[Oisf-users] File carving techniques with suricata

C. L. Martinez carlopmart at gmail.com
Tue Feb 19 11:31:21 UTC 2013


Perfect!! Do you mean to use ET-files.rules to accomplish this?? In
this file, this appears:

#alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
#alert http any any -> any any (msg:"FILEMAGIC jpg(1)"; flow:established,to_server; filemagic:"JPEG image data"; filestore; sid:10; rev:1;)
#alert http any any -> any any (msg:"FILEMAGIC jpg(2)"; flow:established,to_server; filemagic:"JFIF"; filestore; sid:11; rev:1;)
#alert http any any -> any any (msg:"FILEMAGIC short"; flow:established,to_server; filemagic:"very short file (no magic)"; filestore; sid:12; rev:1;)
#alert http any any -> any any (msg:"FILE store all"; filestore; noalert; sid:15; rev:1;)
#alert http any any -> any any (msg:"FILE magic"; filemagic:"JFIF"; filestore; noalert; sid:16; rev:1;)
#alert http any any -> any any (msg:"FILE magic"; filemagic:"PNG"; filestore; noalert; sid:17; rev:1;)
#alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)
#alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (1)"; filemagic:"PNG image data, 1 x 1,"; sid:19; rev:1;)
#alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (2)"; filemagic:"PNG image data, 1 x 1|00|"; sid:20; rev:1;)
#alert http any any -> any any (msg:"FILE tracking GIF (1x1 pixel)"; filemagic:"GIF image data, version 89a, 1 x 1|00|"; sid:21; rev:1;)
#alert http any any -> any any (msg:"FILE pdf claimed, but not pdf"; flow:established,to_client; fileext:"pdf"; filemagic:!"PDF document"; filestore; sid:22; rev:1;)
#alert http any any -> any any (msg:"FILE magic"; filemagic:"GIF"; filestore; noalert; sid:23; rev:2;)
#alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)
#alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
#alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
#alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:9; rev:1;)

But where does Suricata store this type of file when these rules are enabled??


On Tue, Feb 19, 2013 at 11:11 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> I would suggest using "filestore" on the office/pdf file rules ..... then
> probably a script that just feeds the files from the /var/log/files dir to
> clamav ?
>
> thanks
>
> On Tue, Feb 19, 2013 at 10:30 AM, C. L. Martinez <carlopmart at gmail.com>
> wrote:
>>
>> Hi all,
>>
>>  I would like to deploy some type of file carving technique (automated
>> or not) in my actual infrastructure (three suricata sensors with full
>> pcap traffic captured). In this first stage, I am only interested in
>> office (word and excel files) and pdf files (and only those that come via
>> http requests) and in sending them to a clamav process or analyzing them using
>> cuckoo sandbox.
>>
>>  I saw something like this in
>> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
>> sensors are in IDS mode.
>>
>>  Has somebody tried something like this?? Any tip or example??
>>
>>  Thanks.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>
>
>
> --
> Regards,
> Peter Manev
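As an added example (not code from this thread, and not a script shipped with Suricata or ClamAV), here is the kind of feeder script Peter describes: it walks the file-store directory, keeps only the stored objects whose metadata identifies them as PDF or Office documents, and hands each one to clamscan, logging a verdict that can be joined back to the metadata. It assumes the file-store layout of a `file.N` payload next to a `file.N.meta` sidecar that carries a `MAGIC:` line, and the `/var/log/files` directory Peter mentions; the directory, scanner command and magic patterns are assumptions to be checked against the `file-store` section of your own suricata.yaml.

```shell
#!/bin/sh
# Added example (not from the thread): select stored office/PDF files from
# Suricata's file-store directory and hand each one to a scanner.
# ASSUMPTION: the file-store output writes pairs "file.N" and "file.N.meta",
# and the .meta file has a "MAGIC:" line with libmagic's description.
# Check the "file-store" section of suricata.yaml for the real log-dir.

FILES_DIR="${FILES_DIR:-/var/log/files}"    # directory Peter names in the thread
SCANNER="${SCANNER:-clamscan --no-summary}"  # any CLI scanner; exit 0 = clean

# Print the MAGIC value recorded in a .meta file (empty if none).
meta_magic() {
    sed -n 's/^MAGIC:[[:space:]]*//p' "$1" | head -n 1
}

# Decide from the magic description whether a stored file is of interest
# (PDF or MS Office). Returns 0 for "interesting", 1 otherwise.
# ASSUMPTION: these libmagic strings match what your libmagic emits.
is_office_or_pdf() {
    case "$1" in
        "PDF document"*|*"Microsoft Office"*|*"Microsoft Word"*|*"Microsoft Excel"*|*"Composite Document File"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# List the payload files in a directory whose .meta marks them office/PDF.
# Payloads without a sidecar are skipped: without metadata there is no
# reliable type information to act on.
select_candidates() {
    dir="$1"
    for f in "$dir"/file.*; do
        [ -e "$f" ] || continue
        case "$f" in *.meta) continue ;; esac
        [ -f "$f.meta" ] || continue
        if is_office_or_pdf "$(meta_magic "$f.meta")"; then
            printf '%s\n' "$f"
        fi
    done
}

# Scan every candidate and print one verdict line per file. The path lets an
# analyst join the verdict to the SRC IP / DST IP / FILENAME lines in the
# matching .meta file.
scan_candidates() {
    select_candidates "$1" | while read -r f; do
        if $SCANNER "$f" >/dev/null 2>&1; then
            printf 'CLEAN %s (%s)\n' "$f" "$(meta_magic "$f.meta")"
        else
            printf 'FLAGGED %s (%s)\n' "$f" "$(meta_magic "$f.meta")"
        fi
    done
}

# Stand-alone use: ./feed_to_clamav.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_candidates "$FILES_DIR"
fi
```

Run it from cron or as a post-rotation hook; set `SCANNER` to a Cuckoo submission command to route the same selection into a sandbox instead. Selecting on the recorded magic rather than on the URL extension is deliberate: it is the same distinction the "pdf claimed, but not pdf" rule in ET-files.rules makes, and it keeps the scanner from being fed whatever a client merely named `.pdf`.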
