[Oisf-users] Setting up a rule to capture all Javascript files traversing the network

Dave Florek dave.a.florek at gmail.com
Thu Aug 11 20:12:21 UTC 2016


Thanks Peter.

How can I find a list of all the libmagic types to pick out which one
matches Javascript?

On Thu, Aug 11, 2016 at 2:50 PM, Peter Manev <petermanev at gmail.com> wrote:

>
>
> > --
> > Regards,
> > Peter Manev
> > On 11 Aug 2016, at 17:12, Dave Florek <dave.a.florek at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm trying to set up a rule to capture all Javascript (.js) files that
> are traversing my network. Here is the rule I created to do it. The problem
> is that it's giving me more files that are outside the .js extension and
> I'm wondering if the filemagic command has a property for javascript files
> or if there is a better way to construct the rule to capture only .js
> extension types.
> >
> >
> > alert http any any -> any any (msg:"FILEXT js"; flow:established,to_server; filestore; sid:9; rev:1;)
>
>
> The rule above will try to store every single file it sees to disk.
>
> You should employ some additional file keywords (filemagic) in order to
> get just Java scripts. Some more info can be found here -
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords
>
>
> >
> > Thanks in advance,
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
>
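The narrower rules Peter points to, as an added example that is not from the thread: it renders the original rule with the fileext and filemagic keywords (directed to_client, since the browser receives the script in the HTTP response) and shows how to see what libmagic reports for a sample file on your own sensor, which is the string filemagic substring-matches. The sids, the sample script contents and the assumption that file(1) is installed are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Suricata's fileext/filemagic
# keywords and file(1) on the sensor; sids and the sample script are made up.

# Render one rule. $1 = sid, $2 = message, $3 = file keyword(s).
# to_client: the script body travels in the HTTP response towards the
# browser, so to_server (as in the original rule) would miss it.
js_rule() {
  printf 'alert http any any -> any any (msg:"%s"; flow:established,to_client; %s filestore; sid:%s; rev:1;)\n' \
    "$2" "$3" "$1"
}

# Two narrower variants of the thread's rule: match on the .js extension
# Suricata extracts from the HTTP transaction, or on libmagic's description.
js_rules() {
  js_rule 9000001 "JS by extension" 'fileext:"js";'
  js_rule 9000002 "JS by libmagic"  'filemagic:"JavaScript";'
}

# filemagic matches a substring of what libmagic says about the file, and that
# text differs between libmagic versions (older ones call a .js file plain
# "ASCII text"), so check on the sensor itself with a throwaway sample.
# Recent file(1) versions also list every known pattern with: file -l
check_magic() {
  tmp=$(mktemp)
  printf 'function hello() { return "hi"; }\n' > "$tmp"   # constructed sample
  if command -v file >/dev/null 2>&1; then
    file -b "$tmp"            # e.g. "JavaScript source, ASCII text" on recent libmagic
  else
    echo "file(1) not installed"
  fi
  rm -f "$tmp"
}

js_rules
check_magic
```

Whichever description your sensor prints is the string to put in filemagic; if it is only "ASCII text", fall back to the fileext variant.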