<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi </div><div><br data-mce-bogus="1"></div><div>I am using file extraction with Suricata version 4.0.0 RELEASE. The files are extracting with a few issues that I am not sure how to explain. I am only downloading EXE type files. The rules are below. The problem is that, although the EXE files are downloaded, there are a lot of files with the Magic of "data" that are also downloaded. How can I prevent this?</div><div><br data-mce-bogus="1"></div><div><div>alert http any any -> any any (msg:"FILE magic -- DOS 1"; flow:established,to_client; filemagic:"COM executable for DOS"; filestore; sid:28; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- DOS 2"; flow:established,to_client; filemagic:"DOS executable (block device driver)"; filestore; sid:29; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- DOS 3"; flow:established,to_client; filemagic:"DOS executable (COM)"; filestore; sid:30; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- windows 2"; flow:established,to_client; filemagic:"PE32 executable (DLL) (console) Intel 80386 Mono\/.Net assembly, for MS Windows"; filestore; sid:31; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- windows 3"; flow:established,to_client; filemagic:"PE32+ executable (DLL) (console) x86-64, for MS Windows"; filestore; sid:32; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- windows 4"; flow:established,to_client; filemagic:"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"; filestore; sid:33; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- windows 5"; flow:established,to_client; filemagic:"PE32 executable (GUI) Intel 80386, for MS Windows"; filestore; sid:34; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE 
magic -- windows 5"; flow:established,to_client; filemagic:"PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows"; filestore; sid:35; rev:1;)</div><div><br></div><div>alert http any any -> any any (msg:"FILE magic -- windows 6"; flow:established,to_client; filemagic:"PE32+ executable (GUI) x86-64, for MS Windows"; filestore; sid:36; rev:1;)</div><div><br></div><div><br></div><div><br></div><div>Secondly, I am not entirely sure of the purpose of the "<span style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;" data-mce-style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">max-open-files:" option as shown below. In what case would I want to have something other than default? 
</span></div></div><div><br></div><div><div> - file-store:</div><div> enabled: yes # set to yes to enable</div><div> log-dir: files # directory to store the files</div><div> force-magic: yes # force logging magic on all stored files</div><div> # force logging of checksums, available hash functions are md5,</div><div> # sha1 and sha256</div><div> force-hash: [md5]</div><div> force-filestore: no # force storing of all files</div><div> # override global stream-depth for sessions in which we want to</div><div> # perform file extraction. Set to 0 for unlimited.</div><div> stream-depth: 0</div><div> #waldo: file.waldo # waldo file to store the file_id across runs</div><div> # uncomment to disable meta file writing</div><div> #write-meta: no</div><div> # uncomment the following variable to define how many files can</div><div> # remain open for filestore by Suricata. Default value is 0 which</div><div> # means files get closed after each write</div><div> <span style="background-color: rgb(255, 255, 0);" data-mce-style="background-color: #ffff00;">#max-open-files: 1000</span></div><div><br data-mce-bogus="1"></div><div>Any help will be appreciated. 
</div></div><div><br></div><div><br data-mce-bogus="1"></div><div data-marker="__SIG_PRE__"><div><span style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;">Jeremy Grove, SSCP</span><br style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;"><span style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;">Senior Information Security Analyst</span><br style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;"><span style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;">Quadrant Information Security</span><br style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;"><br style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;"><span style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;" data-mce-style="font-family: 'Segoe UI', 'Lucida Sans', sans-serif; font-size: 14.16px;">Learn more about our managed SIEM <span class="Object" id="OBJ_PREFIX_DWT149_com_zimbra_url" style="color: #005a95; cursor: pointer;" data-mce-style="color: #005a95; cursor: pointer;"><a href="https://a.quadrantsec.com/3D%22https://quadrantsec.com/SaganMSSP%22" target="_blank" style="color: #005a95; text-decoration: none; cursor: pointer;" data-mce-style="color: #005a95; text-decoration: none; cursor: 
pointer;">people + product</a></span></span><br><br><br></div></div></div></body></html>
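people + product</a>">
The post above stores files by libmagic label and then finds files labelled "data" in the store. Before deciding which rule or option to change, an analyst usually wants to know what those "data" files actually are: complete executables that libmagic did not label, partially extracted files, or something else. The script below is an added example, written for this editor's note and not taken from the mailing-list post or from the Suricata project. It reads the per-file metadata that Suricata 4.0's file-store writes next to each extracted file, cross-checks the `MAGIC:` label against the file's own header (an `MZ` stub whose `e_lfanew` points at the `PE\0\0` signature) and the `STATE:`/`SIZE:` fields, and sorts stored files into buckets for review. The `KEY: value` meta layout, the field names `MAGIC`, `STATE` and `SIZE`, and the `CLOSED`/`TRUNCATED` state values are modelled on the v1 meta files and are assumptions here; the meta texts and file bytes are constructed for the example.

```python
"""
Triage of files written by Suricata's file-store output (added example;
not code from the mailing-list post or from the Suricata project).

Assumed .meta layout (modelled on file-store v1): one "KEY: value" per line,
with at least MAGIC:, STATE: and SIZE: present. Sample data is constructed.
"""
import struct


def parse_meta(text: str) -> dict:
    """Parse 'KEY:   value' lines into a dict; keys are upper-cased and stripped."""
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        meta[key.strip().upper()] = value.strip()
    return meta


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(meta_text: str, data: bytes) -> str:
    """
    Classify one stored file by combining the meta record with the bytes on disk:
      'partial'        STATE is not CLOSED, or SIZE disagrees with the bytes on disk
      'pe'             header is PE and libmagic labelled it as an executable
      'pe-unlabelled'  header is PE but libmagic's label was not an executable (e.g. "data")
      'not-pe'         neither the label nor the header indicates a PE
    """
    meta = parse_meta(meta_text)
    magic = meta.get("MAGIC", "")
    state = meta.get("STATE", "")
    size = meta.get("SIZE", "")
    # Incomplete extraction is checked first: a truncated file cannot be judged by its header alone.
    if state != "CLOSED" or (size.isdigit() and int(size) != len(data)):
        return "partial"
    if is_pe(data):
        return "pe" if "executable" in magic else "pe-unlabelled"
    return "not-pe"


def summarize(samples) -> dict:
    """Count verdicts over (name, meta_text, data) triples; the per-file verdict is what an analyst reviews."""
    counts = {}
    for _name, meta_text, data in samples:
        verdict = triage(meta_text, data)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed 96-byte PE-shaped sample: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
PE_SAMPLE = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x00" * (96 - 0x44)
)

# Constructed meta records in the assumed file-store v1 layout.
META_PE = "MAGIC:             PE32 executable (GUI) Intel 80386, for MS Windows\nSTATE:             CLOSED\nSIZE:              96\n"
META_DATA_CLOSED = "MAGIC:             data\nSTATE:             CLOSED\nSIZE:              96\n"
META_DATA_TRUNC = "MAGIC:             data\nSTATE:             TRUNCATED\nSIZE:              40\n"
META_DATA_SMALL = "MAGIC:             data\nSTATE:             CLOSED\nSIZE:              16\n"

SAMPLES = [
    ("file.1", META_PE, PE_SAMPLE),              # labelled and really a PE
    ("file.2", META_DATA_CLOSED, PE_SAMPLE),     # PE on disk, but libmagic said "data"
    ("file.3", META_DATA_TRUNC, PE_SAMPLE[:40]), # extraction stopped early
    ("file.4", META_DATA_SMALL, b"\x00" * 16),   # genuinely not an executable
]

if __name__ == "__main__":
    for name, meta_text, data in SAMPLES:
        print(f"{name}: {triage(meta_text, data)}")
    print(summarize(SAMPLES))
```

Run it against a real store by reading each `file.N` and its `file.N.meta` pair into the same triple; the `partial` bucket is the one to look at first, since files that were cut off by stream depth or connection teardown carry no usable magic regardless of which `filemagic` rule fired.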