<div dir="ltr">Thanks. I'll try that route.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 11, 2016 at 4:23 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><span class=""><div><br></div><div><br>On 11 Aug 2016, at 21:12, Dave Florek <<a href="mailto:dave.a.florek@gmail.com" target="_blank">dave.a.florek@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Thanks Peter. <div><br></div><div>How can I find a list of all the libmagic types to pick out what's Javascript matching?</div></div></div></blockquote><div><br></div></span><div>The most accurate will be on the system the Suricata runs - copy over or find a JavaScript file and try - </div><div><br></div><div>file somejavascriptfile.js</div><div><br></div><div>That should return the filemagic info you are after.</div><span class=""><div><br></div><br><blockquote type="cite"><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 11, 2016 at 2:50 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
> --<br>
> Regards,<br>
> Peter Manev<br>
<span>> On 11 Aug 2016, at 17:12, Dave Florek <<a href="mailto:dave.a.florek@gmail.com" target="_blank">dave.a.florek@gmail.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> I'm trying to setup a rule to capture all Javascript (.js) files that are traversing my network. Here is the rule I created to do it. The problem is that it's giving me more files that are outside the .js extension and I'm wondering if the filemagic command has a property for javascript files or if there is a better way to construct the rule to capture only .js extension types.<br>
><br>
><br>
> alert http any any -> any any (msg:"FILEXT js"; flow:established,to_server;fil<wbr>estore; sid:9; rev:1;)<br>
<br>
<br>
</span>The rule above will try to store every single file it sees to disk.<br>
<br>
You should employ some additional file keywords (filemagic) in order to get just Java scripts. Some more info can be found here -<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords" rel="noreferrer" target="_blank">https://redmine.openinfosecfou<wbr>ndation.org/projects/suricata/<wbr>wiki/File-keywords</a><br>
<br>
<br>
><br>
> Thanks in advance,<br>
><br>
> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
> Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</blockquote></div><br></div>
</div></blockquote></span></div></blockquote></div><br></div>