[Oisf-users] File carving techniques with suricata

C. L. Martinez carlopmart at gmail.com
Tue Feb 19 12:04:01 UTC 2013


Ok, I see how I can do it in suricata's wiki. But one question: has somebody
used file_processor in the contrib directory?? Any howto about
installing it??


On Tue, Feb 19, 2013 at 11:31 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Perfect!! Do you mean to use ET-files.rules to accomplish this?? In
> this file appears:
>
> #alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC jpg(1)"; flow:established,to_server; filemagic:"JPEG image data"; filestore; sid:10; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC jpg(2)"; flow:established,to_server; filemagic:"JFIF"; filestore; sid:11; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC short"; flow:established,to_server; filemagic:"very short file (no magic)"; filestore; sid:12; rev:1;)
> #alert http any any -> any any (msg:"FILE store all"; filestore; noalert; sid:15; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"JFIF"; filestore; noalert; sid:16; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"PNG"; filestore; noalert; sid:17; rev:1;)
> #alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (1)"; filemagic:"PNG image data, 1 x 1,"; sid:19; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (2)"; filemagic:"PNG image data, 1 x 1|00|"; sid:20; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking GIF (1x1 pixel)"; filemagic:"GIF image data, version 89a, 1 x 1|00|"; sid:21; rev:1;)
> #alert http any any -> any any (msg:"FILE pdf claimed, but not pdf"; flow:established,to_client; fileext:"pdf"; filemagic:!"PDF document"; filestore; sid:22; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"GIF"; filestore; noalert; sid:23; rev:2;)
> #alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)
> #alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
> #alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:9; rev:1;)
>
> But where does suricata store this type of file when these rules are enabled??
>
>
> On Tue, Feb 19, 2013 at 11:11 AM, Peter Manev <petermanev at gmail.com> wrote:
>> Hi,
>>
>> I would suggest using "filestore" on the office/pdf file rules ..... then
>> probably a script that just feeds the files from the /var/log/files dir to
>> clamav ?
>>
>> thanks
>>
>> On Tue, Feb 19, 2013 at 10:30 AM, C. L. Martinez <carlopmart at gmail.com>
>> wrote:
>>>
>>> Hi all,
>>>
>>>  I would like to deploy some type of file carving technique (automated
>>> or not) in my actual infrastructure (three suricata sensors with full
>>> pcap traffic captured). In this first stage, I am only interested in
>>> office (word and excel) files and pdf files (and only those that come via
>>> http requests), sending them to a clamav process or analyzing them using
>>> cuckoo sandbox.
>>>
>>>  I see something like this in
>>> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
>>> sensors are in IDS mode.
>>>
>>>  Has somebody tried something like this?? Any tip or example??
>>>
>>>  Thanks.
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
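The "filestore plus a script that feeds the extracted files to clamav" approach suggested in this thread, as an added example that is not part of the mailing-list discussion or of Suricata itself. It assumes the file extraction layout of Suricata's `file-store` output of that era (a `file.N` data file next to a `file.N.meta` text file of `KEY: value` lines such as `FILENAME`, `MAGIC` and `STATE`) under the `log-dir` configured in the `file-store` section of suricata.yaml; the exact key names and the `CLOSED`/`TRUNCATED` state values are assumptions, so check them against a real `.meta` file before relying on the filter. The script selects only fully extracted PDF and Office files by their libmagic description, the same strings the `filemagic` keyword matches on, and builds the `clamscan` argument vector without executing it. The sample store it writes is constructed data. One caveat on the quoted rules: `flow:established,to_server` matches files sent by the client (uploads); files fetched in HTTP responses need `to_client`.

```python
import os
import re
import tempfile

# libmagic descriptions that identify the types of interest (constructed list;
# extend it with whatever your libmagic reports for .doc/.xls/.docx/.xlsx).
INTERESTING_MAGIC = (
    "PDF document",
    "Composite Document File",   # legacy OLE2 .doc/.xls
    "Microsoft Word",
    "Microsoft Excel",
    "Microsoft Office",
)

# Key names and values in the .meta file are assumed from the old file-store format.
META_LINE = re.compile(r"^([A-Z][A-Z0-9 ]*?):\s*(.*)$")


def parse_meta(text):
    """Parse the 'KEY: value' lines of a file.N.meta body into a dict."""
    meta = {}
    for line in text.splitlines():
        m = META_LINE.match(line)
        if m:
            meta[m.group(1).strip()] = m.group(2).strip()
    return meta


def is_interesting(meta):
    """Keep only complete extractions whose magic matches a type of interest."""
    if meta.get("STATE", "").upper() != "CLOSED":   # skip TRUNCATED/ERROR files
        return False
    magic = meta.get("MAGIC", "")
    return any(s in magic for s in INTERESTING_MAGIC)


def select_files(store_dir):
    """Return sorted (data_path, meta) pairs for the files worth scanning."""
    selected = []
    for name in sorted(os.listdir(store_dir)):
        if not name.endswith(".meta"):
            continue
        data_path = os.path.join(store_dir, name[: -len(".meta")])
        if not os.path.isfile(data_path):
            continue
        with open(os.path.join(store_dir, name), encoding="utf-8", errors="replace") as fh:
            meta = parse_meta(fh.read())
        if is_interesting(meta):
            selected.append((data_path, meta))
    return selected


def clamscan_command(paths, clamscan="clamscan"):
    """Build the argv for a clamscan run over the selected files (not executed here)."""
    return [clamscan, "--no-summary", "--infected", *paths]


def build_demo_store():
    """Write a constructed filestore (not real Suricata output) into a temp dir."""
    store = tempfile.mkdtemp(prefix="filestore-demo-")
    samples = {
        "file.1": (b"%PDF-1.4 constructed", "PDF document, version 1.4", "CLOSED", "invoice.pdf"),
        "file.2": (b"\x89PNG constructed", "PNG image data, 1 x 1, 8-bit/color RGBA", "CLOSED", "pixel.png"),
        "file.3": (b"\xd0\xcf\x11\xe0 constructed", "Composite Document File V2 Document", "TRUNCATED", "report.xls"),
        "file.4": (b"PK constructed", "Microsoft Word 2007+", "CLOSED", "memo.docx"),
    }
    for name, (body, magic, state, fname) in samples.items():
        with open(os.path.join(store, name), "wb") as fh:
            fh.write(body)
        meta = (
            "TIME:      02/19/2013-12:04:01.000000\n"
            "SRC IP:    203.0.113.10\n"
            "DST IP:    198.51.100.7\n"
            "HTTP HOST: example.test\n"
            f"HTTP URI:  /{fname}\n"
            f"FILENAME:  {fname}\n"
            f"MAGIC:     {magic}\n"
            f"STATE:     {state}\n"
            f"SIZE:      {len(body)}\n"
        )
        with open(os.path.join(store, name + ".meta"), "w", encoding="utf-8") as fh:
            fh.write(meta)
    return store


def run_demo():
    """Select from the constructed store; returns [(store file, original name), ...]."""
    store = build_demo_store()
    return [(os.path.basename(p), m["FILENAME"]) for p, m in select_files(store)]


if __name__ == "__main__":
    import sys
    store_dir = sys.argv[1] if len(sys.argv) > 1 else build_demo_store()
    chosen = select_files(store_dir)
    for path, meta in chosen:
        print(f"{path}: {meta.get('FILENAME')} [{meta.get('MAGIC')}]")
    print(" ".join(clamscan_command([p for p, _ in chosen])))
```

Run it with the real store directory as the only argument (for example `python3 feed_clamav.py /var/log/suricata/files`) and pipe the printed command into a cron job or `subprocess.run`; the PNG and the truncated .xls in the demo store are skipped, so only the PDF and the .docx reach the scanner. For this to produce anything at all, `file-store` must be `enabled: yes` in suricata.yaml and the rules carrying `filestore` must be uncommented, since the lines quoted above are all disabled with a leading `#`.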
