[Oisf-users] Suricata File Carving - Malware Detection

Kevin Ross kevross33 at googlemail.com
Thu Apr 14 08:16:05 UTC 2011


Probably. I am not a programmer so I am unsure of the practicalities of
implementing a dream :) WIth multiple unified files would it all be able to
be processed into a single front end (i.e barnyard2 into a database for
viewing in BASE or snorby)?

On 14 April 2011 09:10, Victor Julien <victor at inliniac.net> wrote:

> On 04/11/2011 01:15 PM, Kevin Ross wrote:
> > I am definitely not suggesting this should be done on the wire or by the
> > main Suricata processes. What I mean once suricata drops it to disk maybe
> it
> > could have a process to analyse and feed the alerts back into suricata to
> > have it output an alert in unified2. Sure once suricata has file_extract
> > options creating your own script to run things on the file is easy but
> > suricata could do it straight out (or at least have it pass off). This
> way
> > those users who are not sure of the actual benefits or how to analyse
> files
> > on disk to detect malware and stuff don't have to think about it.
> Examples
> > of what could be done:
>
> So you're suggesting a way to have Suricata somehow accept "alerts" from
> 3rd party tools that it then can write to unified2?
>
> Wouldn't it make more sense to have that tool write it's own unified2 file?
>
> > - Scan file with clamav
> > - Check for suspicious IATs such as ones checking for debuggers or other
> > stuff and the ability to possible threshold against a score. That way
> > suricata rather then generate an alert for every executable, suspicious
> > executables can be alerted on only (which with the right tuning could
> even
> > help zero in on unknown malware samples).
> > - Alerting on file type mismatches i.e server claims to send an image and
> > yet suricata is carving out an exe from the stream or carving flash out
> of
> > an excel file like the recent vulnerability (I guess this one could
> possibly
> > be handed by suricata itself if a user wanted such alerts).
>
> This is actually a planned feature. It's being developed for a 3rd party
> contract, but as soon that is completed the code will flow into Suricata.
>
> > My point is while making up your own scripts to do stuff (run clamav,
> > jsunpack etc on files) it is nice to have it handle it by default (if you
> > wanted it) and means more users who are learning or unsure how to take
> > advantage of file carving or why you would want to could benefit from it.
>
> I see the use for this, I'm just still not convinced Suricata should do
> much more than drop the file to disk.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110414/76a448fc/attachment-0002.html>


More information about the Oisf-users mailing list