[Oisf-users] File carving techniques with suricata

Peter Manev petermanev at gmail.com
Tue Feb 19 11:11:41 UTC 2013


I would suggest using "filestore" on the office/pdf file rules ..... then
probably a script that just feeds the files from the /var/log/files dir to
clamav ?


On Tue, Feb 19, 2013 at 10:30 AM, C. L. Martinez <carlopmart at gmail.com> wrote:

> Hi all,
>  I would like to deploy some type of file carving technique (automated
> or not) in my actual infrastructure (three suricata sensors with full
> pcap traffic captured). In this first stage, I am only interested in
> office (word and excel files) and pdf files (and only those that come via
> http requests) and send them to a clamav process or analyze them using
> cuckoo sandbox.
>  I see something like this in
> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
> sensors are in IDS mode.
>  Has somebody tried something like this? Any tip or example?
>  Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Peter Manev
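A concrete version of the filestore-then-clamav pipeline Peter sketches, as an added example that is not from the thread or from the Suricata project. It assumes the Suricata 1.x file-store layout (each extracted file `file.N` next to a `file.N.meta` text file with `MAGIC:` and `STATE:` lines), that the office/pdf rules already carry the `filestore` keyword, and that `clamscan` is on the PATH; the directory and scanner paths are assumptions settable by environment variable.

```shell
#!/bin/sh
# Added example (not from the thread): pick the Office/PDF files that Suricata's
# "filestore" keyword wrote to its file-store directory and hand them to clamscan.
# Assumed layout (Suricata 1.x): file.N plus file.N.meta, where the .meta file
# carries a "MAGIC:" line (libmagic output) and a "STATE:" line that is CLOSED
# once the transfer was fully extracted.

FILESTORE_DIR="${FILESTORE_DIR:-/var/log/suricata/files}"   # assumption
CLAMSCAN="${CLAMSCAN:-clamscan}"                             # assumption

# Print the path of every fully extracted file whose libmagic type is PDF or
# Microsoft Office (OLE2 "Composite Document File" covers legacy .doc/.xls).
select_office_pdf() {
    dir="$1"
    for meta in "$dir"/file.*.meta; do
        [ -f "$meta" ] || continue
        data="${meta%.meta}"
        [ -f "$data" ] || continue
        # Skip partial transfers: clamav would only see a truncated object.
        grep -q '^STATE: *CLOSED' "$meta" || continue
        magic=$(sed -n 's/^MAGIC: *//p' "$meta")
        case "$magic" in
            PDF\ document*|Microsoft\ Office*|Microsoft\ Word*|Microsoft\ Excel*|Composite\ Document\ File*)
                printf '%s\n' "$data" ;;
        esac
    done
}

# Scan the selected files in one clamscan run; exit status follows clamscan
# (0 clean, 1 infected, 2 error). Nothing to scan is reported as clean.
scan_office_pdf() {
    files=$(select_office_pdf "$1")
    [ -n "$files" ] || return 0
    printf '%s\n' "$files" | xargs "$CLAMSCAN" --infected
}

# Usage: sh scan_filestore.sh /var/log/suricata/files
# (no argument: only define the functions, e.g. when sourced from cron wrappers)
if [ -n "${1:-}" ]; then scan_office_pdf "$1"; fi
```

File extraction only needs the sensor to see the HTTP stream, so the same `filestore` rules work in IDS mode; the `.meta` key names above are the Suricata 1.x ones and should be checked against the sensor's version.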
