[Oisf-users] Setting up a rule to capture all Javascript files traversing the network

Peter Manev petermanev at gmail.com
Thu Aug 11 18:50:51 UTC 2016



> -- 
> Regards,
> Peter Manev 
> On 11 Aug 2016, at 17:12, Dave Florek <dave.a.florek at gmail.com> wrote:
> 
> Hi,
> 
> I'm trying to set up a rule to capture all Javascript (.js) files that are traversing my network. Here is the rule I created to do it. The problem is that it's giving me more files that are outside the .js extension and I'm wondering if the filemagic command has a property for javascript files or if there is a better way to construct the rule to capture only .js extension types.
> 
> 
> alert http any any -> any any (msg:"FILEXT js"; flow:established,to_server; filestore; sid:9; rev:1;)


The rule above will try to store every single file it sees to disk.

You should employ some additional file keywords (filemagic) in order to get just JavaScript. Some more info can be found here - 
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords


> 
> Thanks in advance,
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net


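The following rules are an added example of how the file keywords on that wiki page narrow the original rule down to JavaScript; they are not from either poster. Assumptions: Suricata 5.0 or later (for the `http.content_type` sticky buffer), `file-store` enabled in suricata.yaml (without it `filestore` alerts but writes nothing), and the sids are arbitrary values from the local range. Note that a JavaScript file downloaded by a browser travels in the HTTP response, so the rules use `to_client`; a rule with `to_server` only sees files the client uploads.

```suricata
# Added example (not from the thread): three ways to restrict file storage to JavaScript.
# Assumes Suricata 5.0+, file-store enabled in suricata.yaml, and constructed local sids.

# 1. File extension. Suricata derives the filename of a response body from the
#    request URI, so this catches /app.js and /static/lib.js?v=3 but misses
#    JavaScript served from an extension-less path such as /bundle.
alert http any any -> any any (msg:"FILE JavaScript by extension"; \
    flow:established,to_client; fileext:"js"; filestore; \
    sid:1000001; rev:1;)

# 2. Content-Type header. Substring match so that text/javascript,
#    application/javascript and application/x-javascript all hit,
#    regardless of what the URL looks like. Requires Suricata 5.0+ for the sticky buffer.
alert http any any -> any any (msg:"FILE JavaScript by content-type"; \
    flow:established,to_client; http.content_type; content:"javascript"; nocase; \
    filestore; sid:1000002; rev:1;)

# 3. libmagic classification of the body itself. The exact string libmagic
#    returns for JavaScript depends on the libmagic version installed, so
#    check `file` output on a known sample before relying on this one.
alert http any any -> any any (msg:"FILE JavaScript by magic"; \
    flow:established,to_client; filemagic:"JavaScript"; filestore; \
    sid:1000003; rev:1;)
```

Put the rules in their own file and check that they load with `suricata -T -c /etc/suricata/suricata.yaml -S js-files.rules` before adding the file to `rule-files`. The three approaches have different failure modes: the extension rule trusts the URL, the content-type rule trusts the server's header, and the magic rule depends on libmagic recognising the body; running the first two together gives coverage of both named and unnamed JavaScript without storing every file on the network.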
