[Oisf-users] file extraction didn't work on Ubuntu 12.04/Suri-2.0

Shawn citypw at gmail.com
Mon Mar 31 06:26:03 UTC 2014


hey Peter,

On Mon, Mar 31, 2014 at 2:24 AM, Peter Manev <petermanev at gmail.com> wrote:
>
> Could you please do the following:
>
> apt-get install libnss3-dev libnspr4-dev libjansson4 libjansson-dev
>
> recompile and add to the config line like so:
>
> ./configure --with-libnss-libraries=/usr/lib
> --with-libnss-includes=/usr/include/nss/
> --with-libnspr-libraries=/usr/lib
> --with-libnspr-includes=/usr/include/nspr
> ... plus anything else if you add to it
>
Ok, here are my steps:
./configure --enable-nfqueue --enable-gccprotect \
    --prefix=/usr/local/suricata --with-libnss-libraries=/usr/lib \
    --with-libnss-includes=/usr/include/nss/ \
    --with-libnspr-libraries=/usr/lib \
    --with-libnspr-includes=/usr/include/nspr --localstatedir=/var

make && sudo make install-full

 ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off

And, I only enabled four rules:
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed";
fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed";
fileext:"bmp"; sid:3; rev:1;)

# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg";
flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf";
flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)


/usr/local/suricata/bin/suricata -c
/usr/local/suricata/etc/suricata//suricata.yaml -i eth0
31/3/2014 -- 14:18:14 - <Notice> - This is Suricata version 2.0 RELEASE
31/3/2014 -- 14:18:19 - <Notice> - all 13 packet processing threads, 3
management threads initialized, engine started.


Then, I downloaded some jpg files from some websites. Suri only gave
us "alert" info (and the files directory is still empty), like:
-------------------------------------------------------------------
eve.json:{"timestamp":"2014-03-31T14:22:57.348688","event_type":"alert","src_ip":"117.34.91.60","src_port":80,"dest_ip":"147.2.207.35","dest_port":53774,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"FILEEXT JPG file claimed","category":"","severity":3}}
fast.log:03/31/2014-14:18:28.554889  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 60.55.49.194:80 -> 147.2.207.35:42400
-------------------------------------------------------------------

>
> Run the tests again and please let us know ....
>
> P.S
> Do you have only one Suricata binary installed?
>
yes, I only have one Suri binary on my machine.

>
> --
> Regards,
> Peter Manev



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/x-yaml
Size: 49182 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140331/f06b9346/attachment-0002.bin>
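The post above shows alerts firing while the file-store directory stays empty. The script below is an added example, not code from the thread or from the Suricata project, that automates the three checks a practitioner would run on such a box: does eve.json contain any "fileinfo" events at all, and were any of them "stored"; do the filestore rules restrict the flow direction to to_server (which only covers client-to-server packets, so the HTTP response body that carries a downloaded jpg is never inspected by them; that direction is for uploads); and is the file-store output switched on in suricata.yaml (the attached yaml was scrubbed from the archive, so this is assumed, not known). The sample eve.json lines, rules file and yaml fragment are constructed for the example; the first eve line and the four rules are copied from the post. The EVE field names "fileinfo", "state" and "stored" are assumed to follow Suricata's EVE output as shipped in 2.0.

```python
"""Triage helpers for an empty Suricata file-store directory (added example)."""
import json
import re
from collections import Counter

# Constructed eve.json sample: first line from the post, the rest invented
# to exercise the fileinfo branches; one junk line shows the parser skipping it.
SAMPLE_EVE = r'''
{"timestamp":"2014-03-31T14:22:57.348688","event_type":"alert","src_ip":"117.34.91.60","src_port":80,"dest_ip":"147.2.207.35","dest_port":53774,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"FILEEXT JPG file claimed","category":"","severity":3}}
{"timestamp":"2014-03-31T14:22:57.400000","event_type":"http","src_ip":"147.2.207.35","src_port":53774,"dest_ip":"117.34.91.60","dest_port":80,"proto":"TCP","http":{"hostname":"example.invalid","url":"/img/a.jpg","http_method":"GET"}}
{"timestamp":"2014-03-31T14:22:57.500000","event_type":"fileinfo","src_ip":"117.34.91.60","src_port":80,"dest_ip":"147.2.207.35","dest_port":53774,"proto":"TCP","fileinfo":{"filename":"/img/a.jpg","state":"CLOSED","stored":false,"size":18231}}
{"timestamp":"2014-03-31T14:23:01.100000","event_type":"fileinfo","src_ip":"117.34.91.60","src_port":80,"dest_ip":"147.2.207.35","dest_port":53775,"proto":"TCP","fileinfo":{"filename":"/img/b.jpg","state":"CLOSED","stored":true,"size":4096}}
-- truncated line that is not JSON --
'''

# The four rules from the post, verbatim.
SAMPLE_RULES = r'''
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)
# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
'''

# Constructed file-store block in the shape of the suricata.yaml outputs section.
SAMPLE_YAML = "outputs:\n  - file-store:\n      enabled: no\n      log-dir: files\n      force-magic: no\n"


def parse_eve(text):
    """One JSON object per line; anything that does not parse is skipped."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize_events(records):
    return Counter(r.get("event_type", "?") for r in records)


def fileinfo_status(records):
    """How many files Suricata tracked, and how many it actually wrote to disk."""
    seen = [r["fileinfo"] for r in records if r.get("event_type") == "fileinfo"]
    stored = sum(1 for f in seen if f.get("stored") is True)
    return {"seen": len(seen), "stored": stored, "not_stored": len(seen) - stored}


def alerts_by_sid(records):
    return Counter(r["alert"]["signature_id"] for r in records if r.get("event_type") == "alert")


_RULE_RE = re.compile(r"^\s*alert\s+(\S+)\s+.*?\((.*)\)\s*$")


def parse_rule(line):
    """Pull proto, sid, fileext, the filestore flag and the flow direction out of one rule."""
    m = _RULE_RE.match(line)
    if not m:
        return None
    opts, flags = {}, set()
    for opt in filter(None, (o.strip() for o in m.group(2).split(";"))):
        if ":" in opt:
            k, v = opt.split(":", 1)
            opts[k.strip()] = v.strip().strip('"')
        else:
            flags.add(opt)
    direction = next((p.strip() for p in opts.get("flow", "").split(",")
                      if p.strip() in ("to_server", "to_client")), None)
    return {"proto": m.group(1), "sid": int(opts.get("sid", 0)), "msg": opts.get("msg", ""),
            "fileext": opts.get("fileext"), "filestore": "filestore" in flags, "direction": direction}


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines() if not l.lstrip().startswith("#")) if r]


def check_filestore_rules(rules):
    """flow:to_server matches client-to-server packets only, so a filestore rule pinned
    to it can store uploads but never the server-to-client response body of a download."""
    return [(r["sid"], "to_server stores uploads only; a download needs to_client or no direction")
            for r in rules if r["filestore"] and r["direction"] == "to_server"]


def file_store_enabled(yaml_text):
    """True/False from the first 'enabled:' under 'file-store:', None if no such block."""
    m = re.search(r"file-store:\s*\n(?:.*\n)*?\s*enabled:\s*(\w+)", yaml_text)
    return None if not m else m.group(1).lower() in ("yes", "true")


def diagnose(eve_text, rules_text, yaml_text):
    records, rules = parse_eve(eve_text), parse_rules(rules_text)
    return {"events": dict(summarize_events(records)),
            "fileinfo": fileinfo_status(records),
            "alerts_by_sid": dict(alerts_by_sid(records)),
            "filestore_rule_findings": check_filestore_rules(rules),
            "file_store_enabled": file_store_enabled(yaml_text)}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_EVE, SAMPLE_RULES, SAMPLE_YAML).items():
        print(f"{key}: {value}")
```

On a real sensor, feed it the live eve.json, the loaded files rules and suricata.yaml instead of the samples. No fileinfo events at all points at the yaml (file-store or the eve "files" output not enabled) or the libnss build; fileinfo events with "stored": false point at the rules, and with the rules from the post the direction finding is the first thing to look at.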


More information about the Oisf-users mailing list