[Oisf-devel] file extraction -- Re: [COMMIT] OISF branch, master, updated. a556338936ad3cd2b0379a6985fb62084368d99e
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Nov 29 17:20:26 UTC 2011
On 29/11/11 16:54, Victor Julien wrote:
> From my blog:
> http://www.inliniac.net/blog/2011/11/29/file-extraction-in-suricata.html
>
> File extraction in Suricata
>
> Today I pushed out a new feature in Suricata I’m very excited about. It
> has been long in the making and with over 6000 new lines of code it’s a
> significant effort. It’s available in the current git master. I’d
> consider it alpha quality, so handle with care.
This is great :)
> Finally there is the filestore keyword. It is the simplest of all: if
> the rule matches, the files will be written to disk.
I've been trying this with a few pcaps. However, I've found if I've
added "filestore" to some rules, it seems to write files even when they
don't match.
I've got a couple of examples of truncated files as well, even with
libhtp/default-config/response-body-limit: 0
stream/reassembly/depth: 0
though it's possible, I suppose, that the pcaps are broken.
In practice, I think limits of 1MB (it's very rare to see a malicious
binary bigger than this) or perhaps 10MB should be enough for most
cases. Is it possible to have a time limit as well (similar to the
streamdb Martin was talking about)?
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
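To make the two settings discussed in the thread concrete, here is an added example (not from the original post, nor from the Suricata project's shipped suricata.yaml) of the suricata.yaml fragments involved, together with a rule that uses the filestore keyword. The key names follow the form used in later released Suricata 1.x versions and are assumed to apply to the git master of the time; the rule, the signature ID and the 1mb limit are constructed for illustration, the limit being the one Chris suggests as sufficient for most malicious binaries.

```yaml
# Added example: suricata.yaml fragments for file extraction.
# The paired rule (constructed; sid in the local range) would live in a
# rules file loaded by suricata.yaml, e.g. local.rules:
#
#   alert http any any -> any any (msg:"Stored .exe download"; \
#       flow:to_client,established; fileext:"exe"; filestore; \
#       sid:1000001; rev:1;)
#
# "filestore" only writes the file to disk if the rest of the rule matches,
# so the fileext match is what should gate storage.

outputs:
  # Directory (relative to the log dir) into which extracted files are written.
  - file-store:
      enabled: yes
      log-dir: files
      force-magic: no   # run libmagic on every file, even without a rule match

libhtp:
  default-config:
    # Chris's setting: 0 means no limit on inspected response bodies.
    # Bodies larger than the limit are truncated, so a too-small value here
    # is one cause of truncated extracted files.
    response-body-limit: 0
    # Practical alternative from the thread: cap inspection at 1mb, which
    # covers almost every malicious binary while bounding memory use.
    # response-body-limit: 1mb

stream:
  reassembly:
    # 0 disables the reassembly depth cap; otherwise streams deeper than
    # this are no longer inspected and any file beyond it is cut off.
    # A value such as 1mb should match response-body-limit, because the
    # smaller of the two decides where extraction stops.
    depth: 0
```

Both limits must be raised together: if stream reassembly stops at a depth smaller than the HTTP body limit, extraction stops there regardless of the libhtp setting. When files still come out truncated with both set to 0, the next thing to check is the pcap itself, as Chris notes.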