&TA3821=T&TA3822=T&TA3823=T&TA3824=T&TA3825=T&TK1787=T&TK1788=T&TK1789=T&TK1791=T&TK1792=T&TK1793
=T&TK1794=T&TK1795=T&TK1797=T&TK1799=T&TK1800=T&TK1801=T&TK1804=T&TK1805=T&TK2756=T&TK2759=T&TK2760=T&TK2761=T&TK2762=T&TK2763=T&TK3254=T&TK3255=T&TK3256=T&TK3261=T&TK3263=T&TK3678=T&TK
3680=T&TK3681=T&TK3683=T&TK3760=T&TK3774=T&TK3781=T&TK3795=T&TK3800=T&TK3809=T&TK3811=T&TK3812=T&TK3826=T&TK3827=T&TK3828=T&TK3830=T&TK3831=T&TK3836=T&TK3838=T&TK3839=T&TK3842=T&TK3849=
T&TK3850=T&TK3854=T&TK3856=T&TK3857=T&TK3858=T&TK3859=T&TK3860=T&TK3862=T&TK3879=T&TK4077=T&TK416=T&TK417=T&TK418=T&TK425=T&TK4582=T&TK4588=T&TK4595=T&TK4601=T&TK4603=T&TK4606=T&TK4607=
T&TK4608=T&TK4609=T&TK4617=T&TX1236=T&TX1301=T&TX1743=T&TX197=T&TX199=T&TX2083=T&TX217=T&TX226=T&TX230=T&TX235=T&TX237=T&TX247=T&TX2698=T&TX2843=T&TX286=T&TX287=T&TX291=T&TX292=T&TX3057
=T&TX4302=T&TX549=T&TX552=T&TX554=T&TX555=T&TX556=T&TX557=T&TX559=T&TY30795=T&W171=Y&Z1=G&Z104=E&Z129=Y&Z130=Y&Z131=521&Z147=Y&Z26=A&Z27=I&Z3=H&Z30=Y&Z33=Y&Z37=F&Z38=F&Z54=Y&Z61=3&Z71=3
& HTTP\/1.1\r\nHost: dpm.demdex.net\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Saf
ari\/537.36\r\nAccept: image\/webp,image\/*,*\/*;q=0.8\r\nReferer: http:\/\/nexac.demdex.net\/nexac.html?na_da:R11=25004|R6=25|S6364=H|T10035=T|T10037=T|T10534=T|T11080=T|T11740=T|T1175
1=T|T11932=T|T11935=T|T11936=T|T11937=T|T11941=T|T16184=T|T16187=T|T16191=T|T16195=T|T16221=T|T16225=T|T16226=T|T16227=T|T16229=T|T16250=T|T18541=T|T18545=T|T18546=T|T18548=T|T18550=T|T
18570=T|T18575=T|T18578=T|T18579=T|T19159=T|T19164=T|T19166=T|T20419=T|T22159=T|T24619=T|T9496=T|T9498=T|T9499=T|T9502=T|T9504=T|T9505=T|T9506=T|T9516=T|T9517=T|T9519=T|T9522=T|T9525=T|
T9527=T|T9528=T|T9529=T|T9532=T|T9537=T|T9538=T|T9539=T|T9560","stream":1,"packet":"ANCDCYIAACPpV3AiCABFAAU8TKtAAHkGavGhhmX+oYacFNZ6AFT3iXI+KSmcY1AQAQJk4AAAPVR8VEExMDI1Mz1UfFRBMTAyNTQ9V
HxUQTEwMjU3PVR8VEExMDI1OD1UfFRBMTAyNTk9VHxUQTEwMjYwPVR8VEExMDI2Mz1UfFRBMTAzMzE9VHxUQTE1MTg9VHxUQTE1MTk9VHxUQTE1MjA9VHxUQTE1MjI9VHxUQTE1MjU9VHxUQTE1Mjc9VHxUQTE5MDA9VHxUQTE5MDE9VHxUQTIyND
k9VHxUQTIyOTA9VHxUQTIyOTE9VHxUQTIyOTI9VHxUQTIyOTY9VHxUQTI1ODM9VHxUQTM4MDE9VHxUQTM4MTc9VHxUQTM4MjA9VHxUQTM4MjE9VHxUQTM4MjI9VHxUQTM4MjM9VHxUQTM4MjQ9VHxUQTM4MjU9VHxUSzE3ODc9VHxUSzE3ODg9VHx
USzE3ODk9VHxUSzE3OTE9VHxUSzE3OTI9VHxUSzE3OTM9VHxUSzE3OTQ9VHxUSzE3OTU9VHxUSzE3OTc9VHxUSzE3OTk9VHxUSzE4MDA9VHxUSzE4MDE9VHxUSzE4MDQ9VHxUSzE4MDU9VHxUSzI3NTY9VHxUSzI3NTk9VHxUSzI3NjA9VHxUSzI3
NjE9VHxUSzI3NjI9VHxUSzI3NjM9VHxUSzMyNTQ9VHxUSzMyNTU9VHxUSzMyNTY9VHxUSzMyNjE9VHxUSzMyNjM9VHxUSzM2Nzg9VHxUSzM2ODA9VHxUSzM2ODE9VHxUSzM2ODM9VHxUSzM3NjA9VHxUSzM3NzQ9VHxUSzM3ODE9VHxUSzM3OTU9V
HxUSzM4MDA9VHxUSzM4MDk9VHxUSzM4MTE9VHxUSzM4MTI9VHxUSzM4MjY9VHxUSzM4Mjc9VHxUSzM4Mjg9VHxUSzM4MzA9VHxUSzM4MzE9VHxUSzM4MzY9VHxUSzM4Mzg9VHxUSzM4Mzk9VHxUSzM4NDI9VHxUSzM4NDk9VHxUSzM4NTA9VHxUSz
M4NTQ9VHxUSzM4NTY9VHxUSzM4NTc9VHxUSzM4NTg9VHxUSzM4NTk9VHxUSzM4NjA9VHxUSzM4NjI9VHxUSzM4Nzk9VHxUSzQwNzc9VHxUSzQxNj1UfFRLNDE3PVR8VEs0MTg9VHxUSzQyNT1UfFRLNDU4Mj1UfFRLNDU4OD1UfFRLNDU5NT1UfFR
LNDYwMT1UfFRLNDYwMz1UfFRLNDYwNj1UfFRLNDYwNz1UfFRLNDYwOD1UfFRLNDYwOT1UfFRLNDYxNz1UfFRYMTIzNj1UfFRYMTMwMT1UfFRYMTc0Mz1UfFRYMTk3PVR8VFgxOTk9VHxUWDIwODM9VHxUWDIxNz1UfFRYMjI2PVR8VFgyMzA9VHxU
WDIzNT1UfFRYMjM3PVR8VFgyNDc9VHxUWDI2OTg9VHxUWDI4NDM9VHxUWDI4Nj1UfFRYMjg3PVR8VFgyOTE9VHxUWDI5Mj1UfFRYMzA1Nz1UfFRYNDMwMj1UfFRYNTQ5PVR8VFg1NTI9VHxUWDU1ND1UfFRYNTU1PVR8VFg1NTY9VHxUWDU1Nz1Uf
FRYNTU5PVR8VFkzMDc5NT1UfFcxNzE9WXxaMT1HfFoxMDQ9RXxaMTI5PVl8WjEzMD1ZfFoxMzE9NTIxfFoxNDc9WXxaMjY9QXxaMjc9SXxaMz1IfFozMD1ZfFozMz1ZfFozNz1GfFozOD1GfFo1ND1ZfFo2MT0zfFo3MT0zfA0KQWNjZXB0LUVuY2
9kaW5nOiBnemlwLCBkZWZsYXRlLCBzZGNoDQpBYw==","packet_info":{"linktype":1}}
3.1.1
{"timestamp":"2016-08-24T16:55:41.151006+0200","flow_id":3942636908,"pcap_cnt":12,"event_type":"http","src_ip":"161.134.101.254","src_port":54906,"dest_ip":"161.134.156.20","dest_port":
84,"proto":"TCP","tx_id":0,"http":{"hostname":"dpm.demdex.net","url":"http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:22|data:company_size=xlarge&seniority=non_management&location=us&gr
oup=business_professional&industry=finance&industry=finance_investing_banking&industry=healthcare&industry=healthcare_medical_offices&industry=manufacturing&industry=manufacturing_metal
s","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36","http_content_type":"image\/jpeg","accept":"imag
e\/webp,image\/*,*\/*;q=0.8","accept_encoding":"gzip, deflate, sdch","accept_language":"en-US,en;q=0.8","cookie":"demdex=12163784947978936081308196091324353359; dpm=12163784947978936081
308196091324353359; DSTJS=\"\"; DPM=288-2371:376496&377254&376493&376492&376491&1849017&377249&611053&1849019&1849014&450319&377024&1849016&376759&1849015&611048&376512&62374&450325&623
75&376508&62370&376505&62372&376503&376504&62383&611063&376499&611064&376498&376526&376528&376527&1849053&376522&376521&1849050&1308057&1849047&376520&377054&1141068&1141069&376513&3765
16&376515&1141072&1141074&1317289&376537&1141078&1141079&376533&1317282&376534&376536&376532&62410&62322&62325&62330&377208&62313&62675&62354&62353&450341&450343&450346&450345&62367&450
351&377233&450354&62337&377243&1339348&62740&62751&62726&62483&1339338&62734&1162254&62729&62711&377168&377167&377164&62297&62298&377158&62719&377159&62713&1265072&62444&610975&377156&3
77155&62455&62282&62692&62281&62280&62702&62461&610959&610960&62460&376562&1135143&1135142&1849057&67220&1135152&377058&1135150&1135147&611004&1135159&376546&610982&377081&396845&113515
5&1135153&377102&377103&611038&611034&377096&377095&377113&611013&377322&611012&377317&377106&377107&377112&611018|22-2770:61986&61682&61859&61796&61846&61848&61834&61837&61997&61871|21
-2790:; DST=\"\"; nexac=1; dextp=2600-1-1426179150928|615-1-1429708381373|1329-1-1432153697951|1291-1-1442339565499|1177-1-1443024230501|1957-1-1443024230536|601-1-1444327205520|22052-1
-1444327205551|6894-1-1446047192708|60-1-1448387501151|640-1-1451581074715|19360-1-1453902309669|618-1-1456864682557|992-1-1459522936997|1760-1-1460394608314|47434-1-1461254120761|470-1
-1462390838142|28645-1-1462390838170|772-1-1466182646546|544-1-1466182646563|445-1-1468443481242|11289-1-1470160121706|782-1-1470160122012|1342-1-1470160122226|20-1-1470160122243|22-2-1
470160122311|11601-1-1471639170445|352-1-1471873732966|843-1-1471873732994|30646-1-1471873733024|2340-1-1471873733039|82530-1-1471873733054|269-1-1471874183650|21-2-1471874183683|1123-1
-1471874183716|1127-1-1471874183731|1121-1-1471874183747|903-1-1471874183764|1175-1-1471874183780|6835-1-1471874183795|13870-1-1471874183810|22053-1-1471874183825|420-1-1471885709180|35
8-1-1471885709193|477-1-1471885709233|282-1-1471886535864|375-1-1471886535933|359-1-1471886535950|411-1-1471886535976|416-1-1471886536006|832-1-1471886536082|1083-1-1471886536097|1084-1
-1471886536113|1085-1-1471886536128|1086-1-1471886536144|1087-1-1471886536158|1088-1-1471886536175|19913-1-1471886536204|83349-1-1471886536219|3-1-1471949996372|481-1-1471949996379|771-
1-1471949996392|19566-1-1471949996408|540-1-1471962578365|targus-1472050540100|mm-1472050540111|ex-1472050540119|acx-1472050540125|addthis-1472050540130|rubicon-1472050540142|vid-147205
0540144|tapad-1472050540147; bizo=1","connection":"Keep-Alive","content_length":"308","content_type":"image\/jpeg","date":"Wed, 24 Aug 2016 14:55:41 GMT","set_cookie":"DPM=288-2371:3764
96&377254&376493&376492&376491&1849017&377249&611053&1849019&1849014&450319&377024&1849016&376759&1849015&611048&376512&62374&450325&62375&376508&62370&376505&62372&376503&376504&62383&
611063&376499&611064&376498&376526&376528&376527&1849053&376522&376521&1849050&1308057&1849047&376520&377054&1141068&1141069&376513&376516&376515&1141072&1141074&1317289&376537&1141078&
1141079&376533&1317282&376534&376536&376532&62410&62322&62325&62330&377208&62313&62675&62354&62353&450341&450343&450346&450345&62367&450351&377233&450354&62337&377243&1339348&62740&6275
1&62726&62483&1339338&62734&1162254&62729&62711&377168&377167&377164&62297&62298&377158&62719&377159&62713&1265072&62444&610975&377156&377155&62455&62282&62692&62281&62280&62702&62461&6
10959&610960&62460&376562&1135143&1135142&1849057&67220&1135152&377058&1135150&1135147&611004&1135159&376546&610982&377081&396845&1135155&1135153&377102&377103&611038&611034&377096&3770
95&377113&611013&377322&611012&377317&377106&377107&377112&611018|21-2790:|22-2792:61986&61682&61859&61796&61846&61848&61834&61837&61997&61871;Path=\/;Domain=.demdex.net;Expires=Fri, 24
-Aug-2018 14:55:41 GMT","http_refer":"http:\/\/fast.mtvn.demdex.net\/DSD-gz\/mtvn-dest.html?targus=1&targusvalidttl=14400&bizo=1&bizovalidttl=14400&nexac=1&nexacvalidttl=14400&acx=1&acx
validttl=14400&addthis=1&addthisvalidttl=14400&is_exelate=1&exvalidttl=302400&is_mediamath=1&mmvalidttl=10080&rubicon=1&rubiconvalidttl=14400&tapad=1&tapadvalidttl=20160&vid=1&vidvalidt
tl=10080&qtct=1&qtctvalidttl=20160","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":308}}
{"timestamp":"2016-08-24T16:55:41.340129+0200","flow_id":3942636908,"pcap_cnt":16,"event_type":"alert","src_ip":"161.134.101.254","src_port":54906,"dest_ip":"161.134.156.20","dest_port"
:84,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2814364,"rev":3,"signature":"ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI","category":"A
Network Trojan was Detected","severity":1},"http":{"url":"http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:288|data:R11=25004&R6=25&S6364=H&T10035=T&T10037=T&T10534=T&T11080=T&T11740=T&T
11751=T&T11932=T&T11935=T&T11936=T&T11937=T&T11941=T&T16184=T&T16187=T&T16191=T&T16195=T&T16221=T&T16225=T&T16226=T&T16227=T&T16229=T&T16250=T&T18541=T&T18545=T&T18546=T&T18548=T&T18550
=T&T18570=T&T18575=T&T18578=T&T18579=T&T19159=T&T19164=T&T19166=T&T20419=T&T22159=T&T24619=T&T9496=T&T9498=T&T9499=T&T9502=T&T9504=T&T9505=T&T9506=T&T9516=T&T9517=T&T9519=T&T9522=T&T952
5=T&T9527=T&T9528=T&T9529=T&T9532=T&T9537=T&T9538=T&T9539=T&T9560=T&TA10253=T&TA10254=T&TA10257=T&TA10258=T&TA10259=T&TA10260=T&TA10263=T&TA10331=T&TA1518=T&TA1519=T&TA1520=T&TA1522=T&T
A1525=T&TA1527=T&TA1900=T&TA1901=T&TA2249=T&TA2290=T&TA2291=T&TA2292=T&TA2296=T&TA2583=T&TA3801=T&TA3817=T&TA3820=T&TA3821=T&TA3822=T&TA3823=T&TA3824=T&TA3825=T&TK1787=T&TK1788=T&TK1789
=T&TK1791=T&TK1792=T&TK1793=T&TK1794=T&TK1795=T&TK1797=T&TK1799=T&TK1800=T&TK1801=T&TK1804=T&TK1805=T&TK2756=T&TK2759=T&TK2760=T&TK2761=T&TK2762=T&TK2763=T&TK3254=T&TK3255=T&TK3256=T&TK
3261=T&TK3263=T&TK3678=T&TK3680=T&TK3681=T&TK3683=T&TK3760=T&TK3774=T&TK3781=T&TK3795=T&TK3800=T&TK3809=T&TK3811=T&TK3812=T&TK3826=T&TK3827=T&TK3828=T&TK3830=T&TK3831=T&TK3836=T&TK3838=
T&TK3839=T&TK3842=T&TK3849=T&TK3850=T&TK3854=T&TK3856=T&TK3857=T&TK3858=T&TK3859=T&TK3860=T&TK3862=T&TK3879=T&TK4077=T&TK416=T&TK417=T&TK418=T&TK425=T&TK4582=T&TK4588=T&TK4595=T&TK4601=
T&TK4603=T&TK4606=T&TK4607=T&TK4608=T&TK4609=T&TK4617=T&TX1236=T&TX1301=T&TX1743=T&TX197=T&TX199=T&TX2083=T&TX217=T&TX226=T&TX230=T&TX235=T&TX237=T&TX247=T&TX2698=T&TX2843=T&TX286=T&TX2
87=T&TX291=T&TX292=T&TX3057=T&TX4302=T&TX549=T&TX552=T&TX554=T&TX555=T&TX556=T&TX557=T&TX559=T&TY30795=T&W171=Y&Z1=G&Z104=E&Z129=Y&Z130=Y&Z131=521&Z147=Y&Z26=A&Z27=I&Z3=H&Z30=Y&Z33=Y&Z3
7=F&Z38=F&Z54=Y&Z61=3&Z71=3&","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36","http_method":"GET","
protocol":"HTTP\/1.1","length":0},"payload":"R0VUIGh0dHA6Ly9kcG0uZGVtZGV4Lm5ldC9kZW1kb3QuanBnP2V0OmRwbXxkcGlkOjI4OHxkYXRhOlIxMT0yNTAwNCZSNj0yNSZTNjM2ND1IJlQxMDAzNT1UJlQxMDAzNz1UJlQxMDUz
ND1UJlQxMTA4MD1UJlQxMTc0MD1UJlQxMTc1MT1UJlQxMTkzMj1UJlQxMTkzNT1UJlQxMTkzNj1UJlQxMTkzNz1UJlQxMTk0MT1UJlQxNjE4ND1UJlQxNjE4Nz1UJlQxNjE5MT1UJlQxNjE5NT1UJlQxNjIyMT1UJlQxNjIyNT1UJlQxNjIyNj1UJ
lQxNjIyNz1UJlQxNjIyOT1UJlQxNjI1MD1UJlQxODU0MT1UJlQxODU0NT1UJlQxODU0Nj1UJlQxODU0OD1UJlQxODU1MD1UJlQxODU3MD1UJlQxODU3NT1UJlQxODU3OD1UJlQxODU3OT1UJlQxOTE1OT1UJlQxOTE2ND1UJlQxOTE2Nj1UJlQyMD
QxOT1UJlQyMjE1OT1UJlQyNDYxOT1UJlQ5NDk2PVQmVDk0OTg9VCZUOTQ5OT1UJlQ5NTAyPVQmVDk1MDQ9VCZUOTUwNT1UJlQ5NTA2PVQmVDk1MTY9VCZUOTUxNz1UJlQ5NTE5PVQmVDk1MjI9VCZUOTUyNT1UJlQ5NTI3PVQmVDk1Mjg9VCZUOTU
yOT1UJlQ5NTMyPVQmVDk1Mzc9VCZUOTUzOD1UJlQ5NTM5PVQmVDk1NjA9VCZUQTEwMjUzPVQmVEExMDI1ND1UJlRBMTAyNTc9VCZUQTEwMjU4PVQmVEExMDI1OT1UJlRBMTAyNjA9VCZUQTEwMjYzPVQmVEExMDMzMT1UJlRBMTUxOD1UJlRBMTUx
OT1UJlRBMTUyMD1UJlRBMTUyMj1UJlRBMTUyNT1UJlRBMTUyNz1UJlRBMTkwMD1UJlRBMTkwMT1UJlRBMjI0OT1UJlRBMjI5MD1UJlRBMjI5MT1UJlRBMjI5Mj1UJlRBMjI5Nj1UJlRBMjU4Mz1UJlRBMzgwMT1UJlRBMzgxNz1UJlRBMzgyMD1UJ
lRBMzgyMT1UJlRBMzgyMj1UJlRBMzgyMz1UJlRBMzgyND1UJlRBMzgyNT1UJlRLMTc4Nz1UJlRLMTc4OD1UJlRLMTc4OT1UJlRLMTc5MT1UJlRLMTc5Mj1UJlRLMTc5Mz1UJlRLMTc5ND1UJlRLMTc5NT1UJlRLMTc5Nz1UJlRLMTc5OT1UJlRLMT
gwMD1UJlRLMTgwMT1UJlRLMTgwND1UJlRLMTgwNT1UJlRLMjc1Nj1UJlRLMjc1OT1UJlRLMjc2MD1UJlRLMjc2MT1UJlRLMjc2Mj1UJlRLMjc2Mz1UJlRLMzI1ND1UJlRLMzI1NT1UJlRLMzI1Nj1UJlRLMzI2MT1UJlRLMzI2Mz1UJlRLMzY3OD1
UJlRLMzY4MD1UJlRLMzY4MT1UJlRLMzY4Mz1UJlRLMzc2MD1UJlRLMzc3ND1UJlRLMzc4MT1UJlRLMzc5NT1UJlRLMzgwMD1UJlRLMzgwOT1UJlRLMzgxMT1UJlRLMzgxMj1UJlRLMzgyNj1UJlRLMzgyNz1UJlRLMzgyOD1UJlRLMzgzMD1UJlRL
MzgzMT1UJlRLMzgzNj1UJlRLMzgzOD1UJlRLMzgzOT1UJlRLMzg0Mj1UJlRLMzg0OT1UJlRLMzg1MD1UJlRLMzg1ND1UJlRLMzg1Nj1UJlRLMzg1Nz1UJlRLMzg1OD1UJlRLMzg1OT1UJlRLMzg2MD1UJlRLMzg2Mj1UJlRLMzg3OT1UJlRLNDA3N
z1UJlRLNDE2PVQmVEs0MTc9VCZUSzQxOD1UJlRLNDI1PVQmVEs0NTgyPVQmVEs0NTg4PVQmVEs0NTk1PVQmVEs0NjAxPVQmVEs0NjAzPVQmVEs0NjA2PVQmVEs0NjA3PVQmVEs0NjA4PVQmVEs0NjA5PVQmVEs0NjE3PVQmVFgxMjM2PVQmVFgxMz
AxPVQmVFgxNzQzPVQmVFgxOTc9VCZUWDE5OT1UJlRYMjA4Mz1UJlRYMjE3PVQmVFgyMjY9VCZUWDIzMD1UJlRYMjM1PVQmVFgyMzc9VCZUWDI0Nz1UJlRYMjY5OD1UJlRYMjg0Mz1UJlRYMjg2PVQmVFgyODc9VCZUWDI5MT1UJlRYMjkyPVQmVFg
zMDU3PVQmVFg0MzAyPVQmVFg1NDk9VCZUWDU1Mj1UJlRYNTU0PVQmVFg1NTU9VCZUWDU1Nj1UJlRYNTU3PVQmVFg1NTk9VCZUWTMwNzk1PVQmVzE3MT1ZJloxPUcmWjEwND1FJloxMjk9WSZaMTMwPVkmWjEzMT01MjEmWjE0Nz1ZJloyNj1BJloy
Nz1JJlozPUgmWjMwPVkmWjMzPVkmWjM3PUYmWjM4PUYmWjU0PVkmWjYxPTMmWjcxPTMmIEhUVFAvMS4xDQpIb3N0OiBkcG0uZGVtZGV4Lm5ldA0KUHJveHktQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgK
FdpbmRvd3MgTlQgNi4xOyBXT1c2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzUyLjAuMjc0My4xMTYgU2FmYXJpLzUzNy4zNg0KQWNjZXB0OiBpbWFnZS93ZWJwLGltYWdlLyosKi8qO3E9MC44DQpSZW
ZlcmVyOiBodHRwOi8vbmV4YWMuZGVtZGV4Lm5ldC9uZXhhYy5odG1sP25hX2RhOlIxMT0yNTAwNHxSNj0yNXxTNjM2ND1IfFQxMDAzNT1UfFQxMDAzNz1UfFQxMDUzND1UfFQxMTA4MD1UfFQxMTc0MD1UfFQxMTc1MT1UfFQxMTkzMj1UfFQxMTk
zNT1UfFQxMTkzNj1UfFQxMTkzNz1UfFQxMTk0MT1UfFQxNjE4ND1UfFQxNjE4Nz1UfFQxNjE5MT1UfFQxNjE5NT1UfFQxNjIyMT1UfFQxNjIyNT1UfFQxNjIyNj1UfFQxNjIyNz1UfFQxNjIyOT1UfFQxNjI1MD1UfFQxODU0MT1UfFQxODU0NT1U
fFQxODU0Nj1UfFQxODU0OD1UfFQxODU1MD1UfFQxODU3MD1UfFQxODU3NT1UfFQxODU3OD1UfFQxODU3OT1UfFQxOTE1OT1UfFQxOTE2ND1UfFQxOTE2Nj1UfFQyMDQxOT1UfFQyMjE1OT1UfFQyNDYxOT1UfFQ5NDk2PVR8VDk0OTg9VHxUOTQ5O
T1UfFQ5NTAyPVR8VDk1MDQ9VHxUOTUwNT1UfFQ5NTA2PVR8VDk1MTY9VHxUOTUxNz1UfFQ5NTE5PVR8VDk1MjI9VHxUOTUyNT1UfFQ5NTI3PVR8VDk1Mjg9VHxUOTUyOT1UfFQ5NTMyPVR8VDk1Mzc9VHxUOTUzOD1UfFQ5NTM5PVR8VDk1NjA=",
"payload_printable":"GET http:\/\/dpm.demdex.net\/demdot.jpg?et:dpm|dpid:288|data:R11=25004&R6=25&S6364=H&T10035=T&T10037=T&T10534=T&T11080=T&T11740=T&T11751=T&T11932=T&T11935=T&T11936=
T&T11937=T&T11941=T&T16184=T&T16187=T&T16191=T&T16195=T&T16221=T&T16225=T&T16226=T&T16227=T&T16229=T&T16250=T&T18541=T&T18545=T&T18546=T&T18548=T&T18550=T&T18570=T&T18575=T&T18578=T&T18
579=T&T19159=T&T19164=T&T19166=T&T20419=T&T22159=T&T24619=T&T9496=T&T9498=T&T9499=T&T9502=T&T9504=T&T9505=T&T9506=T&T9516=T&T9517=T&T9519=T&T9522=T&T9525=T&T9527=T&T9528=T&T9529=T&T9532
=T&T9537=T&T9538=T&T9539=T&T9560=T&TA10253=T&TA10254=T&TA10257=T&TA10258=T&TA10259=T&TA10260=T&TA10263=T&TA10331=T&TA1518=T&TA1519=T&TA1520=T&TA1522=T&TA1525=T&TA1527=T&TA1900=T&TA1901=
T&TA2249=T&TA2290=T&TA2291=T&TA2292=T&TA2296=T&TA2583=T&TA3801=T&TA3817=T&TA3820=T&TA3821=T&TA3822=T&TA3823=T&TA3824=T&TA3825=T&TK1787=T&TK1788=T&TK1789=T&TK1791=T&TK1792=T&TK1793=T&TK1
794=T&TK1795=T&TK1797=T&TK1799=T&TK1800=T&TK1801=T&TK1804=T&TK1805=T&TK2756=T&TK2759=T&TK2760=T&TK2761=T&TK2762=T&TK2763=T&TK3254=T&TK3255=T&TK3256=T&TK3261=T&TK3263=T&TK3678=T&TK3680=T
&TK3681=T&TK3683=T&TK3760=T&TK3774=T&TK3781=T&TK3795=T&TK3800=T&TK3809=T&TK3811=T&TK3812=T&TK3826=T&TK3827=T&TK3828=T&TK3830=T&TK3831=T&TK3836=T&TK3838=T&TK3839=T&TK3842=T&TK3849=T&TK38
50=T&TK3854=T&TK3856=T&TK3857=T&TK3858=T&TK3859=T&TK3860=T&TK3862=T&TK3879=T&TK4077=T&TK416=T&TK417=T&TK418=T&TK425=T&TK4582=T&TK4588=T&TK4595=T&TK4601=T&TK4603=T&TK4606=T&TK4607=T&TK46
08=T&TK4609=T&TK4617=T&TX1236=T&TX1301=T&TX1743=T&TX197=T&TX199=T&TX2083=T&TX217=T&TX226=T&TX230=T&TX235=T&TX237=T&TX247=T&TX2698=T&TX2843=T&TX286=T&TX287=T&TX291=T&TX292=T&TX3057=T&TX4
302=T&TX549=T&TX552=T&TX554=T&TX555=T&TX556=T&TX557=T&TX559=T&TY30795=T&W171=Y&Z1=G&Z104=E&Z129=Y&Z130=Y&Z131=521&Z147=Y&Z26=A&Z27=I&Z3=H&Z30=Y&Z33=Y&Z37=F&Z38=F&Z54=Y&Z61=3&Z71=3& HTTP
\/1.1\r\nHost: dpm.demdex.net\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/5
37.36\r\nAccept: image\/webp,image\/*,*\/*;q=0.8\r\nReferer: http:\/\/nexac.demdex.net\/nexac.html?na_da:R11=25004|R6=25|S6364=H|T10035=T|T10037=T|T10534=T|T11080=T|T11740=T|T11751=T|T1
1932=T|T11935=T|T11936=T|T11937=T|T11941=T|T16184=T|T16187=T|T16191=T|T16195=T|T16221=T|T16225=T|T16226=T|T16227=T|T16229=T|T16250=T|T18541=T|T18545=T|T18546=T|T18548=T|T18550=T|T18570=
T|T18575=T|T18578=T|T18579=T|T19159=T|T19164=T|T19166=T|T20419=T|T22159=T|T24619=T|T9496=T|T9498=T|T9499=T|T9502=T|T9504=T|T9505=T|T9506=T|T9516=T|T9517=T|T9519=T|T9522=T|T9525=T|T9527=
T|T9528=T|T9529=T|T9532=T|T9537=T|T9538=T|T9539=T|T9560","stream":1,"packet":"ANCDCYIAACPpV3AiCABFAAU8TKtAAHkGavGhhmX+oYacFNZ6AFT3iXI+KSmcY1AQAQJk4AAAPVR8VEExMDI1Mz1UfFRBMTAyNTQ9VHxUQTE
wMjU3PVR8VEExMDI1OD1UfFRBMTAyNTk9VHxUQTEwMjYwPVR8VEExMDI2Mz1UfFRBMTAzMzE9VHxUQTE1MTg9VHxUQTE1MTk9VHxUQTE1MjA9VHxUQTE1MjI9VHxUQTE1MjU9VHxUQTE1Mjc9VHxUQTE5MDA9VHxUQTE5MDE9VHxUQTIyNDk9VHxU
QTIyOTA9VHxUQTIyOTE9VHxUQTIyOTI9VHxUQTIyOTY9VHxUQTI1ODM9VHxUQTM4MDE9VHxUQTM4MTc9VHxUQTM4MjA9VHxUQTM4MjE9VHxUQTM4MjI9VHxUQTM4MjM9VHxUQTM4MjQ9VHxUQTM4MjU9VHxUSzE3ODc9VHxUSzE3ODg9VHxUSzE3O
Dk9VHxUSzE3OTE9VHxUSzE3OTI9VHxUSzE3OTM9VHxUSzE3OTQ9VHxUSzE3OTU9VHxUSzE3OTc9VHxUSzE3OTk9VHxUSzE4MDA9VHxUSzE4MDE9VHxUSzE4MDQ9VHxUSzE4MDU9VHxUSzI3NTY9VHxUSzI3NTk9VHxUSzI3NjA9VHxUSzI3NjE9VH
xUSzI3NjI9VHxUSzI3NjM9VHxUSzMyNTQ9VHxUSzMyNTU9VHxUSzMyNTY9VHxUSzMyNjE9VHxUSzMyNjM9VHxUSzM2Nzg9VHxUSzM2ODA9VHxUSzM2ODE9VHxUSzM2ODM9VHxUSzM3NjA9VHxUSzM3NzQ9VHxUSzM3ODE9VHxUSzM3OTU9VHxUSzM
4MDA9VHxUSzM4MDk9VHxUSzM4MTE9VHxUSzM4MTI9VHxUSzM4MjY9VHxUSzM4Mjc9VHxUSzM4Mjg9VHxUSzM4MzA9VHxUSzM4MzE9VHxUSzM4MzY9VHxUSzM4Mzg9VHxUSzM4Mzk9VHxUSzM4NDI9VHxUSzM4NDk9VHxUSzM4NTA9VHxUSzM4NTQ9
VHxUSzM4NTY9VHxUSzM4NTc9VHxUSzM4NTg9VHxUSzM4NTk9VHxUSzM4NjA9VHxUSzM4NjI9VHxUSzM4Nzk9VHxUSzQwNzc9VHxUSzQxNj1UfFRLNDE3PVR8VEs0MTg9VHxUSzQyNT1UfFRLNDU4Mj1UfFRLNDU4OD1UfFRLNDU5NT1UfFRLNDYwM
T1UfFRLNDYwMz1UfFRLNDYwNj1UfFRLNDYwNz1UfFRLNDYwOD1UfFRLNDYwOT1UfFRLNDYxNz1UfFRYMTIzNj1UfFRYMTMwMT1UfFRYMTc0Mz1UfFRYMTk3PVR8VFgxOTk9VHxUWDIwODM9VHxUWDIxNz1UfFRYMjI2PVR8VFgyMzA9VHxUWDIzNT
1UfFRYMjM3PVR8VFgyNDc9VHxUWDI2OTg9VHxUWDI4NDM9VHxUWDI4Nj1UfFRYMjg3PVR8VFgyOTE9VHxUWDI5Mj1UfFRYMzA1Nz1UfFRYNDMwMj1UfFRYNTQ5PVR8VFg1NTI9VHxUWDU1ND1UfFRYNTU1PVR8VFg1NTY9VHxUWDU1Nz1UfFRYNTU
5PVR8VFkzMDc5NT1UfFcxNzE9WXxaMT1HfFoxMDQ9RXxaMTI5PVl8WjEzMD1ZfFoxMzE9NTIxfFoxNDc9WXxaMjY9QXxaMjc9SXxaMz1IfFozMD1ZfFozMz1ZfFozNz1GfFozOD1GfFo1ND1ZfFo2MT0zfFo3MT0zfA0KQWNjZXB0LUVuY29kaW5n
OiBnemlwLCBkZWZsYXRlLCBzZGNoDQpBYw=="}
Updated by Josh Lane over 7 years ago
I've run the commands provided for the interface and retested but still have the same behavior, no content in http.hostname or http.hostname.raw fields. Any input is welcomed.
Updated by Jason Ish over 7 years ago
I probably should have told you to turn off the send offloads as well. After doing something like:
ethtool -K ${IF} tso off
ethtool -K ${IF} gro off
ethtool -K ${IF} lro off
ethtool -K ${IF} gso off
ethtool -K ${IF} rx off
ethtool -K ${IF} tx off
ethtool -K ${IF} sg off
ethtool -K ${IF} rxvlan off
ethtool -K ${IF} txvlan off
Can you please provide another pcap so we can verify the TCP checksum is correct.
Thanks.
Updated by Josh Lane over 7 years ago
I've retested with the ethtool changes provided, restarting Suricata 3.1.2 and the result is no http.hostname content. Can you expand on the TCP checksum problem for the PCAP? Thanks.
Updated by Jason Ish over 7 years ago
So what I did was open your pcap in wireshark, right click on the first packet, then "Protocol Preferences", then "Validate the TCP checksum if possible". This will show a few packets with a bad TCP checksum and I am wondering if offloads are getting in the way. It would be useful to know if taking a new pcap after disabling the offloads resolves the bad TCP checksum.
You can also run Suricata with "-k none" which disables checksum validation, doing this with your pcap I get the hostname in all the expected places.
Updated by Jason Ish over 7 years ago
Sorry, upon further inspection, fixing the offloads should fix the checksums in your pcap, but will not fix the hostname showing up in the event.
The actual matching of that rule on the URI may be done before the header is fully parsed, resulting in an alert being logged before all the http information is parsed. I suspect this occurs for this traffic is the URI is so long, and the request being spread across more than a single tcp packet.
Updated by Josh Lane over 7 years ago
We've disabled the lro and gro offload on the interfaces and will capture new pcap for validation this is fixed. Will keep you up to date.
Actions
#11
Updated by Josh Lane over 7 years ago
- File broken.pcap broken.pcap added
- File working.pcap working.pcap added
We have both a working and a non-working pcap after the changes. Any ideas why one works and one is broken? Both were pulled after the interface changes were made for lro and gro off. Thanks.
Updated by Victor Julien about 7 years ago
I don't think this is something we can really address. The URI is inspected as soon as it's available, and we raise the alert also ASAP. We log whatever http fields we have available at that time, which in this case isn't a whole lot. Postponing the alert is not an option.
We recently added support for a per flow 'has alert' flag. Perhaps this could be used to extend the http logger to only log those http flows that raised alerts. It's flow based though, and a single flow can have a lot of http transactions.
Updated by Josh Lane about 7 years ago
What version is this flag added to be used?
Updated by Andreas Herz about 5 years ago
Did you look into this flag as an option?
Updated by Victor Julien almost 5 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
- Assignee deleted (
OISF Dev) - Target version deleted (
TBD)
Flag was added in 4.1.
Actions