[Oisf-users] File carving techniques with suricata

Kevin Ross kevross33 at googlemail.com
Tue Feb 19 21:22:54 UTC 2013


it is excellent and with some scripting you can integrate it with cuckoobox
which if you filter out suspicious files you can analyze
http://www.cuckoosandbox.org/about.html. Although to get accurate carving
sometimes it can be best to redownload the file based on information in the
meta file if you can determine it to be suspicious for you (suspicious
attributes about the file, geolocation, attributes etc).


On 19 February 2013 09:30, C. L. Martinez <carlopmart at gmail.com> wrote:

> Hi all,
>  I would like to deploy some type of file carving technique (automated
> or not) in my actual infrastructure (three suricata sensors with full
> pcap traffic captured). In this first stage, I am only interested in
> office (word and excel files) and pdf files (and only that comes via
> http requests) and sends them to a clamav process or analyze using
> cuckoo sandbox.
>  I see somethig like this in
> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
> sensors are in IDS mode.
>  Somebody have tried something like this?? Any tip or example??
>  Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130219/d6a50699/attachment-0002.html>

More information about the Oisf-users mailing list