[Oisf-devel] file extraction -- Re: [COMMIT] OISF branch, master, updated. a556338936ad3cd2b0379a6985fb62084368d99e

[Chris Wakelin]

On 29/11/11 16:54, Victor Julien wrote:
> From my blog:
> http://www.inliniac.net/blog/2011/11/29/file-extraction-in-suricata.html
> 
> File extraction in Suricata
> 
> Today I pushed out a new feature in Suricata I’m very excited about. It
> has been long in the making and with over 6000 new lines of code it’s a
> significant effort. It’s available in the current git master. I’d
> consider it alpha quality, so handle with care.

This is great :)

> Finally there is the filestore keyword. It is the simplest of all: if
> the rule matches, the files will be written to disk.

I've been trying this with a few pcaps. However, I've found if I've
added "filestore" to some rules, it seems to write files even when they
don't match.

I've got a couple of examples of truncated files as well, even with

libhtp/default-config/response-body-limit: 0
stream/reassembly/depth: 0

though it's possible, I suppose, that the pcaps are broken.

In practice, I think limits of 1MB (it's very rare to see a malicious
binary bigger than this) or perhaps 10MB should be enough for most
cases. Is it possible to have a time limit as well (similar to the
streamdb Martin was talking about)?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094