[Oisf-users] problem with filestore

Cooper F. Nelson cnelson at ucsd.edu
Fri Mar 10 18:07:27 UTC 2017


Yeah unfortunately I'm not an expert on libmagic, so I don't know what
the limitations are.

What version of suricata are you running?  Victor Julien has said that
your sig loads fine for him, which if it works implies you can now do
file extraction using hyperscan, instead of libmagic.  So, for example,
you could add the 'filestore' keyword to the 'ET POLICY PE EXE or DLL
Windows file download HTTP' and avoid the overhead of libmagic entirely.

I just tested this on v3.2.1 and it's working for PE http downloads!
This is a *huge* win as libmagic kills performance.

This is documented, but I guess I missed this as a feature addition.

> http://suricata.readthedocs.io/en/latest/rules/file-keywords.html?highlight=filestore

I'm copying Victor as you should probably put a note in the
documentation to avoid using the 'libmagic' keyword, as it really
impacts performance on a busy sensor.

-Coop

On 3/10/2017 9:36 AM, erik clark wrote:
> There is a giant problem with using a magic entry though. I have
> absolutely no idea where in the file that packed statement would be; It
> might be 30 bytes in, it might be 300 bytes in, or more. Because of
> this, I have no offset I can provide to begin looking for the string.
> Even when I specify it with


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
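The approach described above (extracting PE downloads with `filestore` on a content match, without the `filemagic` keyword), as an added example written for this thread rather than taken from the ET ruleset or the list post. Assumptions: `file-store` is enabled in suricata.yaml, the sid values and msg strings are placeholders, and the `MZ` / `PE\0\0` check is a loose header test rather than a full PE parse.

```suricata
# Constructed example, not from the thread: extract Windows PE downloads over
# HTTP by matching the DOS and PE headers in the response body. No filemagic,
# so libmagic is never invoked for this rule.
alert http any any -> $HOME_NET any (msg:"EXAMPLE POLICY PE EXE or DLL download via HTTP (filestore, no libmagic)"; flow:established,to_client; file_data; content:"MZ"; depth:2; content:"PE|00 00|"; distance:0; filestore; classtype:policy-violation; sid:9000001; rev:1;)

# The variant the message warns about for comparison: filemagic runs libmagic
# on every file seen on the HTTP stream before the match can be decided.
alert http any any -> $HOME_NET any (msg:"EXAMPLE POLICY PE download via filemagic (slow on a busy sensor)"; flow:established,to_client; filemagic:"for MS Windows"; filestore; classtype:policy-violation; sid:9000002; rev:1;)
```

Run `suricata -T -c suricata.yaml -S example.rules` to confirm both signatures load before deploying; stored files land in the `log-dir` configured under `file-store`.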
