<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=iso-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/24/10 11:50, Al MailingList wrote:
<blockquote
cite="mid:a08881bc1001241150v194d7227v1b199c7dd61ff639@mail.gmail.com"
type="cite">
<pre wrap="">I would have thought also that by doing it in an engine like suricata
instead of tcpxtract is that you can better handle things like gzip,
chunked encoding, etc, since the engine is probably already handling
all these things?
Al
</pre>
</blockquote>
I don't know enough engine details but I think the inline gzip and
chunked decoding will be quite handy to detect attacks embedded in HTTP
transport. <br>
<br>
Yaomin<br>
<br>
<br>
<blockquote
cite="mid:a08881bc1001241150v194d7227v1b199c7dd61ff639@mail.gmail.com"
type="cite">
<pre wrap="">
On Thu, Jan 21, 2010 at 8:02 AM, Yao-Min Chen <a class="moz-txt-link-rfc2396E" href="mailto:Yaomin.Chen@sun.com"><Yaomin.Chen@sun.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">One reason for doing full capture and file extraction is to detect malware
files in transit, so we can either block the files or immediately report the
host that receives such a file. The latter can be used as a trigger for
first responses.
If Suricata can do this in memory instead of handing off the pcap files to
external tools there is efficiency and response time to be gained.
Yaomin
On 01/20/10 23:38, Victor Julien wrote:
The ISC post lists quite a few tools that already support extracting
files from pcaps. Is there something new and unsupported by those tools
you are looking for in Suricata?
Will Metcalf wrote:
Jerry,
We will keep this in mind, although I think stuff like this may belong
in post-analysis. That being said does anybody have an interest in
flow/full traffic capture as an option?
Regards,
Will
On Wed, Jan 20, 2010 at 4:22 PM, Jerry <<a class="moz-txt-link-abbreviated" href="mailto:jerry@cybercave.cz">jerry@cybercave.cz</a>
<a class="moz-txt-link-rfc2396E" href="mailto:jerry@cybercave.cz"><mailto:jerry@cybercave.cz></a>> wrote:
Hi development team/list,
I have a question regarding features development. Are you planning to
include extraction files from packet stream into Suricata?
It would be nice to have something that covers this issue:
<a class="moz-txt-link-freetext" href="http://isc.sans.org/diary.html?storyid=6961">http://isc.sans.org/diary.html?storyid=6961</a>
Thank you very much in advance
Jerry
--
Defending network against intrusion is like trying to keep a squid
inside a mesh bag. Question is, who will give up first :)
_______________________________________________
Oisf-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Oisf-devel@openinfosecfoundation.org"><mailto:Oisf-devel@openinfosecfoundation.org></a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
------------------------------------------------------------------------
_______________________________________________
Oisf-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
_______________________________________________
Oisf-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
</pre>
</blockquote>
<pre wrap=""><!---->_______________________________________________
Oisf-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">
</pre>
</body>
</html>