[Oisf-users] File carving techniques with suricata

C. L. Martinez carlopmart at gmail.com
Wed Feb 20 06:42:17 UTC 2013


Many thanks, sirs, for your input. But has anybody tried
file_processor under the contrib dir? Does it work on production systems?

On Tue, Feb 19, 2013 at 9:22 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Hi,
>
> It is excellent, and with some scripting you can integrate it with cuckoobox
> (http://www.cuckoosandbox.org/about.html): if you filter out the suspicious
> files, you can analyze them there. Although, to get accurate carving, it can
> sometimes be best to re-download the file based on the information in the
> meta file, if you can determine it to be suspicious (suspicious attributes
> about the file, geolocation, etc.).
>
> Regards,
> Kevin
>
> On 19 February 2013 09:30, C. L. Martinez <carlopmart at gmail.com> wrote:
>>
>> Hi all,
>>
>>  I would like to deploy some type of file carving technique (automated
>> or not) in my current infrastructure (three Suricata sensors with full
>> pcap traffic captured). In this first stage, I am only interested in
>> Office (Word and Excel) files and PDF files (and only those that come via
>> HTTP requests), and in sending them to a ClamAV process or analyzing
>> them using Cuckoo Sandbox.
>>
>>  I see something like this in
>> https://home.regit.org/2012/10/defend-your-network-from-word/, but my
>> sensors are in IDS mode.
>>
>>  Has somebody tried something like this? Any tip or example?
>>
>>  Thanks.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>
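As an added worked example (not code from this thread, from Suricata, or from its contrib/file_processor script): a small Python filter that does the first-stage selection the original post asks for. It reads the .meta sidecar that Suricata's file-store output writes next to each carved file, keeps only complete, HTTP-delivered PDF and Word/Excel files, hands them to clamdscan, and rebuilds the download URL from the meta so a doubtful carve can be re-fetched as Kevin suggests. Assumptions: the sensors already load filestore rules such as `filemagic:"PDF document"; filestore;`, the .meta layout is the one-`KEY:   value`-per-line format of Suricata 1.x (field names TIME, SRC IP, HTTP URI, HTTP HOST, MAGIC, STATE, MD5 as in that format; MD5 only when force-md5 is on), and clamdscan is on the path. The sample meta files are constructed, not captured.

```python
import os
import re
import subprocess

# Assumed .meta layout (Suricata 1.x file-store output): one "KEY:   value"
# per line.  MD5 only appears when force-md5 is enabled in suricata.yaml.
META_LINE = re.compile(r"^([A-Z][A-Z0-9 ]*):\s*(.*)$")

# libmagic descriptions for the first-stage file types (PDF, Word, Excel in
# both the OLE2/CDF and OOXML forms); matched as a prefix of the MAGIC field.
INTERESTING_MAGIC = (
    "PDF document",
    "Microsoft Word",
    "Microsoft Excel",
    "Microsoft Office",
    "Composite Document File V2 Document",
    "CDF V2 Document",
)


def parse_meta(text):
    """Parse one .meta file into a dict keyed as in the file ("HTTP URI", "MD5", ...)."""
    meta = {}
    for line in text.splitlines():
        m = META_LINE.match(line)
        if m:
            meta[m.group(1).strip()] = m.group(2).strip()
    return meta


def is_candidate(meta):
    """Keep only complete files (STATE CLOSED) that came in over HTTP with a
    magic we want.  TRUNCATED carves are skipped on purpose: their hash is
    useless and a sandbox cannot open them."""
    if meta.get("STATE") != "CLOSED":
        return False
    if not meta.get("HTTP HOST"):
        return False
    magic = meta.get("MAGIC", "")
    return any(magic.startswith(prefix) for prefix in INTERESTING_MAGIC)


def original_url(meta):
    """Rebuild the download URL so a doubtful carve can be re-fetched.
    Caveat: the re-fetch contacts the serving host, which can tip off its
    operator or return different content than the sensor saw."""
    host, uri = meta.get("HTTP HOST"), meta.get("HTTP URI")
    if not host or not uri:
        return None
    return "http://%s%s" % (host, uri)


def select_candidates(metas):
    """metas maps 'file.N.meta' -> text.  Returns [(file name, meta dict)] for
    files worth scanning.  No disk I/O, so it runs on the samples below."""
    picked = []
    for name in sorted(metas):
        if not name.endswith(".meta"):
            continue
        meta = parse_meta(metas[name])
        if is_candidate(meta):
            picked.append((name[: -len(".meta")], meta))
    return picked


def scan_store(store_dir, scanner=("clamdscan", "--no-summary", "--fdpass")):
    """Read every .meta under store_dir and run the scanner on the selected
    files.  Returns {file path: exit code}; clamdscan uses 0 = clean,
    1 = infected, 2 = error.  Swap `scanner` for a Cuckoo submit command."""
    metas = {}
    for name in os.listdir(store_dir):
        if name.endswith(".meta"):
            with open(os.path.join(store_dir, name)) as fh:
                metas[name] = fh.read()
    results = {}
    for fname, _meta in select_candidates(metas):
        path = os.path.join(store_dir, fname)
        results[path] = subprocess.call(list(scanner) + [path])
    return results


# Constructed sample .meta files (not real captures) in the assumed layout.
SAMPLE_METAS = {
    "file.1.meta": (
        "TIME:              02/19/2013-09:30:00.000000\n"
        "SRC IP:            198.51.100.5\n"
        "DST IP:            192.0.2.10\n"
        "HTTP URI:          /invoices/feb.pdf\n"
        "HTTP HOST:         files.example.com\n"
        "FILENAME:          /invoices/feb.pdf\n"
        "MAGIC:             PDF document, version 1.4\n"
        "STATE:             CLOSED\n"
        "MD5:               d41d8cd98f00b204e9800998ecf8427e\n"
        "SIZE:              10240\n"
    ),
    # same PDF, but the sensor lost part of the stream
    "file.2.meta": (
        "HTTP URI:          /invoices/feb.pdf\n"
        "HTTP HOST:         files.example.com\n"
        "MAGIC:             PDF document, version 1.4\n"
        "STATE:             TRUNCATED\n"
    ),
    # wrong type for this stage
    "file.3.meta": (
        "HTTP URI:          /logo.png\n"
        "HTTP HOST:         www.example.com\n"
        "MAGIC:             PNG image data, 200 x 50, 8-bit/color RGBA\n"
        "STATE:             CLOSED\n"
    ),
    "file.4.meta": (
        "HTTP URI:          /q1.xlsx\n"
        "HTTP HOST:         reports.example.com\n"
        "MAGIC:             Microsoft Excel 2007+\n"
        "STATE:             CLOSED\n"
    ),
}

if __name__ == "__main__":
    for fname, meta in select_candidates(SAMPLE_METAS):
        print(fname, meta["MAGIC"], original_url(meta))
```

Against a live sensor, call scan_store() with whatever log-dir is set under file-store in suricata.yaml. The STATE check matters most on IDS-mode sensors: a taps/span port that drops packets yields TRUNCATED carves, and those are exactly the ones where re-fetching from the rebuilt URL (or pulling the object out of the full-pcap store) is worth more than scanning the fragment. The MD5 field, when present, is the natural key for not re-submitting the same sample to Cuckoo twice.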