[Oisf-users] problem with filestore

erik clark philosnef at gmail.com
Fri Mar 10 18:58:45 UTC 2017


Yeah, the sig loads in 3.2 fine. Turns out that this will do a filestore
exactly as the sig is written! So this looks like it just won't work in
3.1.3 for some reason. Sorry for all the trouble. I will look into this a
little more.

On Fri, Mar 10, 2017 at 1:07 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Yeah unfortunately I'm not an expert on libmagic, so I don't know what
> the limitations are.
>
> What version of suricata are you running?  Victor Julien has said that
> your sig loads fine for him, which if it works implies you can now do
> file extraction using hyperscan, instead of libmagic.  So, for example,
> you could add the 'filestore' keyword to the 'ET POLICY PE EXE or DLL
> Windows file download HTTP' and avoid the overhead of libmagic entirely.
>
> I just tested this on v3.2.1 and it's working for PE http downloads!
> This is a *huge* win as libmagic kills performance.
>
> This is documented, but I guess I missed this as a feature addition.
>
> http://suricata.readthedocs.io/en/latest/rules/file-keywords.html?highlight=filestore
>
> I'm copying Victor as you should probably put a note in the
> documentation to avoid using the 'libmagic' keyword, as it really
> impacts performance on a busy sensor.
>
> -Coop
>
> On 3/10/2017 9:36 AM, erik clark wrote:
> > There is a giant problem with using a magic entry though. I have
> > absolutely no idea where in the file that packed statement would be; It
> > might be 30 bytes in, it might be 300 bytes in, or more. Because of
> > this, I have no offset I can provide to begin looking for the string.
> > Even when I specify it with
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
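As an added illustration (not code from the thread, from Emerging Threats, or from the Suricata project) of why the PE rule can carry `filestore` without libmagic: a PE file always has "MZ" at offset 0, a 4-byte little-endian pointer (e_lfanew) at offset 0x3c, and "PE\0\0" at that pointer, so the whole check reduces to fixed-offset content matches and one `byte_jump`, which the pattern matcher handles. The "packed" string discussed earlier in the thread has no such fixed anchor, which is why it needs Suricata's `filemagic` keyword (the one backed by libmagic) instead. The rule sketch in the docstring is constructed for this example, not the real ET rule text, and the `is_pe`/`build_fake_pe` helpers and the sample bytes they produce are likewise constructed here.

```python
"""
Added example (not from the mailing-list thread or the Suricata project).

Reimplements in Python the same fixed-offset PE check that a content-only
Suricata rule performs, to show why no libmagic call is needed for this
file type. Constructed rule sketch (assumed layout, not the actual ET rule):

  alert http any any -> $HOME_NET any (msg:"CONSTRUCTED PE download"; \
    flow:established,to_client; file_data; content:"MZ"; depth:2; \
    byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; \
    within:4; filestore; sid:9000001; rev:1;)

  "MZ" at 0, then 58 bytes past the match lands at 0x3c where e_lfanew is
  read; byte_jump moves past the 4 read bytes and e_lfanew further, so
  distance:-64 backs up to e_lfanew itself, where "PE\0\0" must sit.
"""
import struct


def is_pe(buf: bytes) -> bool:
    """Return True if buf starts like a PE image: MZ stub plus PE signature
    at the offset stored in e_lfanew (offset 0x3c)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # Guard against a pointer past the end of the buffer.
    if e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-like blob for testing; not a real executable.
    Only the three fields the check inspects are populated."""
    blob = bytearray(e_lfanew + 4)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, e_lfanew)
    blob[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(blob)


if __name__ == "__main__":
    # Constructed samples: a PE-like blob, a bare MZ stub, and an ELF header.
    for label, sample in [("pe-like", build_fake_pe()),
                          ("mz-only", b"MZ" + b"\x00" * 100),
                          ("elf", b"\x7fELF" + b"\x00" * 100)]:
        print(f"{label}: is_pe={is_pe(sample)}")
```

Run stand-alone it prints True for the constructed PE-like blob and False for the other two samples; the same three cases are what a rule built on `content`/`byte_jump` alone distinguishes, with no per-file libmagic work.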