@bmeeks Quite a lot of "stuff" in those files... not 100% sure what to look for except (block, alert, action, etc.?)
Anyway, first off I see this in the block.log (same SID as before):
[screenshot: ffb55d5b-9506-4da7-ac23-c8aa4eb52a4c-image.png]
And in the Alerts tab I have this with the same time stamp:
[screenshot: e0ba72c4-1db9-4666-841a-390a3b938928-image.png]
And here's the part from the eve.json file where I find what I think is the start of what is related to this rule (2021076)? And I believe it ends with ..."bytes 0-1048575/2426344"}]}}
After the first bit of readable info, there's a lot of garbled info, or binary I guess, and possibly hash data, mixed in with text. I think I have figured out that this is actually an MS download of AV data?
But from what I can see it looks like action:allowed ??
{"timestamp":"2023-12-06T14:59:47.731754+0100","flow_id":2024081892321530,"in_iface":"ix1",
"event_type":"alert","src_ip":"151.139.183.24","src_port":80,"dest_ip":"192.168.1.92","dest_port":55069,"proto":"TCP","pkt_src":"wire/pcap","metadata":{"flowbits":["exe.no.referer","http.dottedquadhost","file.exe","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2015_05_08"],"former_category":["INFO"],"updated_at":["2015_05_08"]}},"http":{"hostname":"151.139.183.24","url":"/c/msdownload/update/software/defu/2023/12/am_base_patch1_46a562cb0306caf4167e4ca4cf496900c24dd090.exe?cacheHostOrigin=11.au.download.windowsupdate.com","http_user_agent":"Microsoft-Delivery-Optimization/10.0","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-1048575/2426344","start":0,"end":1048575,"size":2426344},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":14052,"http_response_body_printable":"MZ...........@...............................................!..L.!This program cannot be run in DOS mode.\r\r\n......
It then goes on with a lot of unintelligible data and something I think I have identified as an MS AV signature download based on text in the middle of all the data: /c/msdownload/update/software/defu/2023/12/am_base_patch1
Not sure what this is though?? It says mode=block, but could that be info the MS AV??
"payload_printable":"HTTP/1.1 206 Partial Content\r\nServer: nginx\r\nDate: Wed, 06 Dec 2023 13:59:21 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 2\r\nConnection: keep-alive\r\nCache-Control: public,max-age=172800\r\nLast-Modified: Tue, 05 Dec 2023 23:30:43 GMT\r\nX-Powered-By: ASP.NET\r\nX-CID: 10003\r\nX-CCC: b16aeb46-c642-459e-b5ae-4d702fbef56e\r\nContent-Security-Policy: default-src 'self' http: https: data: blob: 'unsafe-inline'\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-Cache-Status: HIT\r\nContent-Range: bytes 0-1/2426344\r\n\r\nMZHTTP/1.1 206 Partial Content\r\nServer: nginx\r\nDate: Wed, 06 Dec 2023 13:59:21 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 1048576\r\nConnection: keep-alive\r\nCache-Control: public,max-age=172800\r\nLast-Modified: Tue, 05 Dec 2023 23:30:43 GMT\r\nX-Powered-By: ASP.NET\r\nX-CID: 10003\r\nX-CCC: b16aeb46-c642-459e-b5ae-4d702fbef56e\r\nContent-Security-Policy: default-src 'self' http: https: data: blob: 'unsafe-inline'\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-Cache-Status: HIT\r\nContent-Range:
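An added example (mine, not code from this thread, from Suricata or from pfSense): a small Python triage script that pulls every eve.json alert record for SID 2021076, reports the alert action next to the HTTP hostname, path, user agent and the cacheHostOrigin query parameter, and lists the other events sharing the same flow_id. The first input line is trimmed from the record quoted above; the second (an event_type "http" record) is constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: line 1 is the alert quoted in the post with unneeded
# fields dropped; line 2 is a made-up http record on the same flow_id.
SAMPLE_EVE = r'''
{"timestamp":"2023-12-06T14:59:47.731754+0100","flow_id":2024081892321530,"event_type":"alert","src_ip":"151.139.183.24","src_port":80,"dest_ip":"192.168.1.92","dest_port":55069,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"151.139.183.24","url":"/c/msdownload/update/software/defu/2023/12/am_base_patch1_46a562cb0306caf4167e4ca4cf496900c24dd090.exe?cacheHostOrigin=11.au.download.windowsupdate.com","http_user_agent":"Microsoft-Delivery-Optimization/10.0","http_content_type":"application/octet-stream","http_method":"GET","status":206}}
{"timestamp":"2023-12-06T14:59:47.800000+0100","flow_id":2024081892321530,"event_type":"http","src_ip":"192.168.1.92","dest_ip":"151.139.183.24","http":{"hostname":"151.139.183.24","status":206}}
'''

def iter_events(text):
    """Yield one parsed record per non-empty eve.json line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def alerts_for_sid(text, sid):
    """Summarize every alert record that fired for one signature id."""
    rows = []
    for ev in iter_events(text):
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        http = ev.get("http", {})
        parts = urlsplit(http.get("url", ""))
        query = parse_qs(parts.query)
        rows.append({
            "timestamp": ev["timestamp"],
            "flow_id": ev["flow_id"],
            "action": ev["alert"]["action"],       # what the engine did, not pf
            "signature": ev["alert"]["signature"],
            "server": f'{ev["src_ip"]}:{ev["src_port"]}',
            "client": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            "hostname": http.get("hostname"),       # dotted quad in the post
            "path": parts.path,
            "user_agent": http.get("http_user_agent"),
            # CDN-fronted downloads may carry the origin host in the query
            # string, as the post's cacheHostOrigin parameter does.
            "cache_origin": query.get("cacheHostOrigin", [None])[0],
        })
    return rows

def related_events(text, flow_id):
    """Event types of every record on the same flow, in file order."""
    return [ev["event_type"] for ev in iter_events(text) if ev.get("flow_id") == flow_id]

if __name__ == "__main__":
    for row in alerts_for_sid(SAMPLE_EVE, 2021076):
        for key, value in row.items():
            print(f"{key:>12}: {value}")
        print("     related:", related_events(SAMPLE_EVE, row["flow_id"]))
```

Run it against a real file with `alerts_for_sid(open("/var/log/suricata/.../eve.json").read(), 2021076)`; the "action" column is the engine's verdict for that packet and does not by itself say whether a separate pf block was placed.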