[Oisf-devel] Extracting file from stream

Yao-Min Chen Yaomin.Chen at Sun.COM
Thu Jan 21 08:02:03 UTC 2010


One reason for doing full capture and file extraction is to detect 
malware files in transit, so we can either block the files or 
immediately report the host that receives such a file. The latter can be 
used as a trigger for first responses.

If Suricata can do this in memory instead of handing off the pcap files 
to external tools there is efficiency and response time to be gained.

Yaomin

On 01/20/10 23:38, Victor Julien wrote:
> The ISC post lists quite a few tools that already support extracting 
> files from pcaps. Is there something new and unsupported by those tools 
> you are looking for in Suricata?
>
> Will Metcalf wrote:
>   
>> Jerry,
>>
>> We will keep this in mind, although I think stuff like this may belong 
>> in post-analysis.  That being said does anybody have an interest in 
>> flow/full traffic capture as an option?
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Jan 20, 2010 at 4:22 PM, Jerry <jerry at cybercave.cz 
>> <mailto:jerry at cybercave.cz>> wrote:
>>
>>     Hi development team/list,
>>     I have a question regarding feature development. Are you planning to
>>     include extraction of files from packet streams in Suricata?
>>
>>     It would be nice to have something that covers this issue:
>>     http://isc.sans.org/diary.html?storyid=6961
>>
>>     Thank you very much in advance
>>
>>     Jerry
>>
>>     --
>>     Defending network against intrusion is like trying to keep a squid
>>     inside a mesh bag. Question is, who will give up first :)
>>
>>     _______________________________________________
>>     Oisf-devel mailing list
>>     Oisf-devel at openinfosecfoundation.org
>>     <mailto:Oisf-devel at openinfosecfoundation.org>
>>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>>

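The in-memory workflow Yao-Min describes, extracting files from a reassembled stream and deciding on them before anything touches disk, as an added example that is not part of the original thread and not Suricata's own code. It assumes the stream is already TCP-reassembled and carries HTTP/1.1 responses; the sample stream, the fake PE header, the "known malware" payload and the hash blocklist are all constructed for the demo. It handles Content-Length and chunked bodies and stops at a truncated response rather than emitting a partial file:

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data (not real traffic): a reassembled server->client
# TCP stream carrying three complete HTTP/1.1 responses and one truncated one.
FAKE_PE = b"MZ" + b"\x90" * 14                 # 16 bytes, PE magic only
BAD_PAYLOAD = b"PK\x03\x04" + b"bad-zip-body"  # stands in for a known malware file


def _chunked(*chunks: bytes) -> bytes:
    """Encode the given chunks with HTTP/1.1 chunked transfer coding."""
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"


SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\n"
    b"hello, world"
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n\r\n" + FAKE_PE
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    + _chunked(BAD_PAYLOAD[:4], BAD_PAYLOAD[4:])
    # Truncated: the capture ended mid-body, so this one must not be extracted.
    + b"HTTP/1.1 200 OK\r\nContent-Length: 100\r\n\r\nshort"
)

# Constructed hash blocklist; in practice this is fed from threat intel.
BLOCKLIST = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}

HEADER_END = b"\r\n\r\n"


@dataclass
class ExtractedFile:
    offset: int        # where the response started in the stream
    content_type: str
    data: bytes
    sha256: str
    verdict: str       # "block", "alert" or "allow"


def _parse_headers(raw: bytes) -> dict:
    """Status line plus headers -> dict with lower-cased header names."""
    headers = {}
    for line in raw.split(b"\r\n")[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def _read_chunked(buf: bytes, pos: int):
    """Decode a chunked body starting at pos; returns (body, position after it).
    Raises ValueError (from index/int) if the stream is truncated."""
    body = bytearray()
    while True:
        end = buf.index(b"\r\n", pos)
        size = int(buf[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            # Either an empty trailer section or trailer headers up to a blank line.
            if buf[pos:pos + 2] == b"\r\n":
                return bytes(body), pos + 2
            return bytes(body), buf.index(HEADER_END, pos) + 4
        body += buf[pos:pos + size]
        pos += size + 2


def classify(data: bytes, blocklist: set) -> str:
    """Decide on a file in memory, before it is handed to anything else."""
    if hashlib.sha256(data).hexdigest() in blocklist:
        return "block"    # known-bad hash: candidate for dropping the flow
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
        return "alert"    # executable magic: report the receiving host
    return "allow"


def extract_files(stream: bytes, blocklist: set) -> list:
    """Walk the reassembled stream response by response and extract each body.
    A real IDS follows its HTTP parser state instead of searching for 'HTTP/1.';
    the substring search here is only to keep the example short."""
    files, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(HEADER_END, start)
        if hdr_end < 0:
            break                                  # header not complete yet
        headers = _parse_headers(stream[start:hdr_end])
        body_start = hdr_end + len(HEADER_END)
        if headers.get("transfer-encoding", "").lower() == "chunked":
            try:
                body, pos = _read_chunked(stream, body_start)
            except ValueError:
                break                              # truncated chunked body
        else:
            length = int(headers.get("content-length", "0"))
            body = stream[body_start:body_start + length]
            if len(body) < length:
                break                              # truncated body: wait for more data
            pos = body_start + length
        files.append(ExtractedFile(start, headers.get("content-type", ""), body,
                                   hashlib.sha256(body).hexdigest(),
                                   classify(body, blocklist)))
    return files


if __name__ == "__main__":
    for f in extract_files(SAMPLE_STREAM, BLOCKLIST):
        print(f.offset, f.content_type, len(f.data), f.sha256[:16], f.verdict)
```

The truncation branches are the part that matters for an inline (rather than post-analysis) design: a detector that classifies a half-received body will hash the wrong bytes and miss the blocklist match, so the loop waits for the full body and only then computes the digest and verdict.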