<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Thanks Wu Xiuheng, </p>
    <p>I have set force-filestore to yes in suricata.yaml, but it
      still does not work. After diving into the source code, I found the
      real cause is that dyn_port == 0. I continued to check
      why dyn_port is 0, and found that the FTP_COMMON_PORT case in the
      FTPParseRequest method doesn't handle the PORT command; please
      see my PR: <a class="moz-txt-link-freetext" href="https://github.com/OISF/suricata/pull/3302">https://github.com/OISF/suricata/pull/3302</a>.<br>
    </p>
    <p>Best regards,</p>
    <p>Kris<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 2018-03-21 11:17, Xiuheng Wu wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:992A9D89-8C2E-417B-BADF-968EB02EEF94@gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      Hi,
      <div><br>
      </div>
      <div>> <code>alert http any any -&gt; any any (msg:"FILE store all"; filestore; sid:1; rev:1;)</code><br>
        Since you specified `http` as protocol keyword, ftp traffic
        would not match. Try `ftp` or just `any`.</div>
      <div>
        <div>You can also try to set ‘force-filestore: yes’ in
          suricata.yaml to test the extraction without a rule file.</div>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Wu Xiuheng</div>
        <div><br>
        </div>
        <div><br>
          On 2018-03-19, 17:34, zhangqs &lt;<a
            href="mailto:zhangqs@act.buaa.edu.cn" moz-do-not-send="true">zhangqs@act.buaa.edu.cn</a>&gt;
          wrote:<br>
          <br>
        </div>
        <blockquote type="cite">
          <div>
            <meta http-equiv="Content-Type" content="text/html;
              charset=utf-8">
            Hi guys,<br>
            <br>
            I have been struggling for a few days with the file
            extraction function; the reference doc is:
            <a class="moz-txt-link-freetext"
href="http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?highlight=ftp"
              moz-do-not-send="true">http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?highlight=ftp</a>.
            The protocol that I want to use is FTP. <br>
            1) Suricata version is latest that cloned from github.<br>
            2) I setup the suricata.yaml: file-store.enabled: yes<br>
            3) I create a rule file hello.rules, its content is: <br>
            <pre>alert http any any -&gt; any any (msg:"FILE store all"; filestore; sid:1; rev:1;)</pre>
            4) ./configure --prefix=/usr/ --sysconfdir=/etc/
            --localstatedir=/var/<br>
            5) make && make install <br>
            <br>
            My testing pcap is in the attachment, but I cannot find the
            file (Music.mp3) extracted and saved to disk
            (/var/log/suricata/files/). <br>
            Has anybody ever been successful at extracting FTP files
            to disk?<br>
            <br>
            And then I read the code, and cannot find which code is
            responsible for saving the file to disk. <br>
            I guess the process is:<br>
            <pre>FTPDataParseRequest --> FTPDataParse --> FileOpenFile | FileAppendData --> StreamingBuffer</pre>
            but the data is still in memory; where is the
            StreamingBuffer saved to disk?<br>
            <br>
            Any advice is welcome.<br>
            Thanks a lot,<br>
            Kris<br>
            <br>
          </div>
        </blockquote>
        <blockquote type="cite">
          <div>&lt;ftp.pcap&gt;</div>
        </blockquote>
        <blockquote type="cite">
          <div><span>_______________________________________________</span><br>
            <span>Suricata IDS Devel mailing list: <a
                href="mailto:oisf-devel@openinfosecfoundation.org"
                moz-do-not-send="true">oisf-devel@openinfosecfoundation.org</a></span><br>
            <span>Site: <a href="http://suricata-ids.org"
                moz-do-not-send="true">http://suricata-ids.org</a> |
              Participate: <a
                href="http://suricata-ids.org/participate/"
                moz-do-not-send="true">http://suricata-ids.org/participate/</a></span><br>
            <span>List: <a
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel"
                moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a></span><br>
            <span>Redmine: <a
                href="https://redmine.openinfosecfoundation.org/"
                moz-do-not-send="true">https://redmine.openinfosecfoundation.org/</a></span><br>
            <span></span><br>
          </div>
        </blockquote>
      </div>
    </blockquote>
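    <p>Added example, not code from this thread, from Suricata, or from either poster: it shows what the "dyn_port == 0" symptom above refers to. An active-mode FTP client announces its data channel on the control connection with <code>PORT h1,h2,h3,h4,p1,p2</code>, where the port is p1 * 256 + p2. A parser that never handles that command leaves the expected data port at 0, so the data connection is never paired with its control session and nothing reaches the file store. The function name, helper and sample lines below are constructed for illustration.</p>

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Suricata code: case-insensitive check for the
 * "PORT " keyword (RFC 959 commands are case-insensitive). Stops at the
 * first mismatch, so a short input never reads past its terminator. */
static int keyword_is_port(const char *p)
{
    const char kw[] = "PORT ";
    for (int i = 0; kw[i] != '\0'; i++)
        if (toupper((unsigned char)p[i]) != kw[i])
            return 0;
    return 1;
}

/* Parse an active-mode FTP PORT command, "PORT h1,h2,h3,h4,p1,p2", into
 * the data-channel address and port the client announced. The port is
 * p1 * 256 + p2. Returns the port (1..65535) on success and 0 on any
 * malformed line. A caller that leaves its dynamic port at 0 will never
 * pair a data connection with this control session, which is the
 * symptom discussed in the thread. ip_out may be NULL. */
uint16_t ftp_parse_port(const char *line, char *ip_out, size_t ip_len)
{
    unsigned long v[6];
    const char *p = line;

    if (!keyword_is_port(p))
        return 0;
    p += 5;

    for (int i = 0; i < 6; i++) {
        char *end;
        /* strtoul would accept leading whitespace or a sign; require a digit. */
        if (*p < '0' || *p > '9')
            return 0;
        v[i] = strtoul(p, &end, 10);
        if (v[i] > 255)
            return 0;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return 0;
            p++;
        }
    }
    /* Only CR/LF (or end of string) may follow the six values. */
    while (*p == '\r' || *p == '\n')
        p++;
    if (*p != '\0')
        return 0;

    unsigned long port = v[4] * 256 + v[5];
    if (port == 0)
        return 0; /* port 0 is not a usable data port */

    if (ip_out != NULL && ip_len > 0)
        snprintf(ip_out, ip_len, "%lu.%lu.%lu.%lu", v[0], v[1], v[2], v[3]);
    return (uint16_t)port;
}

int main(void)
{
    /* Constructed sample control-channel lines, not taken from the pcap. */
    const char *samples[] = {
        "PORT 192,168,1,10,4,1\r\n",  /* valid: 4*256+1 = 1025 */
        "port 10,0,0,2,195,80\r\n",   /* lowercase keyword: 50000 */
        "PORT 10,0,0,2,300,1\r\n",    /* value out of range: rejected */
        "PASV\r\n",                   /* not a PORT command: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char ip[16];
        uint16_t port = ftp_parse_port(samples[i], ip, sizeof ip);
        if (port != 0)
            printf("data channel %s:%u\n", ip, (unsigned)port);
        else
            printf("rejected: %s", samples[i]);
    }
    return 0;
}
```

    <p>Every rejection path returns 0 rather than a partial result, so a caller can use "dynamic port still 0" as the single condition for "no data channel was announced"; that is the state the quoted report describes, and it is what a rule such as the <code>ftp</code> or <code>any</code> variant suggested above depends on the parser having cleared.</p>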
    <br>
  </body>
</html>