[Oisf-users] Setting up a rule to capture all Javascript files traversing the network

Peter Manev petermanev at gmail.com
Thu Aug 11 20:23:51 UTC 2016



> On 11 Aug 2016, at 21:12, Dave Florek <dave.a.florek at gmail.com> wrote:
> 
> Thanks Peter. 
> 
> How can I find a list of all the libmagic types to pick out what's Javascript matching?

The most accurate will be on the system that Suricata runs on - copy over or find a JavaScript file and try -

file somejavascriptfile.js

That should return the filemagic info you are after.


> 
>> On Thu, Aug 11, 2016 at 2:50 PM, Peter Manev <petermanev at gmail.com> wrote:
>> 
>> 
>> > --
>> > Regards,
>> > Peter Manev
>> > On 11 Aug 2016, at 17:12, Dave Florek <dave.a.florek at gmail.com> wrote:
>> >
>> > Hi,
>> >
> > I'm trying to set up a rule to capture all JavaScript (.js) files that are traversing my network. Here is the rule I created to do it. The problem is that it's giving me more files that are outside the .js extension, and I'm wondering if the filemagic command has a property for JavaScript files or if there is a better way to construct the rule to capture only .js extension types.
>> >
>> >
>> > alert http any any -> any any (msg:"FILEXT js"; flow:established,to_server;filestore; sid:9; rev:1;)
>> 
>> 
>> The rule above will try to store every single file it sees to disk.
>> 
>> You should employ some additional file keywords (filemagic) in order to get just JavaScript files. Some more info can be found here -
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords
>> 
>> 
>> >
>> > Thanks in advance,
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> 
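The procedure Peter describes, as an added example that is not part of the thread or of the Suricata project: write a JavaScript file on the sensor host, ask file(1) what libmagic calls it, and turn that description into a filemagic rule. The sample file, the msg text and the sid are constructed placeholders. Note that the example uses flow:to_client, because a script a browser fetches from a web server travels in the HTTP response; a to_server rule only sees files uploaded to the server.

```shell
#!/bin/sh
# Added example, not from the thread: derive the libmagic description the
# sensor gives a JavaScript file and build a Suricata filemagic rule from it.
# The sample file, the rule message and the sid are constructed placeholders.

# Write a constructed JavaScript file into a temp directory and print its path.
make_sample_js() {
  d=$(mktemp -d)
  f="$d/sample.js"
  cat > "$f" <<'EOF'
// constructed sample: enough real syntax for libmagic's JavaScript heuristics
function greet(name) {
  return "Hello, " + name;
}
document.addEventListener("DOMContentLoaded", function () {
  console.log(greet("world"));
});
EOF
  printf '%s\n' "$f"
}

# libmagic's brief description of a file. Run on the Suricata host, this is the
# string that host's libmagic will produce and the filemagic keyword matches on.
magic_of() {
  file -b -- "$1"
}

# Emit a rule that stores only files whose libmagic description contains $1.
# $2 is an optional sid (placeholder default).
build_rule() {
  printf 'alert http any any -> any any (msg:"FILEMAGIC js"; flow:established,to_client; filemagic:"%s"; filestore; sid:%s; rev:1;)\n' "$1" "${2:-9000001}"
}

# Stand-alone demo; only invoke file(1) when it is installed.
if command -v file >/dev/null 2>&1; then
  js=$(make_sample_js)
  m=$(magic_of "$js")
  echo "file(1) says: $m"
  # Keep the part before the first comma, e.g. "JavaScript source". If this
  # libmagic only reports "ASCII text", filemagic cannot single out JavaScript:
  # that string would match every plain-text file on the wire.
  case $m in
    *JavaScript*) build_rule "${m%%,*}" ;;
    *) echo "no JavaScript-specific magic on this host; filemagic:\"$m\" would match every such file" ;;
  esac
  rm -rf "$(dirname "$js")"
fi
```

What file(1) prints depends on the libmagic version installed, which is why the check belongs on the sensor rather than a workstation: older releases describe a script as plain "ASCII text", and even where "JavaScript source" is reported the classification is a heuristic on the file's content, so minified or unusual scripts may fall outside it. If the goal really is "whatever was requested with a .js name" rather than "whatever libmagic thinks is JavaScript", the fileext keyword from the same file-keywords page keys on the filename instead of the content.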