[Oisf-users] File carving techniques with suricata

Peter Manev petermanev at gmail.com
Tue Feb 19 12:19:31 UTC 2013


yes...
but not all of the rules (I doubt you need jpeg and png files)..

alert http any any -> any any (msg:"FILEMAGIC pdf";
flow:established,to_server; filemagic:"PDF document"; filestore;
sid:9; rev:1;)

there is your pdf  :) rule

but in general you should follow the guide here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

thanks

On Tue, Feb 19, 2013 at 12:31 PM, C. L. Martinez <carlopmart at gmail.com> wrote:

> Perfect!! Do you mean to use ET-files.rules to accomplish this?? In
> this file, this appears:
>
> #alert http any any -> any any (msg:"FILEEXT JPG file claimed";
> fileext:"jpg"; sid:1; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC jpg(1)";
> flow:established,to_server; filemagic:"JPEG image data"; filestore;
> sid:10; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC jpg(2)";
> flow:established,to_server; filemagic:"JFIF"; filestore; sid:11;
> rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC short";
> flow:established,to_server; filemagic:"very short file (no magic)";
> filestore; sid:12; rev:1;)
> #alert http any any -> any any (msg:"FILE store all"; filestore;
> noalert; sid:15; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"JFIF";
> filestore; noalert; sid:16; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"PNG";
> filestore; noalert; sid:17; rev:1;)
> #alert http any any -> any any (msg:"FILE magic -- windows";
> flow:established,to_client; filemagic:"executable for MS Windows";
> filestore; sid:18; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel)
> (1)"; filemagic:"PNG image data, 1 x 1,"; sid:19; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel)
> (2)"; filemagic:"PNG image data, 1 x 1|00|"; sid:20; rev:1;)
> #alert http any any -> any any (msg:"FILE tracking GIF (1x1 pixel)";
> filemagic:"GIF image data, version 89a, 1 x 1|00|"; sid:21; rev:1;)
> #alert http any any -> any any (msg:"FILE pdf claimed, but not pdf";
> flow:established,to_client; fileext:"pdf"; filemagic:!"PDF document";
> filestore; sid:22; rev:1;)
> #alert http any any -> any any (msg:"FILE magic"; filemagic:"GIF";
> filestore; noalert; sid:23; rev:2;)
> #alert http any any -> any any (msg:"FILEEXT BMP file claimed";
> fileext:"bmp"; sid:3; rev:1;)
> #alert http any any -> any any (msg:"FILESTORE jpg";
> flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
> #alert http any any -> any any (msg:"FILESTORE pdf";
> flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
> #alert http any any -> any any (msg:"FILEMAGIC pdf";
> flow:established,to_server; filemagic:"PDF document"; filestore;
> sid:9; rev:1;)
>
> But where does suricata store this type of file when these rules are enabled??
>
>
> On Tue, Feb 19, 2013 at 11:11 AM, Peter Manev <petermanev at gmail.com>
> wrote:
> > Hi,
> >
> > I would suggest using "filestore" on the office/pdf file rules ..... then
> > probably a script that just feeds the files from the /var/log/files dir to
> > clamav ?
> >
> > thanks
> >
> > On Tue, Feb 19, 2013 at 10:30 AM, C. L. Martinez <carlopmart at gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >>  I would like to deploy some type of file carving technique (automated
> >> or not) in my actual infrastructure (three suricata sensors with full
> >> pcap traffic captured). In this first stage, I am only interested in
> >> office (word and excel files) and pdf files (and only those that come via
> >> http requests) and in sending them to a clamav process or analyzing them
> >> using cuckoo sandbox.
> >>
> >>  I see something like this in
> >> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
> >> sensors are in IDS mode.
> >>
> >>  Has somebody tried something like this?? Any tip or example??
> >>
> >>  Thanks.
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
>



-- 
Regards,
Peter Manev
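The second half of the suggestion above (a script that picks the extracted files up from the file-store directory and hands them to ClamAV) is shown below as an added example. It is not code from Suricata, from the ET-files.rules set, or from either poster. It assumes the layout Suricata 1.x uses for filestore output: the directory named in the thread (/var/log/suricata/files is the usual default) holds one file.<N> body per extracted file plus a file.<N>.meta sidecar of "KEY: value" lines such as FILENAME and MAGIC; the sidecar format and the sample files built by build_sample_store() are constructed for this example. The script also sniffs the leading bytes itself, so the "pdf claimed, but not pdf" case (sid 22 above) is caught even for files that were stored by an extension-only rule. One caveat on the rules quoted above: flow:established,to_server matches files uploaded in HTTP requests; files downloaded in HTTP responses are to_client, as in sids 18 and 22.

```python
#!/usr/bin/env python3
"""Triage Suricata filestore output, then hand pdf/word/excel files to ClamAV.

Added example for this thread; not Suricata code and not the posters' script.
Assumption: the store directory holds file.<N> bodies plus file.<N>.meta
sidecars of "KEY: value" lines (FILENAME, MAGIC, ...). The byte sniffing below
is an independent second opinion on what the filemagic keyword reported.
"""
import hashlib
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Leading bytes of the formats in question (from the public format specs).
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx / .xlsx are ZIPs
OFFICE_EXT = {"doc", "xls", "ppt", "docx", "xlsx", "pptx"}


def sniff(path: Path) -> str:
    """Classify by content, never by the name the HTTP side claimed."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head == OLE2_MAGIC:
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
    return "other"


def parse_meta(meta_path: Path) -> dict:
    """Read the KEY: value sidecar (assumed layout); absent sidecar -> {}."""
    info = {}
    if meta_path.is_file():
        for line in meta_path.read_text(errors="replace").splitlines():
            key, sep, value = line.partition(":")
            if sep:
                info[key.strip()] = value.strip()
    return info


def triage(store_dir: Path) -> list:
    """One record per stored file: content type, claimed extension, whether
    they disagree (the 'pdf claimed, but not pdf' case), and a scan flag."""
    records = []
    for body in sorted(store_dir.glob("file.*")):
        if body.suffix == ".meta" or not body.is_file():
            continue
        meta = parse_meta(body.with_name(body.name + ".meta"))
        kind = sniff(body)
        claimed = Path(meta.get("FILENAME", "")).suffix.lower().lstrip(".")
        mismatch = (claimed == "pdf" and kind != "pdf") or \
                   (claimed in OFFICE_EXT and kind not in ("ole2", "ooxml"))
        records.append({
            "path": body, "kind": kind, "claimed_ext": claimed,
            "mismatch": mismatch,
            "scan": kind != "other" or mismatch,  # scan documents and liars
            "sha256": hashlib.sha256(body.read_bytes()).hexdigest(),
        })
    return records


def scan_with_clamav(paths) -> dict:
    """clamscan exits 0 clean, 1 infected, 2 error; {} if not installed."""
    clamscan = shutil.which("clamscan")
    if not clamscan:
        return {}
    verdicts = {}
    for p in paths:
        rc = subprocess.run([clamscan, "--no-summary", str(p)],
                            capture_output=True, text=True).returncode
        verdicts[str(p)] = {0: "clean", 1: "infected"}.get(rc, "error")
    return verdicts


def build_sample_store(store_dir: Path) -> None:
    """Constructed sample store for offline runs; these are not real captures."""
    def put(n, data, filename):
        (store_dir / f"file.{n}").write_bytes(data)
        (store_dir / f"file.{n}.meta").write_text(f"FILENAME:   {filename}\n")
    put(1, b"%PDF-1.4\n%...\n", "report.pdf")
    put(2, OLE2_MAGIC + b"\x00" * 24, "budget.xls")
    with zipfile.ZipFile(store_dir / "file.3", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    (store_dir / "file.3.meta").write_text("FILENAME:   memo.docx\n")
    put(4, b"\xff\xd8\xff\xe0JFIF\x00", "invoice.pdf")   # JPEG named .pdf
    put(5, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "logo.png")  # image, skipped


def demo() -> dict:
    """Build the constructed store in a temp dir and return records by name."""
    store = Path(tempfile.mkdtemp())
    build_sample_store(store)
    return {r["path"].name: r for r in triage(store)}


if __name__ == "__main__":
    recs = demo()
    for name, r in recs.items():
        flag = " MISMATCH" if r["mismatch"] else ""
        print(f"{name}: {r['kind']} (claimed .{r['claimed_ext'] or '-'}){flag}")
    print(scan_with_clamav([r["path"] for r in recs.values() if r["scan"]])
          or "clamscan not found")
```

Point triage() at the real file-store directory instead of the constructed one to use it on a sensor; the sha256 in each record is what you would carry over into a Cuckoo submission or a local allow-list so the same file is not sandboxed twice.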