[Oisf-users] file extraction didn't work on Ubuntu 12.04/Suri-2.0

Peter Manev petermanev at gmail.com
Mon Mar 31 06:37:39 UTC 2014


On Mon, Mar 31, 2014 at 8:26 AM, Shawn <citypw at gmail.com> wrote:
> hey Peter,
>
> On Mon, Mar 31, 2014 at 2:24 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> Could you please do the following:
>>
>> apt-get install libnss3-dev libnspr4-dev libjansson4 libjansson-dev
>>
>> recompile and add to the config line like so:
>>
>> ./configure --with-libnss-libraries=/usr/lib
>> --with-libnss-includes=/usr/include/nss/
>> --with-libnspr-libraries=/usr/lib
>> --with-libnspr-includes=/usr/include/nspr
>> ... plus anything else if you add to it
>>
> Ok, here are my steps:
> ./configure --enable-nfqueue --enable-gccprotect
> --prefix=/usr/local/suricata --with-libnss-libraries=/usr/lib
> --with-libnss-includes=/usr/include/nss/
> --with-libnspr-libraries=/usr/lib
> --with-libnspr-includes=/usr/include/nspr --localstatedir=/var
>
> make && sudo make install-full
>
>  ethtool -k eth0
> Offload parameters for eth0:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> rx-vlan-offload: off
> tx-vlan-offload: off
> ntuple-filters: off
> receive-hashing: off
>
> And, I only enabled four rules:
> # Alert on files with jpg or bmp extensions
> alert http any any -> any any (msg:"FILEEXT JPG file claimed";
> fileext:"jpg"; sid:1; rev:1;)
> alert http any any -> any any (msg:"FILEEXT BMP file claimed";
> fileext:"bmp"; sid:3; rev:1;)
>
> # Store all files with jpg or pdf extension.
> alert http any any -> any any (msg:"FILESTORE jpg";
> flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
> alert http any any -> any any (msg:"FILESTORE pdf";
> flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
>
>
> /usr/local/suricata/bin/suricata -c
> /usr/local/suricata/etc/suricata//suricata.yaml -i eth0
> 31/3/2014 -- 14:18:14 - <Notice> - This is Suricata version 2.0 RELEASE
> 31/3/2014 -- 14:18:19 - <Notice> - all 13 packet processing threads, 3
> management threads initialized, engine started.
>
>
> Then, I downloaded some jpg files from some websites. Suri only gave
> us "alert" info (and the files directory is still empty), like:
> -------------------------------------------------------------------
> eve.json:{"timestamp":"2014-03-31T14:22:57.348688","event_type":"alert","src_ip":"117.34.91.60","src_port":80,"dest_ip":"147.2.207.35","dest_port":53774,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"FILEEXT JPG file claimed","category":"","severity":3}}
> fast.log:03/31/2014-14:18:28.554889  [**] [1:1:1] FILEEXT JPG file claimed [**] [Classification: (null)] [Priority: 3] {TCP} 60.55.49.194:80 -> 147.2.207.35:42400
> -------------------------------------------------------------------
>
>>
>> Run the tests again and please let us know ....
>>
>> P.S.
>> Do you have only one Suricata binary installed?
>>
> yes, I only have one Suri binary on my machine.
>

Can you try loading just that rule -

alert http any any -> any any (msg:"FILE store all"; filestore; sid:5; rev:5;)

and have a look at the "files" directory, what would the result be?



-- 
Regards,
Peter Manev
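An added check, not part of this thread and not Suricata's own code: the small rule parser below flags filestore rules restricted to flow:to_server. Files fetched over HTTP are seen in the to_client direction, so such a rule only ever stores uploads and never the downloaded jpg files the poster was testing with. The rules embedded inline are copied from the messages above; the parser, its regex and the assumption of one rule per line are mine.

```python
import re

# Constructed copy of the four rules from the thread plus the catch-all
# filestore rule suggested in the reply, one rule per line.
RULES = """\
# Alert on files with jpg or bmp extensions
alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;)
alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;)
# Store all files with jpg or pdf extension.
alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;)
alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
alert http any any -> any any (msg:"FILE store all"; filestore; sid:5; rev:5;)
"""

# key, optional ":value" (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line):
    """Split a one-line Suricata rule into its header and an option dict.

    Keyword-only options such as 'filestore' map to None.
    """
    head, _, body = line.partition("(")
    body = body.rsplit(")", 1)[0]
    opts = {}
    for key, val in OPTION_RE.findall(body):
        opts[key] = val.strip().strip('"') if val else None
    return head.strip(), opts


def check_filestore_direction(rules_text):
    """Return (sid, reason) for filestore rules that cannot store HTTP downloads.

    Response bodies travel to_client, so a filestore rule carrying
    flow:to_server will only match files sent by the client (uploads).
    """
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, opts = parse_rule(line)
        if "filestore" not in opts:
            continue
        flags = {f.strip() for f in (opts.get("flow") or "").split(",")}
        if "to_server" in flags:
            findings.append((opts.get("sid"), "flow:to_server never matches HTTP downloads"))
    return findings
```

Running check_filestore_direction(RULES) reports sids 6 and 8; the catch-all rule (sid 5) carries no direction and so would store both uploads and downloads.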


