[Oisf-devel] how to setup the suricata for extracting the files from ftp protocol and save into disk

Xiuheng Wu metzengerstein2 at gmail.com
Wed Mar 21 03:17:44 UTC 2018


> alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
Since you specified `http` as protocol keyword, ftp traffic would not match. Try `ftp` or just `any`.
You can also try to set `force-filestore: yes` in suricata.yaml to test the extraction without a rule file.

Wu Xiuheng

> On 2018-03-19, at 17:34, zhangqs <zhangqs at act.buaa.edu.cn> wrote:
> Hi guys,
> I have been struggling for a few days with the file extraction function; the reference doc is: http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?highlight=ftp. The protocol that I want to use is FTP.
> 1) Suricata version is the latest, cloned from GitHub.
> 2) I setup the suricata.yaml: file-store.enabled: yes
> 3) I created a rule file hello.rules; its content is:
> alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
> 4) ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
> 5) make && make install 
> My testing pcap is in the attachment, but I cannot find that the file (Music.mp3) was extracted and saved to disk (/var/log/suricata/files/).
> Has anybody ever been successful in extracting an FTP file to disk?
> I then read the code, and cannot find which code is responsible for saving the file to disk.
> I guess the process is:
> FTPDataParseRequest-->FTPDataParse-->FileOpenFile|FileAppendData-->StreamingBuffer
> but the data is still in memory; where is the StreamingBuffer saved to disk?
> Any advice is welcome.
> Thanks a lot,
> Kris
> <ftp.pcap>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
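The two suggestions in the reply at the top (a rule protocol that actually sees FTP traffic, and `force-filestore` for testing without rules) as one configuration fragment. This is an added example, not from the thread or the Suricata project; it assumes the file-store v2 key names (Suricata 4.1 and later) and the output directory named in the original post.

```yaml
# Added example, constructed for illustration: suricata.yaml fragment for FTP file extraction.
app-layer:
  protocols:
    ftp:
      enabled: yes          # without the FTP parser no file context exists to store

file-store:
  version: 2                # v2 layout; v1 used `log-dir` instead of `dir`
  enabled: yes              # what the original post already had
  force-filestore: yes      # store every file seen, no rule required (good for a first test)
  dir: /var/log/suricata/files
  stream-depth: 0           # 0 = no reassembly depth limit, so a large transfer is not cut short

# Rule file (hello.rules). The original line only ever matched HTTP, so the FTP
# transfer never reached `filestore`:
#   alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
# Corrected as the reply suggests, protocol `any` so FTP data is matched:
#   alert any any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
```

To check against the attached capture without touching live traffic, run `suricata -c suricata.yaml -S hello.rules -r ftp.pcap -l /tmp/out` and look for stored files under the configured directory.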