<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=iso-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/24/10 11:50, Al MailingList wrote:
<blockquote
 cite="mid:a08881bc1001241150v194d7227v1b199c7dd61ff639@mail.gmail.com"
 type="cite">
  <pre wrap="">I would have thought also that by doing it in an engine like suricata
instead of tcpxtract is that you can better handle things like gzip,
chunked encoding, etc, since the engine is probably already handling
all these things?

Al

  </pre>
</blockquote>
I don't know enough engine details, but I think the inline gzip and
chunked decoding will be quite handy to detect attacks embedded in HTTP
transport. <br>
<br>
Yaomin<br>
<br>
<br>
<blockquote
 cite="mid:a08881bc1001241150v194d7227v1b199c7dd61ff639@mail.gmail.com"
 type="cite">
  <pre wrap="">
On Thu, Jan 21, 2010 at 8:02 AM, Yao-Min Chen <a class="moz-txt-link-rfc2396E" href="mailto:Yaomin.Chen@sun.com"><Yaomin.Chen@sun.com></a> wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">One reason for doing full capture and file extraction is to detect malware
files in transit, so we can either block the files or immediately report the
host that receives such a file.  The latter can be used as a trigger for
first responses.

If Suricata can do this in memory instead of handing off the pcap files to
external tools there is efficiency and response time to be gained.

Yaomin

On 01/20/10 23:38, Victor Julien wrote:

The ISC post lists quite a few tools that already support extracting
files from pcaps. Is there something new and unsupported by those tools
you are looking for in Suricata?

Will Metcalf wrote:


Jerry,

We will keep this in mind, although I think stuff like this may belong
in post-analysis.  That being said does anybody have an interest in
flow/full traffic capture as an option?

Regards,

Will

On Wed, Jan 20, 2010 at 4:22 PM, Jerry <a class="moz-txt-link-rfc2396E" href="mailto:jerry@cybercave.cz">&lt;jerry@cybercave.cz&gt;</a> wrote:

    Hi development team/list,
    I have a question regarding features development. Are you planning to
    include extraction files from packet stream into Suricata?

    It would be nice to have something that covers this issue:
    <a class="moz-txt-link-freetext" href="http://isc.sans.org/diary.html?storyid=6961">http://isc.sans.org/diary.html?storyid=6961</a>

    Thank you very much in advance

    Jerry

    --
    Defending network against intrusion is like trying to keep a squid
    inside a mesh bag. Question is, who will give up first :)

    _______________________________________________
    Oisf-devel mailing list
    <a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
    <a class="moz-txt-link-rfc2396E" href="mailto:Oisf-devel@openinfosecfoundation.org"><mailto:Oisf-devel@openinfosecfoundation.org></a>
    <a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>



    </pre>
  </blockquote>
</blockquote>
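<br>
The dechunk-then-gunzip step discussed above, as an added Python example that is not Suricata code and not from anyone in this thread; the HTTP response, the file bytes and the blocklist hash are constructed here for illustration:
<br>

```python
import gzip
import hashlib

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into the original octets."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        # chunk-size is hex and may carry ";name=value" chunk extensions
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:          # last-chunk; any trailer headers follow and are ignored here
            break
        out += body[pos:pos + size]
        pos += size + 2        # step over the chunk data and its trailing CRLF
    return bytes(out)

def extract_http_body(raw: bytes):
    """Split a raw HTTP/1.1 response, undo chunking, then undo the content-encoding."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return headers, body

def inspect(raw: bytes, blocklist: set) -> dict:
    # Hash the decoded file, not the wire bytes, and check it against known-bad hashes.
    _, data = extract_http_body(raw)
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "size": len(data), "match": digest in blocklist}

# Constructed sample: a harmless stand-in for a file observed in transit.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed sample payload, not real malware. " * 8
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()

def build_sample_response() -> bytes:
    """Constructed server response: gzip the file, then send it as two chunks."""
    gz = gzip.compress(SAMPLE_FILE, mtime=0)
    chunks = [gz[:16], gz[16:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + body)
```

A hash or content signature applied to the raw wire bytes would only see chunk framing and gzip output; the match becomes possible only after both transforms, which is the gain from doing it inside the engine rather than in a post-capture tool.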
<br>
</body>
</html>