Prefix match but not hostkey?


Sam Cleaver

Jan 16, 2012, 5:10:02 PM
to Google Safe Browsing API
Hi Guys,

Any help with this brainteaser would be greatly appreciated :)

Looking up: aboutconvert.ru
Gets canonicalized to: aboutconvert.ru/
Produces hash:
da9b8756b12a640dada01ceaac125d0eeacc4609f1176c18a5f4d0228728e58b
Hostkey: da9b8756

So if my understanding is correct, I go through and see if I have any
hostkey matches, if I don't then it's safe?
The thing that I'm stuck on is that the url above is malicious but
when hashed matches a prefix, not a hostkey.

Matches prefix: da9b8756
Related hostkey: 5a7a8a00
Related chunk: 60955

The related hostkey has some 205 prefixes underneath it. So either I'm
not processing the response correctly or I'm not processing the lookup
correctly.
If anyone could check the hashes above in their database to see what
they get it'd be a huge help.

Cheers :)


Julien Sobrier

Jan 16, 2012, 7:22:35 PM
to google-safe-...@googlegroups.com
Add chunk 60955
hostkey: da9b8756
prefix:
full hash: da9b8756b12a640dada01ceaac125d0eeacc4609f1176c18a5f4d0228728e58b

The prefix is empty, meaning it is the same as the hostkey. So there
is a local match on aboutconvert.ru/

Julien
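
Added example, not part of the original thread and not code from Net::Google::SafeBrowsing2: a minimal Python parser for add-chunk data that shows the empty-prefix case described in the reply above. It assumes the Safe Browsing v2 add-chunk layout (4-byte hostkey, 1-byte count, then count prefixes of 4 bytes each); the chunk bytes and the two prefixes under 5a7a8a00 are constructed, while the full hash is the one quoted in the thread.

```python
# Added example; assumes the v2 add-chunk layout:
#   HOSTKEY (4 bytes) | COUNT (1 byte) | COUNT * PREFIX (4 bytes each)
PREFIX_LEN = 4

def parse_add_data(data, prefix_len=PREFIX_LEN):
    """Parse raw add-chunk data into {hostkey: set(prefixes)}."""
    entries = {}
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated hostkey/count at offset %d" % pos)
        hostkey, count = data[pos:pos + 4], data[pos + 4]
        pos += 5
        end = pos + count * prefix_len
        if end > len(data):
            raise ValueError("truncated prefix list for %s" % hostkey.hex())
        prefixes = entries.setdefault(hostkey, set())
        if count == 0:
            # Empty prefix list: the hostkey itself is the prefix.
            prefixes.add(hostkey)
        for i in range(pos, end, prefix_len):
            prefixes.add(data[i:i + prefix_len])
        pos = end
    return entries

def local_match(entries, host_hash, url_hash, prefix_len=PREFIX_LEN):
    """True if url_hash's prefix is stored under the host's hostkey."""
    return url_hash[:prefix_len] in entries.get(host_hash[:4], set())

# Full hash of "aboutconvert.ru/" as quoted in the thread.
FULL_HASH = bytes.fromhex(
    "da9b8756b12a640dada01ceaac125d0eeacc4609f1176c18a5f4d0228728e58b")

# Constructed chunk data: hostkey 5a7a8a00 with two made-up prefixes,
# followed by hostkey da9b8756 with count 0.
SAMPLE = bytes.fromhex("5a7a8a00" "02" "11111111" "22222222"
                       "da9b8756" "00")

if __name__ == "__main__":
    db = parse_add_data(SAMPLE)
    for hostkey, prefixes in db.items():
        print(hostkey.hex(), sorted(p.hex() for p in prefixes))
    # Host and URL expression are the same string here, so one hash serves both.
    print("local match:", local_match(db, FULL_HASH, FULL_HASH))
```
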


Sam Cleaver

Jan 16, 2012, 7:56:45 PM
to Google Safe Browsing API
Thanks Julien,

Hmm, looks like there's something going wrong in my initial chunk
processing then, I have it down in the database as a prefix within a
(different) hostkey.
Out of curiosity would you be able to check how many prefixes hostkey
5a7a8a00 contains please?

Thanks for your help :)

Sam

Julien Sobrier

Jan 16, 2012, 8:45:43 PM
to google-safe-...@googlegroups.com
I use Net::Google::SafeBrowsing2 with a MySQL back-end, so I just
queried my database.

Julien

EarlyAdopter

Jan 18, 2012, 4:15:36 AM
to Google Safe Browsing API
FWIW, the GSB Lookup API reports that domain as potentially
malware-infected.

-EA