Bug #2326: File extraction not properly handling http range requests
Status: Closed
Description
Hi, I have suricata configured to only extract PE file magic but I am getting filemagic of type "data" extracted. The reason appears to be that Suricata extracts and stores segments separately when an exe is downloaded with an HTTP Range request? I would expect Suri to record this as a PE filemagic type and for the Size to be the reassembled size of the exe. My libhtp settings are set to defaults.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Filemagic Windows executable"; filemagic:"for MS Windows"; filestore; reference:blah; sid:1000001; rev:1;)
/usr/bin/suricata -V
This is Suricata version 4.0.0 RELEASE
$ cat file.18528.10.meta
TIME: 11/22/2017-19:
SRC IP: 67.24.x.x
DST IP: 192.168.x.x
PROTO: 6
SRC PORT: 80
DST PORT: 54038
APP PROTO: http
HTTP URI: <unknown>
HTTP HOST: <unknown>
HTTP REFERER: <unknown>
HTTP USER AGENT: <unknown>
FILENAME: /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe
MAGIC: data
STATE: CLOSED
SHA256: 70283227118ccca7d589629c0cfd0225ffdc0855a2d78705c80545c641c4754e
SIZE: 36831
$ file file.18528.10
file.18528.10: data
File was downloaded via BITS as a series of segments (there were 6 in total).
Based on the file size in the metadata file, it looks like Suri saved one of the middle segments:
GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=62435-99265
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 36831
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT
First Segment:
GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=0-6266
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 6267
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT
Last Segment seen:
GET /d/msdownload/update/software/defu/2017/11/mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 20 Nov 2017 20:32:23 GMT
Range: bytes=373171-545439
User-Agent: Microsoft BITS/7.5
Host: download.windowsupdate.com
HTTP/1.1 206 Partial Content
Date: Wed, 22 Nov 2017 00:10:40 GMT
Content-Type: application/octet-stream
Content-Length: 172269
Connection: keep-alive
Cache-Control: public,max-age=172800
ETag: "806594ab3e62d31:0"
Expires: Thu, 23 Nov 2017 00:10:43 GMT
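The behaviour described above (each 206 segment stored and magic-checked on its own, so a middle chunk of a PE is classified as "data") can be illustrated with the following added example. It is not Suricata code and not the reporter's; it parses the Range and Content-Length headers of the three exchanges quoted in the report, checks that each segment body is exactly as long as its advertised range, tracks which byte ranges of the object have been seen, and only applies a PE magic check to the reassembled object once coverage is contiguous from offset 0. Segment bodies are constructed placeholders of the advertised length (the page does not contain the file bytes), and all function and class names are this example's own.

```python
"""Track and reassemble HTTP byte-range (206 Partial Content) segments so that
file magic is evaluated on the whole object rather than on each chunk.
Added example; not part of Suricata. Names below are this example's own."""
import re
from typing import Dict, List, Optional, Tuple

RANGE_RE = re.compile(r"bytes=(\d+)-(\d+)")


def header(block: str, name: str) -> Optional[str]:
    """Return the value of header `name` from a raw header block, or None."""
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_range(request_headers: str) -> Optional[Tuple[int, int]]:
    """Extract (first, last) from 'Range: bytes=first-last', or None."""
    m = RANGE_RE.search(header(request_headers, "Range") or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def segment_ok(first: int, last: int, length: int) -> bool:
    """A 206 body for bytes=first-last must be exactly last-first+1 bytes long."""
    return length == last - first + 1


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: the DOS stub starts with 'MZ'. Only meaningful at offset 0,
    which is exactly why a middle segment on its own is reported as 'data'."""
    return data[:2] == b"MZ"


class RangeReassembler:
    """Collects the 206 segments of one URL, keyed by first byte offset."""

    def __init__(self) -> None:
        self.segments: Dict[int, bytes] = {}

    def add(self, request_headers: str, response_headers: str, body: bytes) -> None:
        rng = parse_range(request_headers)
        clen = header(response_headers, "Content-Length")
        if rng is None or clen is None:
            raise ValueError("not a byte-range exchange")
        first, last = rng
        if not segment_ok(first, last, int(clen)) or len(body) != int(clen):
            raise ValueError(f"bytes={first}-{last}: body/Content-Length mismatch")
        self.segments[first] = body

    def coverage(self) -> List[Tuple[int, int]]:
        """Sorted, merged (first, last) intervals seen so far."""
        merged: List[Tuple[int, int]] = []
        for first in sorted(self.segments):
            last = first + len(self.segments[first]) - 1
            if merged and first <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], last))
            else:
                merged.append((first, last))
        return merged

    def gaps(self) -> List[Tuple[int, int]]:
        """Byte ranges lying between covered intervals that were never seen."""
        cov = self.coverage()
        return [(a[1] + 1, b[0] - 1) for a, b in zip(cov, cov[1:])]

    def assemble(self) -> Optional[bytes]:
        """The whole object, or None unless coverage is one interval starting at 0."""
        cov = self.coverage()
        if len(cov) != 1 or cov[0][0] != 0:
            return None
        out = bytearray(cov[0][1] + 1)
        for first, body in self.segments.items():
            out[first:first + len(body)] = body  # overlaps simply overwrite
        return bytes(out)


# Constructed from the three exchanges quoted in the report (URI as on the page).
URI = ("/d/msdownload/update/software/defu/2017/11/"
       "mpsigstub_ad1d024cfd03b65d2085c60d8ac3fcae5fe93133.exe")
REPORTED_SEGMENTS = [(0, 6266), (62435, 99265), (373171, 545439)]


def exchange(first: int, last: int) -> Tuple[str, str]:
    """Build the request/response header blocks for one segment (constructed)."""
    req = (f"GET {URI} HTTP/1.1\r\nRange: bytes={first}-{last}\r\n"
           "User-Agent: Microsoft BITS/7.5\r\nHost: download.windowsupdate.com\r\n")
    resp = ("HTTP/1.1 206 Partial Content\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {last - first + 1}\r\n")
    return req, resp


def reassemble_report() -> RangeReassembler:
    """Feed the three reported segments; bodies are constructed zero-filled placeholders."""
    r = RangeReassembler()
    for first, last in REPORTED_SEGMENTS:
        req, resp = exchange(first, last)
        body = bytearray(last - first + 1)
        if first == 0:
            body[:2] = b"MZ"  # constructed: a real PE begins with the 'MZ' DOS stub
        r.add(req, resp, bytes(body))
    return r


if __name__ == "__main__":
    r = reassemble_report()
    print("coverage:", r.coverage())
    print("gaps never seen:", r.gaps())
    print("middle segment alone looks like PE:", looks_like_pe(r.segments[62435]))
    print("complete object available:", r.assemble() is not None)
```

With only the three segments from the report, the middle chunk (the one whose size matches the 36831-byte extracted file) fails the PE check on its own, and `assemble()` returns None because bytes 6267-62434 and 99266-373170 were never observed; only when every range from offset 0 onward has been captured does the magic check run on a whole object.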
Updated by Victor Julien about 7 years ago
Byte-ranges are not supported yet. See #1576
Updated by Andreas Herz about 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien almost 6 years ago
- Is duplicate of Feature #1576: http: byte-range support added
Updated by Victor Julien almost 6 years ago
- Status changed from New to Closed
- Assignee deleted (Community Ticket)
- Target version deleted (TBD)
Closing as duplicate of #1576