Hi,<br><br>It is excellent, and with some scripting you can integrate it with Cuckoo Sandbox, which, if you filter out the suspicious files, you can use to analyze them: <a href="http://www.cuckoosandbox.org/about.html">http://www.cuckoosandbox.org/about.html</a>. Although, to get accurate carving, it can sometimes be best to re-download the file based on the information in the meta file, if you can determine that it is suspicious for you (suspicious attributes of the file, geolocation, etc.).<br>
<br>Regards,<br>Kevin<br><br><div class="gmail_quote">On 19 February 2013 09:30, C. L. Martinez <span dir="ltr"><<a href="mailto:carlopmart@gmail.com" target="_blank">carlopmart@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br>
<br>
I would like to deploy some type of file carving technique (automated<br>
or not) in my current infrastructure (three Suricata sensors with full<br>
pcap traffic captured). In this first stage, I am only interested in<br>
Office (Word and Excel) and PDF files (and only those that come via<br>
HTTP requests), and in sending them to a ClamAV process or analyzing them<br>
using Cuckoo Sandbox.<br>
<br>
I see something like this in<br>
<a href="https://home.regit.org/2012/10/defend-your-network-from-word/" target="_blank">https://home.regit.org/2012/10/defend-your-network-from-word/</a>, but my<br>
sensors are in IDS mode.<br>
<br>
Has somebody tried something like this? Any tip or example?<br>
<br>
Thanks.<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br>
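An added example of the glue both messages describe (this is not code from the thread, nor from the Suricata or Cuckoo projects). It assumes the sensors run Suricata's file-store output with force-magic and force-md5 enabled, that rules using the filemagic and filestore keywords (for instance filemagic:"PDF document"; filestore;) limit what gets stored to Office and PDF files over HTTP, and that each stored files/file.N comes with a files/file.N.meta in the Suricata 1.x "KEY: value" layout shown in the constructed sample. The script parses the meta records, keeps only HTTP-carried Office/PDF files, sends completed carves to clamscan (and anything ClamAV does not clear on to Cuckoo), and, following the advice above, rebuilds the original URL for transfers the passive sensor did not see to the end so they can be re-downloaded instead of scanned truncated. The clamscan and submit.py paths are placeholders.

```python
"""Triage Suricata file-store output for HTTP-carried Office/PDF files.

Added example, not code from the thread or from Suricata/Cuckoo. Assumes the
Suricata 1.x file-store layout (files/file.N beside files/file.N.meta, one
"KEY: value" per .meta line); check a real .meta on your sensor first.
"""
import hashlib
import os
import re
import subprocess
import sys

# Constructed sample record in the assumed layout (not captured from a sensor).
SAMPLE_META = """\
TIME:              02/19/2013-09:30:12.123456
SRC IP:            203.0.113.10
DST IP:            10.1.2.3
HTTP URI:          /docs/invoice.pdf
HTTP HOST:         downloads.example.net
MAGIC:             PDF document, version 1.4
STATE:             CLOSED
MD5:               d41d8cd98f00b204e9800998ecf8427e
SIZE:              12345
"""

# libmagic descriptions of the formats asked about. MAGIC is only filled in
# when force-magic: yes is set in the file-store output section.
INTERESTING_MAGIC = re.compile(
    r"^(PDF document|Microsoft (Word|Excel|Office|OOXML)|Composite Document File V2)",
    re.IGNORECASE)

CLAMSCAN = "/usr/bin/clamscan"                 # assumed path
CUCKOO_SUBMIT = "/opt/cuckoo/utils/submit.py"  # assumed path


def parse_meta(text):
    """Turn the 'KEY:   value' lines of a .meta file into a dict."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def classify(meta):
    """Return 'ignore', 'scan' or 'redownload' for one carved file.

    Files without HTTP context and types outside the Office/PDF set are
    ignored. A transfer the sensor did not see to the end (STATE other than
    CLOSED) is not trusted: re-fetch the URL instead of scanning a truncated carve.
    """
    if not meta.get("HTTP HOST") or not meta.get("HTTP URI"):
        return "ignore"
    if not INTERESTING_MAGIC.match(meta.get("MAGIC", "")):
        return "ignore"
    return "scan" if meta.get("STATE") == "CLOSED" else "redownload"


def redownload_url(meta):
    """Rebuild the request URL from the meta record (plain HTTP only)."""
    uri = meta["HTTP URI"]
    return "http://%s%s" % (meta["HTTP HOST"], uri if uri.startswith("/") else "/" + uri)


def md5_matches(path, meta):
    """Compare a carved or re-downloaded file with the MD5 Suricata logged
    (force-md5: yes). A mismatch after re-download means the server served
    the analyst different content than it served the victim."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == meta.get("MD5", "").lower()


def clamscan_verdict(path):
    """clamscan exit status: 0 clean, 1 infected, anything else an error."""
    rc = subprocess.call([CLAMSCAN, "--no-summary", "--infected", path])
    return {0: "clean", 1: "infected"}.get(rc, "error")


def triage_dir(files_dir):
    """Walk a Suricata files/ directory, yielding (data_path, action, meta)."""
    for name in sorted(os.listdir(files_dir)):
        if name.endswith(".meta"):
            with open(os.path.join(files_dir, name)) as fh:
                meta = parse_meta(fh.read())
            yield os.path.join(files_dir, name[:-5]), classify(meta), meta


if __name__ == "__main__":
    for path, action, meta in triage_dir(sys.argv[1] if len(sys.argv) > 1 else "files"):
        if action == "redownload":
            print("re-fetch %s (STATE=%s)" % (redownload_url(meta), meta.get("STATE")))
        elif action == "scan":
            verdict = clamscan_verdict(path)
            print("%s %s %s" % (path, meta.get("MAGIC"), verdict))
            if verdict != "clean":   # anything ClamAV cannot clear goes to Cuckoo
                subprocess.call([sys.executable, CUCKOO_SUBMIT, path])
```

Run it as python triage.py /var/log/suricata/files on the sensor (or on a box the files/ directory is synced to). After re-downloading a file, md5_matches tells you whether the server gave you the same bytes it gave the client; a different hash is itself worth a closer look, since the server may be serving different content by User-Agent or source address.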