[Oisf-users] Quick Question: Accurate/Full File Extraction for Submitting to Sandboxes

Kevin Ross kevross33 at googlemail.com
Sun Jan 6 03:04:28 UTC 2013


I was wondering what people's experience is of accurately (and
automatically) extracting files from network traffic (or PCAPs) for then
automatically doing further analysis to work out if they are suspicious
before submitting to a sandbox like Cuckoobox?

My method right now for getting an accurate file really is just processing
Suricata metadata files in order to redownload any interesting files, which
obviously causes issues for stealth, as well as not working if it is a
download location generated for one-time use or is expecting certain things
to be right before allowing the download. Suricata's file extraction
generally ends up with very small parts of the original files when storing
to disk, unless I am doing something wrong?

If it can't be done accurately from live network traffic, is it possible to
get them from PCAPs in an accurate way suitable for at least static analysis,
and ideally so it will run on a device with decent reliability? I do
have full packet capture, although not for a huge length of time - perhaps a
day of traffic. Does anyone else have any solutions for things they have
done for this? I know it must be possible, as various network malware
detection companies (FireEye, Damballa, HBGary etc.) take files from the
network, although I am unsure how they accomplish this accurately to allow
for proper execution.

Thanks for any tips or thoughts.