[Oisf-users] Need example of the http_uri with filestore

Erich Lerch erich.lerch at gmail.com
Wed Jun 22 20:46:38 UTC 2016


I prefer doing this making use of two rules, with flowbits.
Something like this:

# first rule matching on hostname and URI, setting the flowbit:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET request"; flow:established,to_server; content:"example.com"; http_host; content:"/file.exe"; http_uri; flowbits:set,catchexe; flowbits:noalert; sid:1; rev:1;)

# second rule checking the flowbit, doing additional checks if required, and
# saving the file:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GET response with filestore"; flowbits:isset,catchexe; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:2; rev:1;)

That way it works reliably. There seems to be a way (according to
to do it with a single rule, didn't try that one so far, though.


On 22.06.2016 15:04, Yuli Stremovsky wrote:
> Hello
> Can anybody give a working example of the suricata rule with saving http
> response using the filestore and checking for the specific uri.
> Thanks
> Yuli
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
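Added example, not from the thread or from Suricata itself: a small Python lint for the two-rule flowbits pattern above. It parses one rule per line and reports bits that a rule tests (isset/isnotset) but no rule ever sets, since such a rule can never fire, and bits that are set but never tested. The sample input and the names find_orphan_bits and SAMPLE_RULES are my own; a deliberately orphaned third rule is included to show the check.

```python
import re

# Constructed sample: the two rules from the thread plus a third rule whose
# flowbit is never set anywhere (so its isset check can never succeed).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET request"; flow:established,to_server; content:"example.com"; http_host; content:"/file.exe"; http_uri; flowbits:set,catchexe; flowbits:noalert; sid:1; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GET response with filestore"; flowbits:isset,catchexe; flow:established,to_client; filemagic:"PE32 executable"; filestore; sid:2; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"orphan check"; flowbits:isset,neverset; filestore; sid:3; rev:1;)
"""

# flowbits:<action>[,<bit>];  -- the bit is optional (e.g. flowbits:noalert;)
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)(?:\s*,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_flowbits(rules_text):
    """Return {sid: [(action, bit_or_None), ...]} for each non-comment rule line."""
    per_sid = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # not a complete rule line; ignore
        ops = [(action, arg.strip() or None) for action, arg in FLOWBITS_RE.findall(line)]
        per_sid[int(sid_match.group(1))] = ops
    return per_sid

def find_orphan_bits(rules_text):
    """Return (never_set, never_tested): bit name -> set of sids referencing it."""
    setters, testers = {}, {}
    for sid, ops in parse_flowbits(rules_text).items():
        for action, bit in ops:
            if not bit:
                continue
            if action in ('set', 'toggle'):
                setters.setdefault(bit, set()).add(sid)
            elif action in ('isset', 'isnotset'):
                testers.setdefault(bit, set()).add(sid)
    never_set = {b: s for b, s in testers.items() if b not in setters}
    never_tested = {b: s for b, s in setters.items() if b not in testers}
    return never_set, never_tested

if __name__ == '__main__':
    never_set, never_tested = find_orphan_bits(SAMPLE_RULES)
    print('tested but never set:', never_set)      # {'neverset': {3}}
    print('set but never tested:', never_tested)   # {}
```

The lint only covers flowbit pairing; for the filestore keyword to actually write files, the file-store output must also be enabled in suricata.yaml.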
