[Oisf-users] Suricata File Carving - Malware Detection

Victor Julien victor at inliniac.net
Thu Apr 14 08:10:56 UTC 2011

On 04/11/2011 01:15 PM, Kevin Ross wrote:
> I am definitely not suggesting this should be done on the wire or by the
> main Suricata processes. What I mean once suricata drops it to disk maybe it
> could have a process to analyse and feed the alerts back into suricata to
> have it output an alert in unified2. Sure once suricata has file_extract
> options creating your own script to run things on the file is easy but
> suricata could do it straight out (or at least have it pass off). This way
> those users who are not sure of the actual benefits or how to analyse files
> on disk to detect malware and stuff don't have to think about it. Examples
> of what could be done:

So you're suggesting a way to have Suricata somehow accept "alerts" from
3rd party tools that it then can write to unified2?

Wouldn't it make more sense to have that tool write its own unified2 file?

> - Scan file with clamav
> - Check for suspicious IATs such as ones checking for debuggers or other
> stuff and the ability to possibly threshold against a score. That way
> suricata rather than generate an alert for every executable, suspicious
> executables can be alerted on only (which with the right tuning could even
> help zero in on unknown malware samples).
> - Alerting on file type mismatches i.e. server claims to send an image and
> yet suricata is carving out an exe from the stream or carving flash out of
> an excel file like the recent vulnerability (I guess this one could possibly
> be handled by suricata itself if a user wanted such alerts).

This is actually a planned feature. It's being developed for a 3rd party
contract, but as soon as that is completed the code will flow into Suricata.

> My point is while making up your own scripts to do stuff (run clamav,
> jsunpack etc on files) it is nice to have it handle it by default (if you
> wanted it) and means more users who are learning or unsure how to take
> advantage of file carving or why you would want to could benefit from it.

I see the use for this, I'm just still not convinced Suricata should do
much more than drop the file to disk.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
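The file type mismatch check discussed in this thread (server claims an image, the carved file is an executable; flash carved out of an Excel document) is the kind of post-processing a user could run over files Suricata has dropped to disk. The following is an added illustration, not Suricata code and not Kevin's or Victor's; it assumes the declared Content-Type has already been recovered from the HTTP transaction by some other means, and the magic-byte table and sample inputs are constructed for the example.

```python
"""Hypothetical post-processing check for files already extracted to disk:
compare the server's declared Content-Type with the file's magic bytes and
flag mismatches. Added example; not part of Suricata."""
from typing import Optional

# Leading-byte signatures mapped to a coarse type family (constructed,
# common formats only; a real deployment would use libmagic or similar).
MAGIC = [
    (b"MZ", "executable"),                       # PE / DOS stub
    (b"\x7fELF", "executable"),                  # ELF
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),                  # JPEG
    (b"GIF87a", "image"), (b"GIF89a", "image"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"), # legacy Office (xls/doc)
    (b"PK\x03\x04", "zip"),                      # zip / OOXML / jar
]

# Declared Content-Type prefix mapped to the family the server is claiming.
# A value of None means the type is too generic to call a mismatch.
DECLARED = {
    "image/": "image",
    "application/pdf": "pdf",
    "application/x-shockwave-flash": "flash",
    "application/x-msdownload": "executable",
    "application/vnd.ms-excel": "ole",
    "application/msword": "ole",
    "application/zip": "zip",
    "application/octet-stream": None,
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the family implied by the file's leading bytes, or None."""
    for sig, family in MAGIC:
        if data.startswith(sig):
            return family
    return None


def declared_family(content_type: Optional[str]) -> Optional[str]:
    """Map a Content-Type header value to a family, ignoring parameters."""
    if not content_type:
        return None
    ct = content_type.split(";")[0].strip().lower()
    for prefix, family in DECLARED.items():
        if ct.startswith(prefix):
            return family
    return None


def check_file(data: bytes, content_type: Optional[str]) -> Optional[dict]:
    """Return an alert dict when declared and actual families disagree.

    Returns None when either side is unknown/generic so that a missing
    header or an unrecognised format never produces a false positive.
    """
    actual = sniff_type(data)
    claimed = declared_family(content_type)
    if actual is None or claimed is None or actual == claimed:
        return None
    # Executables hiding behind a benign type deserve a higher score so a
    # threshold can separate them from ordinary sloppy servers.
    score = 10 if actual == "executable" else 5
    return {"alert": "file type mismatch", "declared": claimed,
            "actual": actual, "score": score}


if __name__ == "__main__":
    # Constructed samples standing in for files carved from HTTP streams.
    samples = [
        ("logo.jpg", b"MZ\x90\x00" + b"\x00" * 60, "image/jpeg"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", "image/jpeg"),
        ("report.xls", b"CWS\x0a" + b"\x00" * 16, "application/vnd.ms-excel"),
        ("blob.bin", b"MZ\x90\x00", "application/octet-stream"),
    ]
    for name, data, ctype in samples:
        print(name, check_file(data, ctype))
```

Running the demo flags `logo.jpg` (executable declared as image) and `report.xls` (flash declared as Excel) while leaving the real JPEG and the generic octet-stream download alone; the returned dicts are what a wrapper script would turn into whatever alert format it writes.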
