FIX: Hunt query for HTTP EXE downloads should work for both Zeek and Suricata #3753

Closed
dougburks opened this issue Apr 4, 2021 · 0 comments · Fixed by #3755
@dougburks
Contributor

In Hunt, we have a query for HTTP EXE downloads:

event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host

This query works if you're running Zeek for metadata, but it doesn't work if you're running Suricata for metadata. We can fix this as follows:

event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host
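An added example, not part of this issue or of Security Onion's own code: a small Python model of the two Hunt queries run over constructed sample events, showing that the original filter only matches records whose mime field carries the dosexec token, while the fixed filter also matches records carrying an executable token. The sample field values and the token-based matching (approximating an analyzed text field) are assumptions for illustration, not taken from the issue.

```python
import re
from collections import Counter

# Constructed sample events (NOT real Security Onion data). The first record
# mimics a Zeek-derived HTTP event (a MIME type in file.resp_mime_types); the
# third mimics a Suricata-derived one where the field holds a description that
# contains the word "executable". Both shapes are assumptions.
SAMPLE_EVENTS = [
    {"event.dataset": "http", "file.resp_mime_types": "application/x-dosexec",
     "http.virtual_host": "downloads.example.test"},
    {"event.dataset": "http", "file.resp_mime_types": "text/html",
     "http.virtual_host": "www.example.test"},
    {"event.dataset": "http", "file.resp_mime_types": "PE32 executable for MS Windows",
     "http.virtual_host": "cdn.example.test"},
    {"event.dataset": "dns", "file.resp_mime_types": "executable",
     "http.virtual_host": "ignored.example.test"},
]


def _tokens(value):
    """Approximate an analyzed text field: lowercase, split on non-alphanumerics."""
    return set(re.findall(r"[a-z0-9]+", str(value).lower()))


def matches(event, field, term):
    """True if `term` is one of the tokens in `field` (assumed analyzer behaviour)."""
    return term.lower() in _tokens(event.get(field, ""))


def old_query(event):
    # event.dataset:http AND file.resp_mime_types:dosexec
    return (matches(event, "event.dataset", "http")
            and matches(event, "file.resp_mime_types", "dosexec"))


def new_query(event):
    # event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable)
    return matches(event, "event.dataset", "http") and (
        matches(event, "file.resp_mime_types", "dosexec")
        or matches(event, "file.resp_mime_types", "executable"))


def groupby_virtual_host(events, predicate):
    """Emulate '| groupby http.virtual_host': count matching events per virtual host."""
    return dict(Counter(e.get("http.virtual_host", "-") for e in events if predicate(e)))


if __name__ == "__main__":
    print("old query:", groupby_virtual_host(SAMPLE_EVENTS, old_query))
    print("new query:", groupby_virtual_host(SAMPLE_EVENTS, new_query))
```

With these samples the old query reports only the Zeek-style host, while the fixed query also surfaces the Suricata-style record; the dns event is excluded by the event.dataset clause in both.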