
List:       oisf-users
Subject:    Re: [Oisf-users] user agent parsing error
From:       Peter Manev <petermanev () gmail ! com>
Date:       2017-10-07 5:05:30
Message-ID: 89FE972E-3CFF-4A1C-A4CB-5F87A30280EB () gmail ! com



> On 6 Oct 2017, at 18:36, erik clark <philosnef@gmail.com> wrote:
> 
> I am seeing Suri parsing the following out as a UA. Not sure why this is occurring.
> Method is correctly broken out. Site referring the traffic is linguee.com. Not sure
> if it's specific to something linguee.com is doing, or if this is a bug in the
> parser for Suri. The _TEST_ alert from ET (2009545) will fire on traffic coming
> from this site, and the malformed http information shoved into the json alert.
> http_user_agent:	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) GET /gampad/ads?gdfp_req=1(morestufffollowshere)
> payload_printable:	GET /gampad/ads?gdfp_req=1


Can you share a pcap that can reproduce the case?

> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
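The user agent Erik quotes ends in what looks like the start of the next HTTP request ("GET /gampad/ads?gdfp_req=1"), which is the shape a header value takes when the parser never sees the header terminated and the following request line runs into it. While a pcap is being collected, it helps to know how many eve.json records share the symptom and which flows they belong to. The following is an added example for that triage, written for this thread and not code from Suricata or from either poster; it assumes the standard eve.json layout (an `http` object with `http_user_agent`, plus top-level `event_type`, `flow_id`, `src_ip`, `dest_ip`), and the sample events are constructed here, with the malformed one modelled on the quoted value.

```python
import json
import re

# A request line glued onto the tail of a header value: a method token, at
# least one space, then a path starting with "/". Requiring start-of-string or
# whitespace before the method keeps tokens such as "GETTER/1.0" from matching.
REQUEST_LINE_RE = re.compile(
    r"(?:^|\s)(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) +(/\S*)"
)


def embedded_request_line(user_agent):
    """Return (method, uri, offset) when a request line is embedded in the
    User-Agent string, or None for a normal UA."""
    m = REQUEST_LINE_RE.search(user_agent)
    if m is None:
        return None
    return m.group(1), m.group(2), m.start(1)


def scan_eve(lines):
    """Walk eve.json lines and report events whose http.http_user_agent carries
    an embedded request line. Non-JSON lines and events with no http object
    are skipped so the scan can run over a raw, mixed eve.json file."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        http = ev.get("http")
        if not isinstance(http, dict):
            continue
        ua = http.get("http_user_agent")
        if not isinstance(ua, str):
            continue
        hit = embedded_request_line(ua)
        if hit is None:
            continue
        method, uri, start = hit
        findings.append({
            "line": lineno,
            "event_type": ev.get("event_type"),
            "flow_id": ev.get("flow_id"),
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            # The UA as it was presumably meant, with the glued request removed.
            "user_agent": ua[:start].rstrip(),
            "embedded_method": method,
            "embedded_uri": uri,
        })
    return findings


# Constructed sample events (not taken from the thread): a clean alert, one
# modelled on the malformed user agent quoted above, and a flow record with
# no http object at all.
SAMPLE_EVENTS = [
    {"event_type": "alert", "flow_id": 1, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10",
     "http": {"hostname": "example.org", "url": "/index.html", "http_method": "GET",
              "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/56.0"}},
    {"event_type": "alert", "flow_id": 2, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.20",
     "http": {"hostname": "example.net", "url": "/gampad/ads?gdfp_req=1", "http_method": "GET",
              "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                                 "(KHTML, like Gecko) GET /gampad/ads?gdfp_req=1"}},
    {"event_type": "flow", "flow_id": 3, "src_ip": "10.0.0.6", "dest_ip": "203.0.113.30"},
]
SAMPLE_EVE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    # Replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json") for real data.
    for f in scan_eve(SAMPLE_EVE_LINES):
        print(f"line {f['line']} flow {f['flow_id']} {f['src_ip']} -> {f['dest_ip']}: "
              f"UA ends in '{f['embedded_method']} {f['embedded_uri']}'")
```

The `flow_id` values in the findings are what to carry over to the capture: filtering the pcap to those flows narrows the sample to exactly the requests in which the header ran into the next request line, which is the reproduction case asked for above.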


