Does Packman repo send Dalvik executables?

suse_rasputin · February 22, 2016, 7:12pm

Hi everybody!

For the last few weeks my IDS (snort) frequently (from time to time, not always) blocks opensuse 13.2 access to packman repository, complaining that there is

ET POLICY Android Dalvik Executable File Download (1:2016856)

02/22/16-17:50:55.421524 ,1,2016856,1,“ET POLICY Android Dalvik Executable File Download”,TCP,134.76.12.5,80,10.0.2.12,55843,6430,Potential Corporate Privacy Violation,1,

Is there any chance this is legitimate traffic or is there something going wrong here?

Kind regards!

rasputin

I_A · February 25, 2016, 10:26pm

well if I’m not mistaken android executable’s are compressed elf’s, I do believe that’s a snort bug as it probably sees packman updates (compressed elf’s) as android executable’s

I’m just speculating here, beyond general android knowledge I have 0 android expertise.

suse_rasputin · February 28, 2016, 2:04pm

Hy! Many thanks for the reply, interesting! I don’t understand why snort does wild only from time to time, but… Will see how thing develop. Kind regards rasputin