[Oisf-devel] how to setup the suricata for extracting the files from ftp protocol and save into disk
zhangqs
zhangqs at act.buaa.edu.cn
Wed Mar 21 09:41:30 UTC 2018
Thanks Wu Xiuheng,
I have set force-filestore to yes in suricata.yaml, but it still
does not work. After diving into the source code, I found the real reason is
caused by dyn_port == 0. I continued to check why the dyn_port is 0,
and I found that the FTP_COMMON_PORT case in the method FTPParseRequest doesn't
handle the PORT command; please see my PR:
https://github.com/OISF/suricata/pull/3302.
Best regards,
Kris
On 2018-03-21 11:17, Xiuheng Wu wrote:
> Hi,
>
> > alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
> Since you specified `http` as protocol keyword, ftp traffic would not
> match. Try `ftp` or just `any`.
> You can also try to set ‘force-filestore: yes’ in suricata.yaml to
> test the extraction without a rule file.
>
> Regards,
> Wu Xiuheng
>
>
> On 2018-03-19 17:34, zhangqs <zhangqs at act.buaa.edu.cn> wrote:
>
>> Hi guys,
>>
>> I have been struggling for a few days with the file extraction function;
>> the reference doc is:
>> http://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html?highlight=ftp.
>> The protocol that I want to use is FTP.
>> 1) Suricata version is the latest, cloned from github.
>> 2) I set up suricata.yaml with: file-store.enabled: yes
>> 3) I create a rule file hello.rules, its content is:
>> alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
>> 4) ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
>> 5) make && make install
>>
>> My testing pcap is in the attachment, but I cannot find that the
>> file (Music.mp3) was extracted and saved to disk
>> (/var/log/suricata/files/).
>> Has anybody ever been successful in extracting an FTP file to disk?
>>
>> And then I read the code, and cannot find which code is responsible
>> for saving the file to disk.
>> I guess the process is:
>> FTPDataParseRequest-->FTPDataParse-->FileOpenFile|FileAppendData-->StreamingBuffer
>> but the data is still in memory; where is the StreamingBuffer saved
>> to disk?
>>
>> Any advice is welcome.
>> Thanks a lot,
>> Kris
>>
>> <ftp.pcap>
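The failure Kris traced (dyn_port staying 0 because the PORT command was never parsed, so the data channel is never registered and no file reaches the file store) comes down to parsing the host/port tuple on the control channel. The following is an added, stand-alone example that is not Suricata's own parser: it extracts the data-channel port from a client `PORT h1,h2,h3,h4,p1,p2` line and, going one step beyond the thread, from the server's `227` reply to PASV, and rejects malformed or out-of-range fields so that 0 is only ever returned for "no data channel announced". The sample lines in `main` are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Parse the six comma-separated byte fields shared by "PORT h1,h2,h3,h4,p1,p2"
 * and "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", starting at s.
 * Returns the data-channel port (p1*256 + p2), or 0 if any field is missing,
 * non-numeric, or larger than 255. Trailing text (")", "\r\n") is ignored. */
static uint16_t ftp_parse_hostport(const char *s)
{
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        unsigned n = 0;
        while (isdigit((unsigned char)*s)) {
            n = n * 10 + (unsigned)(*s++ - '0');
            if (n > 255)            /* each field is a single octet */
                return 0;
        }
        v[i] = n;
        if (i < 5 && *s++ != ',')   /* fields must be separated by commas */
            return 0;
    }
    return (uint16_t)(v[4] * 256 + v[5]);
}

/* Handle one control-channel line. Returns the announced data-channel port
 * for a client PORT command or a server 227 (PASV) reply; 0 for anything
 * else, which is exactly the "dyn_port == 0" state the thread describes. */
uint16_t ftp_extract_dyn_port(const char *line)
{
    if (strncasecmp(line, "PORT ", 5) == 0)
        return ftp_parse_hostport(line + 5);
    if (strncmp(line, "227 ", 4) == 0) {
        const char *paren = strchr(line, '(');
        if (paren != NULL)
            return ftp_parse_hostport(paren + 1);
    }
    return 0;
}

int main(void)
{
    /* Constructed control-channel lines, not from the attached pcap. */
    const char *lines[] = { "PORT 192,168,1,10,4,1\r\n",
                            "227 Entering Passive Mode (10,0,0,5,195,80)\r\n",
                            "RETR Music.mp3\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("dyn_port=%u for %s", ftp_extract_dyn_port(lines[i]), lines[i]);
    return 0;
}
```

A port of 0 from this function means the line announced no usable data channel, so a caller that registers data-channel flows should treat it as "skip", not as port 0.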