[Oisf-users] Dumping data from the buffers

Francis Trudeau ftrudeau at emergingthreats.net
Wed Dec 27 00:16:44 UTC 2017

I don't have an answer to your question but would like to see what
you're seeing.

Do you have a pcap and/or an example of the rule you are using?  Are
you using the SMTP keywords or the base64 keywords?

Offlist and/or sanitized is fine if anything is sensitive.

On Wed, Dec 20, 2017 at 7:56 AM,  <secres at linuxmail.org> wrote:
> I've been having issues with detecting data in MIME base64 encoded packets.
> There seems to be an issue either with the depth in which Suricata can
> inspect using file_data or it doens't seem to be able to decode the base64
> properly.  Some traffic I can detect elements in the file_data buffer but to
> a certain limit and other times I can't even get anything from the first
> part of the buffer.
> I've enabled debugging but that only show me the base64 encoded packet int
> he logs.  I an decode the part myself but that doesn't tell me if Suricata
> is seeing the same thing or not.  Is there a way to dump file_data or any
> other buffer either to a file or to the screen?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list