[Oisf-users] SMTP Filecarving
Victor Julien
lists at inliniac.net
Mon Nov 3 08:01:30 UTC 2014
On 11/03/2014 08:48 AM, Andreas Moe wrote:
> Hi,
>
> With the new pull request adding SMTP carving (#1195), I've been testing
> this a bit. But I can't seem to be able to carve any files. I'm betting
> the issue is my rule writing skills. Anyone have any tips?
>
> alert smtp any any -> any any (msg:"TOTAL CAPTURE!"; filestore; sid:1;
> rev:1;)
>
Have you updated your yaml to include:
app-layer:
  protocols:
    smtp:
      enabled: yes
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes
        # Decode MIME entity bodies (i.e. base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes
        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000
        # Extract URLs and save in state data structure
        extract-urls: no
The SMTP file extraction depends on the 'decode-mime' setting.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
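As an added example (not code from this thread or from the Suricata project), a small Python check that parses the nested-mapping subset of YAML used in the reply above and reports which of the settings Victor names would stop a `filestore` rule from carving anything out of SMTP. The parser deliberately handles no lists or block scalars, and the function names are hypothetical.

```python
# Added example, not from the thread or the Suricata project: a parser for the
# nested-mapping YAML subset in the reply above, plus a readiness check.
def parse_simple_yaml(text):
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():  # scalar leaf
            parent[key] = value.strip()
        else:  # nested mapping starts on the next, deeper-indented lines
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def truthy(value):
    return str(value).strip().lower() in ("yes", "true", "on", "1")

def smtp_filestore_ready(config):
    """Return (ok, problems): can a 'filestore' rule carve files from SMTP?"""
    smtp = config.get("app-layer", {}).get("protocols", {}).get("smtp", {})
    mime = smtp.get("mime", {})
    problems = []
    if not truthy(smtp.get("enabled", "no")):
        problems.append("app-layer.protocols.smtp.enabled is not yes")
    if not truthy(mime.get("decode-mime", "no")):
        problems.append("smtp.mime.decode-mime is not yes; extraction depends on it")
    for key in ("decode-base64", "decode-quoted-printable"):
        if not truthy(mime.get(key, "no")):
            problems.append(f"smtp.mime.{key} is not yes; such bodies stay undecoded")
    return (not problems, problems)

GOOD_YAML = """
app-layer:
  protocols:
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
"""  # constructed sample: the reply's settings with the comments stripped
BAD_YAML = GOOD_YAML.replace("decode-mime: yes", "decode-mime: no")
```

Running `smtp_filestore_ready(parse_simple_yaml(BAD_YAML))` flags only `decode-mime`, which is the switch that makes a correct rule carve nothing.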