Project

General

Profile

Bug #2326

File extraction not properly handling http range requests

Added by charlie krause over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi, I have suricata configured to only extract PE file magic but I am getting filemagic of type "data" extracted. The reason appears to be that Suricata extracts and stores segments separately when an exe is downloaded with an HTTP Range request? I would expect Suri to record this as a PE filemagic type and for the Size to be the reassembled size of the exe. My libhtp settings are set to defaults.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Filemagic Windows executable"; filemagic:"for MS Windows"; filestore; reference:blah; sid:1000001; rev:1;)

/usr/bin/suricata -V
This is Suricata version 4.0.0 RELEASE

$ cat file.18528.10.meta
TIME: 11/22/2017-19:
SRC IP: 67.24.x.x
DST IP: 192.168.x.x
PROTO: 6
SRC PORT: 80
DST PORT: 54038
APP PROTO: http
HTTP URI: <unknown>
HTTP HOST: <unknown>
HTTP REFERER: <unknown>
HTTP USER AGENT: <unknown>
FILENAME: /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe
MAGIC: data
STATE: CLOSED
SHA256: 70283227118ccca7d589629c0cfd0225ffdc0855a2d78705c80545c641c4754e
SIZE: 36831

$ file file.18528.10
file.18528.10: data

File was downloaded via BITS as a series of segments (were 6 in total):

Based on the file size in the metadata file, looks like Suri saved one of the middle segments:

GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=62435-99265
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 36831
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT

First Segment:

GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=0-6266
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 6267
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT

Last Segment seen:

GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=373171-545439
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 172269
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT


Related issues

Is duplicate of Feature #1576: http: byte-range supportAssignedPhilippe AntoineActions
#1

Updated by Victor Julien over 2 years ago

Byte-ranges are not supported yet. See #1576

#2

Updated by Andreas Herz over 2 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
#3

Updated by Andreas Herz over 1 year ago

  • Assignee set to Community Ticket
#4

Updated by Victor Julien over 1 year ago

#5

Updated by Victor Julien over 1 year ago

  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (TBD)

Closing as duplicate of #1576

Also available in: Atom PDF