[Oisf-devel] Extracting file from stream

Yao-Min Chen Yaomin.Chen at Sun.COM
Tue Jan 26 09:11:37 UTC 2010


On 01/24/10 11:50, Al MailingList wrote:
> I would have thought also that by doing it in an engine like Suricata
> instead of tcpxtract you can better handle things like gzip,
> chunked encoding, etc., since the engine is probably already handling
> all these things?
>
> Al
>
>   
I don't know enough engine details, but I think the inline gzip and 
chunked decoding will be quite handy to detect attacks embedded in HTTP 
transport.

Yaomin


> On Thu, Jan 21, 2010 at 8:02 AM, Yao-Min Chen <Yaomin.Chen at sun.com> wrote:
>   
>> One reason for doing full capture and file extraction is to detect malware
>> files in transit, so we can either block the files or immediately report the
>> host that receives such a file.  The latter can be used as a trigger for
>> first responses.
>>
>> If Suricata can do this in memory instead of handing off the pcap files to
>> external tools there is efficiency and response time to be gained.
>>
>> Yaomin
>>
>> On 01/20/10 23:38, Victor Julien wrote:
>>
>> The ISC post lists quite a few tools that already support extracting
>> files from pcaps. Is there something new and unsupported by those tools
>> you are looking for in Suricata?
>>
>> Will Metcalf wrote:
>>
>>
>> Jerry,
>>
>> We will keep this in mind, although I think stuff like this may belong
>> in post-analysis.  That being said does anybody have an interest in
>> flow/full traffic capture as an option?
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Jan 20, 2010 at 4:22 PM, Jerry <jerry at cybercave.cz> wrote:
>>
>>     Hi development team/list,
>>     I have a question regarding features development. Are you planning to
>>     include extraction of files from the packet stream in Suricata?
>>
>>     It would be nice to have something that covers this issue:
>>     http://isc.sans.org/diary.html?storyid=6961
>>
>>     Thank you very much in advance
>>
>>     Jerry
>>
>>     --
>>     Defending network against intrusion is like trying to keep a squid
>>     inside a mesh bag. Question is, who will give up first :)
>>
>>     _______________________________________________
>>     Oisf-devel mailing list
>>     Oisf-devel at openinfosecfoundation.org
>>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>>
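The point Al and Yaomin make above, that an engine which already undoes chunked transfer encoding and gzip content encoding can inspect content that a raw-packet tool like tcpxtract never sees, shown as an added example. This is not code from the thread or from Suricata; the HTTP response, the marker string and every function name here are constructed for the illustration.

```python
import gzip
import hashlib
import re

# Constructed sample payload: the marker is an arbitrary string chosen for this
# example, not a real malware signature.
MARKER = b"EICAR-like-marker"
PLAIN_BODY = (b"<html><body>\n"
              + b"benign padding line\n" * 20
              + b"hidden " + MARKER + b" string\n"
              + b"</body></html>\n")

SIGNATURE = re.compile(re.escape(MARKER))


def build_chunked_gzip_response(body: bytes, chunk_size: int = 7) -> bytes:
    """Wrap a body the way a server would: gzip content encoding first,
    then chunked transfer encoding. Small chunks guarantee that no
    contiguous run of wire bytes is long enough to contain the marker."""
    compressed = gzip.compress(body)
    chunks = [compressed[i:i + chunk_size]
              for i in range(0, len(compressed), chunk_size)]
    framed = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks)
    framed += b"0\r\n\r\n"  # last-chunk followed by an empty trailer
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + framed


def split_headers(raw: bytes):
    """Return (status line, lower-cased header dict, raw body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return lines[0], headers, body


def dechunk(data: bytes) -> bytes:
    """Undo chunked transfer encoding (RFC 7230 section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        # chunk-size may carry ";ext=val" extensions; only the hex size matters
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            break  # optional trailer headers follow; not needed here
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after data")
        pos += 2
    return bytes(out)


def decode_body(raw: bytes) -> bytes:
    """Strip transfer encoding, then content encoding, giving the bytes the
    browser (and therefore any file-extraction or signature logic) must see."""
    _, headers, body = split_headers(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def matches(data: bytes) -> bool:
    """Naive content match, as a raw-packet tool would do on wire bytes."""
    return SIGNATURE.search(data) is not None


def file_digest(data: bytes) -> str:
    """Hash of the extracted file; only meaningful on the decoded bytes."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    wire = build_chunked_gzip_response(PLAIN_BODY)
    print("match on wire bytes:     ", matches(wire))                              # False
    print("match after dechunk only:", matches(dechunk(split_headers(wire)[2])))   # False
    print("match after full decode: ", matches(decode_body(wire)))                 # True
    print("sha256 of extracted file:", file_digest(decode_body(wire)))
```

The order of the two decodes is fixed by HTTP: transfer encoding is undone first, content encoding second. A real engine does this incrementally as stream segments arrive rather than after buffering the whole response, which is where the efficiency gain Yaomin mentions comes from, but the inspection result is the same: the marker, and the file hash you would compare against a blocklist, are only visible on the fully decoded bytes.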
