[Oisf-users] file extraction didn't work on Ubuntu 12.04/Suri-2.0

Shawn citypw at gmail.com
Mon Mar 31 06:26:03 UTC 2014

hey Peter,

On Mon, Mar 31, 2014 at 2:24 AM, Peter Manev <petermanev at gmail.com> wrote:
> Could you please do the following:
> apt-get install libnss3-dev libnspr4-dev libjansson4 libjansson-dev
> recompile and add to the config line like so:
> ./configure --with-libnss-libraries=/usr/lib
> --with-libnss-includes=/usr/include/nss/
> --with-libnspr-libraries=/usr/lib
> --with-libnspr-includes=/usr/include/nspr
> ... plus anything else if you add to it
Ok, here are my steps:
./configure --enable-nfqueue --enable-gccprotect
--prefix=/usr/local/suricata --with-libnss-libraries=/usr/lib
--with-libnspr-includes=/usr/include/nspr --localstatedir=/var

make && sudo make install-full

ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off

And, I only enabled four rules:
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed";
fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed";
fileext:"bmp"; sid:3; rev:1;)

# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg";
flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf";
flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)

/usr/local/suricata/bin/suricata -c
/usr/local/suricata/etc/suricata//suricata.yaml -i eth0
31/3/2014 -- 14:18:14 - <Notice> - This is Suricata version 2.0 RELEASE
31/3/2014 -- 14:18:19 - <Notice> - all 13 packet processing threads, 3
management threads initialized, engine started.

Then, I downloaded some jpg files from some websites. Suri only gave
us "alert" info (and the files directory is still empty), like:
JPG file claimed","category":"","severity":3}}
fast.log:03/31/2014-14:18:28.554889  [**] [1:1:1] FILEEXT JPG file
claimed [**] [Classification: (null)] [Priority: 3] {TCP} ->

> Run the tests again and please let us know ....
> P.S
> Do you have only one Suricata binary installed?
yes, I only have one Suri binary on my machine.

> --
> Regards,
> Peter Manev

GNU powered it...
GPL protect it...
God blessing it...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/x-yaml
Size: 49182 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140331/f06b9346/attachment-0002.bin>
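As an added note (not part of Shawn's mail or of the Suricata project), here is a small Python check over the four rules quoted above. Suricata's flow keyword pins a rule to one direction: to_server matches traffic sent from the client to the server, so a rule with flow:established,to_server can only match a file carried in an HTTP request body (an upload); a jpg downloaded from a web site travels in the response body, which is to_client. The script parses the rules and reports, per direction, which of them can fire, so the direction-less fileext rules (sid 1 and 3) and the filestore rules (sid 6 and 8) come out differently for a download. The rule text is copied from the mail onto single lines; the parser and the helper names are constructed for this example. The script does not look at suricata.yaml, where the file-store output section also has to be enabled before stored files appear on disk.

```python
import re

# Constructed input: the four rules from the post, each joined onto a single line.
RULES = r'''
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)

# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
'''

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

# Split the option body on ';' only when that ';' sits outside double quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_options(body):
    """Return an ordered list of (keyword, value-or-None) pairs."""
    opts = []
    for raw in OPT_SPLIT_RE.split(body):
        raw = raw.strip()
        if not raw:
            continue
        if ':' in raw:
            key, val = raw.split(':', 1)
            opts.append((key.strip(), val.strip().strip('"')))
        else:
            opts.append((raw, None))  # bare keyword such as filestore
    return opts


def parse_rules(text):
    """Parse a rules file body; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError('unparsable rule: ' + line)
        opts = parse_options(m.group('opts'))
        sid = next((int(v) for k, v in opts if k == 'sid'), None)
        rules.append({'sid': sid, 'header': m.groupdict(), 'opts': opts})
    return rules


# flow keywords that pin a rule to one side; both spellings mean the same side.
_TO_SERVER = {'to_server', 'from_client'}
_TO_CLIENT = {'to_client', 'from_server'}


def allows_direction(rule, file_direction):
    """True unless a flow: keyword restricts the rule to the opposite direction.
    file_direction is 'to_client' (HTTP response body, i.e. a download)
    or 'to_server' (request body, i.e. an upload)."""
    for key, val in rule['opts']:
        if key != 'flow' or val is None:
            continue
        parts = {p.strip() for p in val.split(',')}
        if parts & _TO_SERVER and file_direction != 'to_server':
            return False
        if parts & _TO_CLIENT and file_direction != 'to_client':
            return False
    return True


def direction_coverage(rules, file_direction, keyword='filestore'):
    """Map sid -> whether each rule carrying `keyword` can fire for file_direction."""
    return {r['sid']: allows_direction(r, file_direction)
            for r in rules if any(k == keyword for k, _ in r['opts'])}


if __name__ == '__main__':
    parsed = parse_rules(RULES)
    for direction in ('to_client', 'to_server'):
        print(direction, 'fileext alerts:', direction_coverage(parsed, direction, 'fileext'))
        print(direction, 'filestore:', direction_coverage(parsed, direction))
```

Run it as-is and the to_client line shows sid 1 and 3 as able to fire while sid 6 and 8 cannot, which matches an alert-only fast.log and an empty files directory for downloads; the same filestore rules do cover uploads (to_server).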
