[Oisf-users] SMTP Filecarving

Victor Julien lists at inliniac.net
Mon Nov 3 08:09:25 UTC 2014


On 11/03/2014 09:04 AM, Andreas Moe wrote:
> Yes I did a clean install with install-full (then added my own rule). I
> have seen the output of the SMTP event_types in eve logs, just not
> getting the carving working.

Just like with HTTP file carving, it heavily depends on correct stream
reassembly. So check your checksums, drops, memcaps and all.

Also, obviously starttls sessions won't work. Sessions that use BDAT
instead of DATA commands are also unsupported at this time.

Cheers,
Victor

> 2014-11-03 9:01 GMT+01:00 Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>>:
> 
>     On 11/03/2014 08:48 AM, Andreas Moe wrote:
>     > Hi,
>     >
>     > With the new pull request adding SMTP carving (#1195), I've been
>     > testing this a bit. But, I can't seem to be able to carve any files.
>     > I'm betting the issue is my rule writing skills. Anyone have any tips?
>     >
>     > alert smtp any any -> any any (msg:"TOTAL CAPTURE!"; filestore; sid:1; rev:1;)
>     >
> 
>     Have you updated your yaml to include:
> 
>     app-layer:
>       protocols:
> 
>         smtp:
>           enabled: yes
>           # Configure SMTP-MIME Decoder
>           mime:
>             # Decode MIME messages from SMTP transactions
>             # (may be resource intensive)
>             # This field supersedes all others because it turns the entire
>             # process on or off
>             decode-mime: yes
> 
>             # Decode MIME entity bodies (i.e. base64, quoted-printable, etc.)
>             decode-base64: yes
>             decode-quoted-printable: yes
> 
>             # Maximum bytes per header data value stored in the data structure
>             # (default is 2000)
>             header-value-depth: 2000
> 
>             # Extract URLs and save in state data structure
>             extract-urls: no
> 
>     The SMTP file extraction depends on the 'decode-mime' setting.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Training now available: http://suricata-ids.org/training/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
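A small triage script, added here as an example and not part of this thread or of Suricata itself, that applies the advice above: it reads eve.json, reports SMTP flows that never produced a stored fileinfo record, and lists non-zero stream-health counters (checksum errors, reassembly gaps, memcap drops, capture drops). The sample log lines are constructed, and the stats key paths are assumed from Suricata's eve stats layout rather than taken from the thread.

```python
import json

# Constructed sample eve.json lines (not from the thread): two SMTP flows,
# one stored file on flow 1, and one stats record with stream-health counters.
SAMPLE_EVE = """\
{"timestamp":"2014-11-03T09:00:01.000000+0100","flow_id":1,"event_type":"smtp","app_proto":"smtp","smtp":{"helo":"mail.example.test"}}
{"timestamp":"2014-11-03T09:00:02.000000+0100","flow_id":1,"event_type":"fileinfo","app_proto":"smtp","fileinfo":{"filename":"invoice.pdf","stored":true,"size":4096}}
{"timestamp":"2014-11-03T09:00:03.000000+0100","flow_id":2,"event_type":"smtp","app_proto":"smtp","smtp":{"helo":"relay.example.test"}}
{"timestamp":"2014-11-03T09:00:10.000000+0100","event_type":"stats","stats":{"capture":{"kernel_packets":1000,"kernel_drops":12},"tcp":{"reassembly_gap":3,"invalid_checksum":0,"ssn_memcap_drop":0,"segment_memcap_drop":1},"flow":{"memcap":0}}}
"""

# Counters that point at broken stream reassembly. Key paths are assumed from
# Suricata's eve stats layout; adjust them to match your version's output.
STREAM_HEALTH_COUNTERS = [
    ("capture", "kernel_drops"),
    ("tcp", "invalid_checksum"),
    ("tcp", "reassembly_gap"),
    ("tcp", "ssn_memcap_drop"),
    ("tcp", "segment_memcap_drop"),
    ("flow", "memcap"),
]

def triage_smtp_carving(eve_lines):
    """Summarise SMTP flows seen, flows that stored a file, and any non-zero
    stream-health counters found in stats records."""
    smtp_flows, stored_flows, warnings = set(), set(), {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        if etype == "smtp":
            smtp_flows.add(ev["flow_id"])
        elif etype == "fileinfo" and ev.get("app_proto") == "smtp":
            if ev["fileinfo"].get("stored"):
                stored_flows.add(ev["flow_id"])
        elif etype == "stats":
            for group, name in STREAM_HEALTH_COUNTERS:
                val = ev["stats"].get(group, {}).get(name, 0)
                if val:
                    warnings[f"{group}.{name}"] = val
    return {
        "smtp_flows": len(smtp_flows),
        "flows_with_stored_files": len(stored_flows),
        "smtp_flows_without_stored_files": sorted(smtp_flows - stored_flows),
        "stream_health_warnings": warnings,
    }

if __name__ == "__main__":
    print(json.dumps(triage_smtp_carving(SAMPLE_EVE.splitlines()), indent=2))
```

Run it against a real eve.json (`triage_smtp_carving(open("eve.json"))`); SMTP flows with no stored file plus non-zero drop or gap counters are the first thing to fix before blaming the rule.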