[Oisf-users] problem with filestore

Cooper F. Nelson cnelson at ucsd.edu
Thu Mar 16 17:11:47 UTC 2017

You should still compile your own magic file if you are using the
'filemagic' keyword, unless you have very little traffic or lots of
extra cores.  Using the default magic file cuts your performance in
half, at least.

It's not that I'm doing the file extraction with hyperscan, it's that in
one of the 3-series builds there was feature addition that allows you to
simply add the 'filestore' keyword to existing rules.  So I just added
that to the existing policy rule, which uses the hyperscan matcher:

> policy.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; filestore; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3;)

This is *way* more efficient than using libmagic.

The documentation is kind of light here, but it looks like you can even
treat TCP flows as 'files' and log them as well, including leveraging
the arbitrary stream tracking feature.


On 3/16/2017 7:08 AM, Peter Manev wrote:
> Cooper -  how do you do the file extraction with hyperscan in your case?
> You still need to compile your own magic or?

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170316/fb5fceec/attachment-0002.sig>

More information about the Oisf-users mailing list