[Oisf-users] problem with filestore
erik clark
philosnef at gmail.com
Fri Mar 10 17:36:20 UTC 2017
There is a giant problem with using a magic entry though. I have absolutely
no idea where in the file that packed statement would be; It might be 30
bytes in, it might be 300 bytes in, or more. Because of this, I have no
offset I can provide to begin looking for the string. Even when I specifiy
it with
0 string $hexhere packed
and use my custom magic file, it still comes back as text/plainl
charset=us-ascii.
I tested this with a 5 byte text file containing "dos" and the following
sig:
0 string \x64\x6f\x73 pack
and then did magic -C -m magic_file
file -i -m magic_file.mgc $testfile
No matter what I try, this comes back as an ascii file....
On Thu, Mar 9, 2017 at 12:48 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> That's not how the file extraction rules work. You can match on file
> name, extension and "magic".
>
> If you want to match on content you need to use the filemagic keyword
> and build a custom magic file. Details are here:
>
> > http://stackoverflow.com/questions/7236191/how-to-create-a-
> custom-magic-file-database
>
> You just define a pattern to match against (like
> "eval(function(p,a,c,k,e,d)" and then label it (Javascript eval packed).
> Libmagic does the context match, suricata matches against the returned
> label. So your rule would look like this:
>
> > alert http any any -> any any (msg:"FILE packed javascript detected";
> filemagic:"Javascript eval packed"; filestore; sid:3; rev:1;)
>
> -Coop
>
> On 3/9/2017 6:25 AM, erik clark wrote:
> > I cant get filestore to work with this rule:
> >
> > alert tcp $external any -> $home any (msg"bleh"; file_data;
> > content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; filestore;
> > flowbits:isset,menu.js;....)
> >
> > Why cant I run filestore on this? I need to capture the entire file that
> > the sig fired on, but suri says something about conflicting keywords....
> >
> > Thanks!
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170310/d3491476/attachment-0002.html>
More information about the Oisf-users
mailing list