[Oisf-users] file extraction didn't work on Ubuntu 12.04/Suri-2.0

Peter Manev petermanev at gmail.com
Sun Mar 30 07:47:44 UTC 2014


On Sat, Mar 29, 2014 at 7:49 PM, Shawn <citypw at gmail.com> wrote:
> I only enabled these rules in files.rules:
> # Alert on files with jpg or bmp extensions
> alert http any any -> any any (msg:"FILEEXT JPG file claimed";
> fileext:"jpg"; sid:1; rev:1;)
> alert http any any -> any any (msg:"FILEEXT BMP file claimed";
> fileext:"bmp"; sid:3; rev:1;)
>
> # Store all files with jpg or pdf extension.
> alert http any any -> any any (msg:"FILESTORE jpg";
> flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
> alert http any any -> any any (msg:"FILESTORE pdf";
> flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
> ---------------------------------------------------------------------------
>
> #under /var/log/suricata:
> grep FILEEXT *
> fast.log:03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
> fast.log:03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
> fast.log:03/30/2014-02:45:08.283707  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
>
> It seems the first two work! I'm not sure if some rules are possibly going wrong.
>
> On Sat, Mar 29, 2014 at 9:48 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> Please let us know how it goes.
>>


Can you please post the output of :
suricata --build-info

These values in your yaml -
request-body-minimal-inspect-size: 320kb
request-body-inspect-window: 409kb
response-body-minimal-inspect-size: 320kb
response-body-inspect-window: 400kb

Can you please put them back to the default values and try again?

thanks

-- 
Regards,
Peter Manev
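A small added check that is not part of this thread or of Suricata itself: Shawn's `grep FILEEXT` can only show hits for sids 1 and 3, since the two filestore rules log as "FILESTORE jpg"/"FILESTORE pdf". The script below parses fast.log lines in the format quoted above (the three entries from the thread are embedded as a constructed sample), counts alerts per sid, classifies each alert's direction by which side holds the HTTP server port (an assumption: port 80/8080 is the server), and lists the rules that never fired. The direction split is worth comparing with the `flow:established,to_server` restriction on sids 6 and 8, because the logged FILEEXT hits all run from port 80 toward the client.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three fast.log entries quoted in the thread,
# one alert per line as fast.log writes them.
SAMPLE_FAST_LOG = """\
03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
03/30/2014-02:45:07.661134  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
03/30/2014-02:45:08.283707  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 117.34.91.60:80 -> 192.168.1.102:48012
"""

# One fast.log alert line: timestamp, [gid:sid:rev], message, protocol, 5-tuple.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# sid -> (msg, flow direction keyword) for the four rules quoted in the thread.
# The FILEEXT rules carry no flow keyword; the FILESTORE rules use to_server.
RULES = {
    1: ("FILEEXT JPG file claimed", None),
    3: ("FILEEXT BMP file claimed", None),
    6: ("FILESTORE jpg", "to_server"),
    8: ("FILESTORE pdf", "to_server"),
}


def parse_fast_log(text):
    """Return one dict per parseable fast.log line (unparseable lines are skipped)."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def direction(alert, server_ports=(80, 8080)):
    """Classify an alert as to_server / to_client / unknown.

    Assumption (not from the thread): the HTTP server is whichever side
    holds port 80 or 8080, so packets toward that port are to_server.
    """
    if alert["dport"] in server_ports:
        return "to_server"
    if alert["sport"] in server_ports:
        return "to_client"
    return "unknown"


def summarize(text):
    """Count alerts per sid and per direction, and list RULES sids that never fired."""
    alerts = parse_fast_log(text)
    per_sid = Counter(a["sid"] for a in alerts)
    per_dir = defaultdict(Counter)
    for a in alerts:
        per_dir[a["sid"]][direction(a)] += 1
    silent = sorted(sid for sid in RULES if sid not in per_sid)
    return {
        "per_sid": dict(per_sid),
        "per_dir": {sid: dict(c) for sid, c in per_dir.items()},
        "silent": silent,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FAST_LOG)
    for sid, count in sorted(report["per_sid"].items()):
        name = RULES.get(sid, ("<rule not in RULES>", None))[0]
        print(f"sid {sid} ({name}): {count} alert(s), by direction {report['per_dir'][sid]}")
    for sid in report["silent"]:
        name, flow = RULES[sid]
        flow_note = f" (rule restricted to flow:{flow})" if flow else ""
        print(f"sid {sid} ({name}): no alerts{flow_note}")
```

Run it against the real file with `summarize(open("/var/log/suricata/fast.log").read())`; if sids 6 and 8 stay silent while every sid 1 hit is to_client, the filestore rules never saw a matching transaction regardless of the body-inspect settings Peter asks about.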


