[Oisf-users] Dumping data from the buffers

Francis Trudeau ftrudeau at emergingthreats.net
Wed Dec 27 00:16:44 UTC 2017


I don't have an answer to your question but would like to see what
you're seeing.

Do you have a pcap and/or an example of the rule you are using?  Are
you using the SMTP keywords or the base64 keywords?

Offlist and/or sanitized is fine if anything is sensitive.
On Wed, Dec 20, 2017 at 7:56 AM,  <secres at linuxmail.org> wrote:
> I've been having issues with detecting data in MIME base64 encoded packets.
> There seems to be an issue either with the depth to which Suricata can
> inspect using file_data, or it doesn't seem to be able to decode the base64
> properly.  In some traffic I can detect elements in the file_data buffer, but only
> up to a certain limit, and other times I can't even get anything from the first
> part of the buffer.
>
> I've enabled debugging, but that only shows me the base64 encoded packet in
> the logs.  I can decode the part myself, but that doesn't tell me if Suricata
> is seeing the same thing or not.  Is there a way to dump file_data or any
> other buffer either to a file or to the screen?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
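The question above is about matching inside base64-encoded MIME bodies, and the reply asks whether the SMTP/MIME keywords or the base64 keywords are in use. The following is an added example, not code from this thread or from the Suricata project, that shows why a plain byte match on the undecoded stream fails and why a decoded buffer is needed at all: the same plaintext produces three different base64 substrings depending on its 3-byte alignment, and MIME wraps the encoded text at 76 characters, so the encoding of a short marker can straddle a line break. The message, the marker `SECRET-MARKER` and the attachment name are constructed for the example; the script uses only the Python standard library and makes no claim about how Suricata fills its buffers.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed sample marker: stands in for whatever bytes a rule is meant to find.
NEEDLE = b"SECRET-MARKER"


def build_sample_message(payload: bytes) -> bytes:
    """Build a MIME message carrying `payload` as a base64 attachment, the shape an
    SMTP DATA body has on the wire (constructed sample, not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # Binary content is base64-encoded by the stdlib and wrapped at 76 characters.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    return msg.as_bytes()


def aligned_core(needle: bytes, shift: int) -> bytes:
    """Base64 characters that are fully determined by `needle` when it starts `shift`
    bytes (0..2) past a 3-byte boundary; surrounding bytes cannot alter these."""
    enc = base64.b64encode(b"\x00" * shift + needle + b"\x00" * 2)
    first = -(-8 * shift // 6)                    # ceil: first char covering only needle bits
    last = (8 * (shift + len(needle)) - 6) // 6   # floor: last such char, inclusive
    return enc[first:last + 1]


def alignment_variants(needle: bytes) -> list:
    """The three distinct encodings a rule would need to cover on raw base64 text."""
    return [aligned_core(needle, s) for s in range(3)]


def find_in_raw(raw: bytes, needle: bytes) -> int:
    """A plain byte search over the undecoded message, as a content match on the
    raw stream would do."""
    return raw.find(needle)


def find_in_decoded(raw: bytes, needle: bytes) -> int:
    """Offset of `needle` inside the decoded attachment body, or -1."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        off = part.get_payload(decode=True).find(needle)
        if off != -1:
            return off
    return -1


def encoding_spans_line_break(raw: bytes, needle: bytes) -> bool:
    """True when the base64 characters encoding `needle` straddle a MIME line wrap,
    so even the alignment-correct variant is split across two wire lines."""
    msg = message_from_bytes(raw, policy=default)
    part = next(msg.iter_attachments())
    off = part.get_payload(decode=True).find(needle)
    core = aligned_core(needle, off % 3).decode("ascii")
    wire_lines = part.get_payload().splitlines()   # base64 text as sent, one wire line each
    start = "".join(wire_lines).find(core)
    end = start + len(core)
    seen = 0
    for line in wire_lines:
        if seen <= start < seen + len(line):
            return end > seen + len(line)
        seen += len(line)
    return False


if __name__ == "__main__":
    # 54 leading bytes put the marker at a 3-byte boundary but right before the first wrap.
    sample = build_sample_message(b"A" * 54 + NEEDLE + b"B" * 50)
    for v in alignment_variants(NEEDLE):
        print("base64 variant:", v.decode("ascii"))
    print("raw search offset:", find_in_raw(sample, NEEDLE))
    print("decoded search offset:", find_in_decoded(sample, NEEDLE))
    print("encoding crosses a line wrap:", encoding_spans_line_break(sample, NEEDLE))
```

The raw search never hits: the hyphen in the marker is not a base64 character, and each of the three alignment variants is a different string. Searching the decoded attachment finds the marker at the offset it was placed, which is the view a MIME-aware buffer has to provide; if a rule only matches up to a certain depth, the thing to confirm is how much of that decoded body the engine actually hands to the buffer, not whether the base64 itself looks right in a packet dump.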
