[Oisf-users] problem with filestore

Cooper F. Nelson cnelson at ucsd.edu
Thu Mar 9 17:48:14 UTC 2017


That's not how the file extraction rules work.  You can match on file
name, extension and "magic".

If you want to match on content you need to use the filemagic keyword
and build a custom magic file.  Details are here:

> http://stackoverflow.com/questions/7236191/how-to-create-a-custom-magic-file-database

You just define a pattern to match against (like
"eval(function(p,a,c,k,e,d)") and then label it ("Javascript eval packed").
Libmagic does the context match, Suricata matches against the returned
label.  So your rule would look like this:

> alert http any any -> any any (msg:"FILE packed javascript detected"; filemagic:"Javascript eval packed"; filestore; sid:3; rev:1;)

-Coop

On 3/9/2017 6:25 AM, erik clark wrote:
> I can't get filestore to work with this rule:
> 
> alert tcp $external any -> $home any (msg:"bleh"; file_data;
> content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; filestore;
> flowbits:isset,menu.js;....)
> 
> Why can't I run filestore on this? I need to capture the entire file that
> the sig fired on, but suri says something about conflicting keywords....
> 
> Thanks!


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
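To make the flow Cooper describes concrete (a custom magic entry turns file bytes into a text label, and Suricata's filemagic keyword then matches on part of that label), here is an added example that is not code from this thread, from Suricata or from libmagic. It implements a toy subset of the magic(5) file syntax (only the `string` type at a fixed offset and `search/N` within a byte range, first matching entry wins), uses a constructed magic database and constructed sample files, and relies on the documented Suricata behaviour that filemagic matches when its argument is a substring of the libmagic output:

```python
"""Toy subset of the libmagic 'magic file' format, to show how a custom
magic entry labels file content and how a filemagic keyword matches that
label. Added illustration; not Suricata's or libmagic's own code."""
import re

# Constructed sample database in a subset of magic(5) syntax:
#   <offset> <type>[/<range>] <pattern> <label>
# Real magic files support many more types, escapes and continuation lines.
CUSTOM_MAGIC = """\
# hypothetical custom magic database
0 string eval(function(p,a,c,k,e,d) Javascript eval packed
0 search/4096 eval(function(p,a,c,k,e,d) Javascript eval packed (embedded)
0 string MZ PE executable (MS-DOS stub)
"""

_LINE = re.compile(r"^(\d+)\s+(string|search(?:/(\d+))?)\s+(\S+)\s+(.*)$")


def parse_magic(text):
    """Return a list of (offset, kind, span, pattern_bytes, label) tuples.

    Only 'string' (exact bytes at offset) and 'search/N' (pattern anywhere in
    the N bytes following offset) are understood; blank and '#' lines skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported magic line: {raw!r}")
        offset, kind, span, pattern, label = m.groups()
        kind = "search" if kind.startswith("search") else "string"
        entries.append((int(offset), kind, int(span) if span else 0,
                        pattern.encode(), label.strip()))
    return entries


def classify(data, entries):
    """Return the label of the first entry that matches the file bytes,
    in the spirit of file(1) output, or 'data' when nothing matches.
    (Real libmagic also sorts entries by strength; this toy is first-match.)"""
    for offset, kind, span, pattern, label in entries:
        if kind == "string":
            if data[offset:offset + len(pattern)] == pattern:
                return label
        else:  # search: pattern anywhere within 'span' bytes from offset
            window = data[offset:offset + span + len(pattern)]
            if pattern in window:
                return label
    return "data"


def filemagic_matches(label, keyword):
    """Suricata's filemagic keyword matches on a part of the libmagic
    output, i.e. a substring test against the returned label."""
    return keyword in label


# Constructed sample files (not real captures).
PACKED_JS = (b"eval(function(p,a,c,k,e,d){e=function(c){return c};"
             b"return p}('x',0,0,[],0,{}))")
HTML_WITH_PACKED = b"<html><script>\n" + PACKED_JS + b"</script></html>"
PLAIN_JS = b"function hello(){return 1;}"

if __name__ == "__main__":
    entries = parse_magic(CUSTOM_MAGIC)
    for name, blob in [("packed.js", PACKED_JS),
                       ("page.html", HTML_WITH_PACKED),
                       ("plain.js", PLAIN_JS)]:
        label = classify(blob, entries)
        hit = filemagic_matches(label, "Javascript eval packed")
        print(f"{name}: libmagic -> {label!r}; filemagic match: {hit}")
```

The second database entry shows why the label, not the raw content, is what the rule sees: a packed eval() buried inside an HTML page yields a different label than a bare packed script, yet `filemagic:"Javascript eval packed"` matches both because the match is on a substring of the label.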
