[Oisf-devel] how to setup the suricata for extracting the files from ftp protocol and save into disk
zhangqs
zhangqs at act.buaa.edu.cn
Mon Mar 19 09:34:38 UTC 2018
Hi guys,
I have been struggling for a few days with the file extraction function; the
reference doc is:
http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?highlight=ftp.
The protocol that I want to use is FTP.
1) Suricata version is the latest, cloned from GitHub.
2) I set up suricata.yaml: file-store.enabled: yes
3) I created a rule file hello.rules; its content is:
alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
4) ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
5) make && make install
My testing pcap is in the attachment, but I cannot find the
file (Music.mp3) extracted and saved to disk
(/var/log/suricata/files/).
Has anybody ever succeeded in extracting an FTP file to disk?
Then I read the code, and cannot find which code is responsible for
saving the file to disk.
I guess the process is:
FTPDataParseRequest-->FTPDataParse-->FileOpenFile|FileAppendData-->StreamingBuffer
but the data is still in memory; where is the StreamingBuffer saved to
the disk?
Any advice is welcome.
Thanks a lot,
Kris
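Added example, not part of the original message and not code from the Suricata project: a small checker that reads the fileinfo records Suricata writes to eve.json and reports whether an FTP transfer was actually stored and where on disk it should be. It assumes a Suricata build that tracks the FTP data channel as the `ftp-data` app-layer protocol and uses file-store version 2 (stored file at `<dir>/<first two hex chars of sha256>/<sha256>`); the rule and YAML fragment it carries, the store directory, the digest and every eve.json line are constructed for the example.

```python
"""
Added example, not code from the original post or from the Suricata project.
Checks whether Suricata's file-store wrote an FTP transfer to disk by reading
the fileinfo records in eve.json, and names the usual cause when it did not.
Assumptions: a Suricata build with the ftp-data app-layer protocol and
file-store version 2, where a stored file is written as
<dir>/<first two hex chars of sha256>/<sha256>. All eve.json lines here are
constructed for the example.
"""
import json
import os
from typing import Dict, List

# The filestore rule must match the ftp-data protocol: the file bytes travel
# on the FTP data channel, which Suricata tracks as its own app-layer protocol.
FTP_FILESTORE_RULE = (
    'alert ftp-data any any -> any any '
    '(msg:"FILE store all ftp-data"; filestore; sid:1000001; rev:1;)'
)

# Matching file-store section for suricata.yaml (version 2 layout assumed).
FILE_STORE_YAML = """\
file-store:
  version: 2
  enabled: yes
  dir: /var/log/suricata/filestore
  write-fileinfo: yes
"""

STORE_DIR = "/var/log/suricata/filestore"   # assumed store directory
SAMPLE_SHA = "ab" + "cd" * 31               # constructed 64-hex digest

# Constructed eve.json records: one ftp-data transfer that was stored, one
# that Suricata saw but did not store (no filestore rule fired), an http
# fileinfo record that must be ignored, and an unrelated alert record.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "fileinfo", "app_proto": "ftp-data",
                "fileinfo": {"filename": "Music.mp3", "sha256": SAMPLE_SHA,
                             "size": 8192, "state": "CLOSED", "stored": True}}),
    json.dumps({"event_type": "fileinfo", "app_proto": "ftp-data",
                "fileinfo": {"filename": "notes.txt", "size": 120,
                             "state": "CLOSED", "stored": False}}),
    json.dumps({"event_type": "fileinfo", "app_proto": "http",
                "fileinfo": {"filename": "/index.html", "size": 512,
                             "state": "CLOSED", "stored": False}}),
    json.dumps({"event_type": "alert", "app_proto": "ftp"}),
]


def stored_path(store_dir: str, sha256: str) -> str:
    """On-disk location of a stored file under the file-store v2 layout."""
    return os.path.join(store_dir, sha256[:2], sha256)


def ftp_fileinfo(eve_lines: List[str]) -> List[Dict]:
    """All fileinfo records for the ftp-data protocol, in log order."""
    out = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "fileinfo" and rec.get("app_proto") == "ftp-data":
            out.append(rec)
    return out


def stored_ftp_files(eve_lines: List[str], store_dir: str) -> List[Dict]:
    """Files Suricata reports as written to disk, with their expected paths."""
    found = []
    for rec in ftp_fileinfo(eve_lines):
        fi = rec["fileinfo"]
        if fi.get("stored") and fi.get("sha256"):
            found.append({"filename": fi.get("filename"),
                          "sha256": fi["sha256"],
                          "path": stored_path(store_dir, fi["sha256"])})
    return found


def diagnose(eve_lines: List[str]) -> str:
    """One-line explanation of why nothing (or something) was stored."""
    records = ftp_fileinfo(eve_lines)
    if not records:
        return ("no ftp-data fileinfo records: the ftp-data parser never saw a "
                "transfer (check app-layer.protocols.ftp is enabled and the pcap "
                "contains both the control and the data channel)")
    stored = sum(1 for r in records if r["fileinfo"].get("stored"))
    if stored == 0:
        return ("ftp-data transfers were seen but none stored: no rule with "
                "'filestore' matched on the ftp-data protocol (an 'alert http' "
                "rule never fires for FTP)")
    return "%d ftp-data file(s) stored" % stored


if __name__ == "__main__":
    print(diagnose(SAMPLE_EVE_LINES))
    for f in stored_ftp_files(SAMPLE_EVE_LINES, STORE_DIR):
        print(f["filename"], "->", f["path"])
```

Run it against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines; a fileinfo record with "stored": true plus a file at the computed path is the confirmation that extraction reached disk, and the diagnose() messages cover the two failure modes a practitioner usually meets (the ftp-data parser never saw the transfer, or no filestore rule matched it).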
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20180319/f2f405f0/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ftp.pcap
Type: application/vnd.tcpdump.pcap
Size: 9153 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20180319/f2f405f0/attachment-0001.pcap>