[Oisf-devel] Extracting file from stream

Edward Bjarte Fjellskål edward.fjellskal at redpill-linpro.com
Thu Jan 21 10:58:45 UTC 2010


Yao-Min Chen wrote:
> One reason for doing full capture and file extraction is to detect
> malware files in transit, so we can either block the files or
> immediately report the host that receives such a file.  The latter can
> be used as a trigger for first responses.
> 
> If Suricata can do this in memory instead of handing off the pcap files
> to external tools there is efficiency and response time to be gained.
> 
> Yaomin

Hi list,

My aim with fpcgui (Full Packet Capture GUI) is for offloading this
from an IDS sensor. The IDS could have a preprocessor (or just a tool
that reads the unified log for extraction of just the sessions that
trigger events (If you know Sourcefire, I'm planning to use Estreamer for
this)) that sends off a command to fpcgui, that would carve out the pcap
of the session in question.

You can then have a ringbuffer of full pcap data, and yet another
ringbuffer with pcaps from sessions that triggered events etc.

For each new session that is automagically(tm) carved out, you can
send that through (example) tcpxtract->clamav and if virus found,
send an event to your favorite event monitoring system (Sguil etc.).

Read my last blog post on fpcgui if it sounds interesting.
http://www.gamelinux.org/?p=67

I have a demo up, so you can test it if someone is interested.

e
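The carve-then-scan pipeline sketched above (ring buffer of full pcap, carve out the session an event points at, hand the reassembled content to a scanner, emit an event) as an added, standalone illustration; this is not fpcgui's code, nor tcpxtract or ClamAV. It parses a constructed libpcap capture, keeps only the packets of one TCP session selected by 4-tuple, reassembles the server-to-client payload in sequence order while dropping an exact retransmission, and builds the event a monitor such as Sguil would receive. Addresses, payloads and the "known bad" hash set are all constructed; a real deployment would pass the reassembled payload to an AV engine where the hash lookup sits.

```python
import hashlib
import socket
import struct

# Minimal libpcap reader/writer (little-endian magic, link type 1 = Ethernet).
PCAP_MAGIC = 0xA1B2C3D4

def build_pcap(frames):
    """Serialize (ts_sec, ts_usec, frame_bytes) records into a pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return a list of (ts_sec, ts_usec, frame_bytes) records."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return frames

def tcp_fields(frame):
    """(src_ip, dst_ip, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, seq, payload

def session_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a flow match the same session."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def carve_session(pcap_bytes, client, server):
    """New pcap holding only the packets of one TCP session: the carve-out step."""
    want = session_key(client[0], server[0], client[1], server[1])
    kept = []
    for ts_sec, ts_usec, frame in parse_pcap(pcap_bytes):
        f = tcp_fields(frame)
        if f and session_key(*f[:4]) == want:
            kept.append((ts_sec, ts_usec, frame))
    return build_pcap(kept)

def reassemble(pcap_bytes, src, dst):
    """Concatenate one direction's payload in sequence order. Exact retransmissions are
    dropped (first copy wins); overlapping or out-of-window segments are not handled here."""
    segments = {}
    for _, _, frame in parse_pcap(pcap_bytes):
        f = tcp_fields(frame)
        if f and (f[0], f[2]) == src and (f[1], f[3]) == dst and f[5]:
            segments.setdefault(f[4], f[5])
    return b"".join(segments[seq] for seq in sorted(segments))

def scan_session(pcap_bytes, client, server, known_bad_sha256):
    """Build the event a monitor like Sguil would receive for a carved session.
    A real pipeline hands the payload to an AV scanner here; a hash lookup stands in."""
    payload = reassemble(pcap_bytes, server, client)  # the downloaded file flows server -> client
    digest = hashlib.sha256(payload).hexdigest()
    return {"session": f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}",
            "bytes": len(payload), "sha256": digest, "alert": digest in known_bad_sha256}

# Constructed sample traffic: documentation-range addresses, checksums left zero (nothing checks them).
def build_frame(src, dst, sport, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

CLIENT, SERVER, OTHER = ("10.0.0.5", 40001), ("203.0.113.10", 80), ("10.0.0.7", 40002)
SAMPLE_FILE = b"MZ" + b"constructed-sample-payload" * 3  # stands in for a file in transit

def sample_capture():
    """Slice of a full-capture ring buffer: the session of interest interleaved with other traffic."""
    s2c = lambda seq, data: build_frame(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], seq, data)
    return build_pcap([
        (1, 0, build_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], 1000, b"GET /x HTTP/1.0\r\n\r\n")),
        (1, 10, build_frame(OTHER[0], SERVER[0], OTHER[1], SERVER[1], 5000, b"GET /y HTTP/1.0\r\n\r\n")),
        (1, 20, s2c(2000, SAMPLE_FILE[:30])),
        (1, 30, s2c(2030, SAMPLE_FILE[30:])),
        (1, 40, s2c(2000, SAMPLE_FILE[:30])),  # retransmission of the first segment
        (1, 50, build_frame(SERVER[0], OTHER[0], SERVER[1], OTHER[1], 6000, b"unrelated")),
    ])

if __name__ == "__main__":
    carved = carve_session(sample_capture(), CLIENT, SERVER)
    print(scan_session(carved, CLIENT, SERVER, {hashlib.sha256(SAMPLE_FILE).hexdigest()}))
```

The session key is built from the sorted (address, port) pairs so that a request and its reply land in the same carved pcap; the reassembly deliberately keys on the raw sequence number, which is enough for a demonstration but is not a substitute for a full TCP reassembler when segments overlap or a connection wraps its sequence space.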

> 
> On 01/20/10 23:38, Victor Julien wrote:
>> The ISC post lists quite a few tools that already support extracting 
>> files from pcaps. Is there something new and unsupported by those tools 
>> you are looking for in Suricata?
>>
>> Will Metcalf wrote:
>>   
>>> Jerry,
>>>
>>> We will keep this in mind, although I think stuff like this may belong 
>>> in post-analysis.  That being said does anybody have an interest in 
>>> flow/full traffic capture as an option?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Wed, Jan 20, 2010 at 4:22 PM, Jerry <jerry at cybercave.cz 
>>> <mailto:jerry at cybercave.cz>> wrote:
>>>
>>>     Hi development team/list,
>>>     I have a question regarding features development. Are you planning to
>>>     include extraction files from packet stream into Suricata?
>>>
>>>     It would be nice to have something that covers this issue:
>>>     http://isc.sans.org/diary.html?storyid=6961
>>>
>>>     Thank you very much in advance
>>>
>>>     Jerry
>>>
>>>     --
>>>     Defending network against intrusion is like trying to keep a squid
>>>     inside a mesh bag. Question is, who will give up first :)
>>>
>>>     _______________________________________________
>>>     Oisf-devel mailing list
>>>     Oisf-devel at openinfosecfoundation.org
>>>     <mailto:Oisf-devel at openinfosecfoundation.org>
>>>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>