[Oisf-devel] Extracting file from stream

Al MailingList alpal.mailinglist at gmail.com
Sun Jan 24 19:50:16 UTC 2010


I would have thought also that the advantage of doing it in an engine like Suricata
instead of tcpxtract is that you can better handle things like gzip,
chunked encoding, etc., since the engine is probably already handling
all these things?

Al


On Thu, Jan 21, 2010 at 8:02 AM, Yao-Min Chen <Yaomin.Chen at sun.com> wrote:
> One reason for doing full capture and file extraction is to detect malware
> files in transit, so we can either block the files or immediately report the
> host that receives such a file.  The latter can be used as a trigger for
> first responses.
>
> If Suricata can do this in memory instead of handing off the pcap files to
> external tools there is efficiency and response time to be gained.
>
> Yaomin
>
> On 01/20/10 23:38, Victor Julien wrote:
>
> The ISC post lists quite a few tools that already support extracting
> files from pcaps. Is there something new and unsupported by those tools
> you are looking for in Suricata?
>
> Will Metcalf wrote:
>
>
> Jerry,
>
> We will keep this in mind, although I think stuff like this may belong
> in post-analysis.  That being said does anybody have an interest in
> flow/full traffic capture as an option?
>
> Regards,
>
> Will
>
> On Wed, Jan 20, 2010 at 4:22 PM, Jerry <jerry at cybercave.cz> wrote:
>
>     Hi development team/list,
>     I have a question regarding features development. Are you planning to
>     include extraction files from packet stream into Suricata?
>
>     It would be nice to have something that covers this issue:
>     http://isc.sans.org/diary.html?storyid=6961
>
>     Thank you very much in advance
>
>     Jerry
>
>     --
>     Defending network against intrusion is like trying to keep a squid
>     inside a mesh bag. Question is, who will give up first :)
>
>     _______________________________________________
>     Oisf-devel mailing list
>     Oisf-devel at openinfosecfoundation.org
>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>

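As an added illustration of Al's point about gzip and chunked encoding (example code written for this page, not code from the thread or from Suricata or tcpxtract): a constructed HTTP response carrying a small PNG is dechunked and gunzipped the way a stream-aware engine would see it, while signature carving on the raw bytes never finds the file. The response, the PNG payload and the `extract_file`/`carve_naive` helpers are all constructed for the example.

```python
import gzip
import hashlib

# Constructed sample file: PNG signature plus filler, served gzip + chunked.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"A" * 40
_compressed = gzip.compress(PAYLOAD)

def _chunk(data, size):
    """Encode data with HTTP/1.1 chunked transfer encoding (small chunks)."""
    out = b""
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return out + b"0\r\n\r\n"  # zero-length terminator chunk

RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + _chunk(_compressed, 7)
)

def dechunk(body):
    """Reassemble a chunked body; stops at the zero-length terminator."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return out
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows each chunk

def extract_file(raw):
    """Decode the response as a protocol-aware engine would: headers,
    transfer encoding, then content encoding. Returns (bytes, sha256)."""
    head, body = raw.split(b"\r\n\r\n", 1)
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        k, v = line.split(b":", 1)
        headers[k.strip().lower()] = v.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body, hashlib.sha256(body).hexdigest()

def carve_naive(raw):
    """Signature carving on the raw on-the-wire bytes, as a pcap carver does."""
    return raw.find(b"\x89PNG\r\n\x1a\n") != -1
```

The same normalisation is what lets a hash or signature match on the reconstructed file rather than on the compressed, chunk-framed bytes that crossed the wire.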