<div dir="ltr">There is a giant problem with using a magic entry though. I have absolutely no idea where in the file that packed statement would be; it might be 30 bytes in, it might be 300 bytes in, or more. Because of this, I have no offset I can provide to begin looking for the string. Even when I specify it with<div><br></div><div>0 string $hexhere packed</div><div><br></div><div>and use my custom magic file, it still comes back as text/plain; charset=us-ascii. </div><div><br></div><div>I tested this with a 5-byte text file containing "dos" and the following sig:</div><div><br></div><div>0 string \x64\x6f\x73 pack</div><div><br></div><div>and then did magic -C -m magic_file<br>file -i -m magic_file.mgc $testfile</div><div><br></div><div>No matter what I try, this comes back as an ASCII file....</div><div><br><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 9, 2017 at 12:48 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That's not how the file extraction rules work. You can match on file<br>
name, extension and "magic".<br>
<br>
If you want to match on content you need to use the filemagic keyword<br>
and build a custom magic file. Details are here:<br>
<br>
> <a href="http://stackoverflow.com/questions/7236191/how-to-create-a-custom-magic-file-database" rel="noreferrer" target="_blank">http://stackoverflow.com/questions/7236191/how-to-create-a-custom-magic-file-database</a><br>
<br>
You just define a pattern to match against (like<br>
"eval(function(p,a,c,k,e,d)" and then label it (Javascript eval packed).<br>
Libmagic does the context match, suricata matches against the returned<br>
label. So your rule would look like this:<br>
<br>
> alert http any any -> any any (msg:"FILE packed javascript detected"; filemagic:"Javascript eval packed"; filestore; sid:3; rev:1;)<br>
<br>
-Coop<br>
<div class="m_-4845697131967972267HOEnZb"><div class="m_-4845697131967972267h5"><br>
On 3/9/2017 6:25 AM, erik clark wrote:<br>
> I can't get filestore to work with this rule:<br>
><br>
> alert tcp $external any -> $home any (msg"bleh"; file_data;<br>
> content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; filestore;<br>
> flowbits:isset,menu.js;....)<br>
><br>
> Why can't I run filestore on this? I need to capture the entire file that<br>
> the sig fired on, but suri says something about conflicting keywords....<br>
><br>
> Thanks!<br>
<br>
<br>
</div></div><span class="m_-4845697131967972267HOEnZb"><font color="#888888">--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
<br>
</font></span></blockquote></div><br></div></div></div></div>