[Oisf-users] SMTP Filecarving

Andreas Moe moe.andreas at gmail.com
Mon Nov 3 08:04:57 UTC 2014


Yes, I did a clean install with install-full (then added my own rule). I
have seen the output of the SMTP event_types in eve logs, just not getting
the carving working.

2014-11-03 9:01 GMT+01:00 Victor Julien <lists at inliniac.net>:

> On 11/03/2014 08:48 AM, Andreas Moe wrote:
> > Hi,
> >
> > With the new pull request adding SMTP carving (#1195), I've been testing
> > this a bit. But I can't seem to be able to carve any files. I'm betting
> > the issue is my rule writing skills. Anyone have any tips?
> >
> > alert smtp any any -> any any (msg:"TOTAL CAPTURE!"; filestore; sid:1;
> > rev:1;)
> >
>
> Have you updated your yaml to include:
>
> app-layer:
>   protocols:
>
>     smtp:
>       enabled: yes
>       # Configure SMTP-MIME Decoder
>       mime:
>         # Decode MIME messages from SMTP transactions
>         # (may be resource intensive)
>         # This field supercedes all others because it turns the entire
>         # process on or off
>         decode-mime: yes
>
>         # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
>         decode-base64: yes
>         decode-quoted-printable: yes
>
>         # Maximum bytes per header data value stored in the data structure
>         # (default is 2000)
>         header-value-depth: 2000
>
>         # Extract URLs and save in state data structure
>         extract-urls: no
>
> The SMTP file extraction depends on the 'decode-mime' setting.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
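To make the dependency Victor points at concrete, here is an added example (not code from this thread and not Suricata's own implementation) of the MIME decoding step that the `decode-mime`, `decode-base64` and `decode-quoted-printable` settings switch on: a `filestore` rule can only carve an attachment once the transfer encoding has been undone. The script walks a constructed SMTP message with one quoted-printable text part and one base64 attachment and returns per-part records modelled loosely on eve `fileinfo` fields (the record keys are my own naming, not Suricata's schema).

```python
import email
import hashlib
from email import policy

# Constructed sample: the DATA section of one SMTP transaction, carrying a
# quoted-printable text part and a base64-encoded attachment ("Hello Suricata!").
SAMPLE_MESSAGE = b"""From: sender@example.test
To: recipient@example.test
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Please find the r=C3=A9sum=C3=A9 attached
--XYZ
Content-Type: application/octet-stream; name="report.bin"
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

SGVsbG8gU3VyaWNhdGEh
--XYZ--
"""


def carve_attachments(raw: bytes) -> list:
    """Decode every leaf MIME part of an SMTP message and describe it.

    This is the work decode-mime performs before filestore can act: without
    it, the rule only ever sees the base64/quoted-printable text on the wire.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    carved = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a file
        payload = part.get_payload(decode=True)  # undoes base64 / QP
        if payload is None:
            continue
        carved.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "")),
            "is_attachment": part.get_content_disposition() == "attachment",
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,  # what would be written to the filestore directory
        })
    return carved


if __name__ == "__main__":
    for rec in carve_attachments(SAMPLE_MESSAGE):
        print({k: v for k, v in rec.items() if k != "data"})
```

Run it as-is to see both parts decoded; swapping `SAMPLE_MESSAGE` for a captured DATA section (via the sample's `email` parser) shows what a `filestore` rule would be given to write out.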