[Oisf-users] problem with filestore

erik clark philosnef at gmail.com
Fri Mar 10 17:36:20 UTC 2017

There is a giant problem with using a magic entry though. I have absolutely
no idea where in the file that packed statement would be; it might be 30
bytes in, it might be 300 bytes in, or more. Because of this, I have no
offset I can provide to begin looking for the string. Even when I specify
it with

0 string $hexhere packed

and use my custom magic file, it still comes back as text/plain.

I tested this with a 5 byte text file containing "dos" and the following

0    string   \x64\x6f\x73    pack

and then did magic -C -m magic_file
file -i -m magic_file.mgc $testfile

No matter what I try, this comes back as an ASCII file....

On Thu, Mar 9, 2017 at 12:48 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> That's not how the file extraction rules work.  You can match on file
> name, extension and "magic".
> If you want to match on content you need to use the filemagic keyword
> and build a custom magic file.  Details are here:
> http://stackoverflow.com/questions/7236191/how-to-create-a-custom-magic-file-database
> You just define a pattern to match against (like
> "eval(function(p,a,c,k,e,d)" and then label it (Javascript eval packed).
> Libmagic does the context match, suricata matches against the returned
> label.  So your rule would look like this:
> alert http any any -> any any (msg:"FILE packed javascript detected";
> filemagic:"Javascript eval packed"; filestore; sid:3; rev:1;)
> -Coop
> On 3/9/2017 6:25 AM, erik clark wrote:
> > I can't get filestore to work with this rule:
> >
> > alert tcp $external any -> $home any (msg:"bleh"; file_data;
> > content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; filestore;
> > flowbits:isset,menu.js;....)
> >
> > Why can't I run filestore on this? I need to capture the entire file that
> > the sig fired on, but suri says something about conflicting keywords....
> >
> > Thanks!
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042