[Oisf-users] file extraction didn't work on Ubuntu 12.04/Suri-2.0

Shawn citypw at gmail.com
Sat Mar 29 18:49:00 UTC 2014


I only enabled these rules in files.rules:
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)

# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
---------------------------------------------------------------------------

#under /var/log/suricata:
grep FILEEXT *
fast.log:03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
fast.log:03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
fast.log:03/30/2014-02:45:08.283707  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012

It seems the first two work! I'm not sure if some of the rules have possibly gone wrong.

On Sat, Mar 29, 2014 at 9:48 PM, Peter Manev <petermanev at gmail.com> wrote:
>
> Please let us know how it goes.
>
>
>>
>> --
>> GNU powered it...
>> GPL protect it...
>> God blessing it...
>>
>> regards
>> Shawn
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>
>
> --
> Regards,
> Peter Manev



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn


