[Oisf-users] File extraction questions and clarification
Jeremy A. Grove
jgrove at quadrantsec.com
Mon Jan 8 20:11:38 UTC 2018
Hi,
I am using file extraction with Suricata version 4.0.0 RELEASE. The files are extracting with a few issues that I am not sure how to explain. I am only downloading EXE type files. The rules are below. The problem is that, although the EXE files are downloaded, there are a lot of files with the Magic of "data" that are also downloaded. How can I prevent this?
alert http any any -> any any (msg:"FILE magic -- DOS 1"; flow:established,to_client; filemagic:"COM executable for DOS"; filestore; sid:28; rev:1;)
alert http any any -> any any (msg:"FILE magic -- DOS 2"; flow:established,to_client; filemagic:"DOS executable (block device driver)"; filestore; sid:29; rev:1;)
alert http any any -> any any (msg:"FILE magic -- DOS 3"; flow:established,to_client; filemagic:"DOS executable (COM)"; filestore; sid:30; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 2"; flow:established,to_client; filemagic:"PE32 executable (DLL) (console) Intel 80386 Mono\/.Net assembly, for MS Windows"; filestore; sid:31; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 3"; flow:established,to_client; filemagic:"PE32+ executable (DLL) (console) x86-64, for MS Windows"; filestore; sid:32; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 4"; flow:established,to_client; filemagic:"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"; filestore; sid:33; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 5"; flow:established,to_client; filemagic:"PE32 executable (GUI) Intel 80386, for MS Windows"; filestore; sid:34; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 5"; flow:established,to_client; filemagic:"PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows"; filestore; sid:35; rev:1;)
alert http any any -> any any (msg:"FILE magic -- windows 6"; flow:established,to_client; filemagic:"PE32+ executable (GUI) x86-64, for MS Windows"; filestore; sid:36; rev:1;)
Secondly, I am not entirely sure of the purpose of the "max-open-files:" option as shown below. In what case would I want to have something other than default?

  - file-store:
      enabled: yes        # set to yes to enable
      log-dir: files      # directory to store the files
      force-magic: yes    # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      force-hash: [md5]
      force-filestore: no # force storing of all files
      # override global stream-depth for sessions in which we want to
      # perform file extraction. Set to 0 for unlimited.
      stream-depth: 0
      #waldo: file.waldo  # waldo file to store the file_id across runs
      # uncomment to disable meta file writing
      #write-meta: no
      # uncomment the following variable to define how many files can
      # remain open for filestore by Suricata. Default value is 0 which
      # means files get closed after each write
      #max-open-files: 1000
Any help will be appreciated.
Jeremy Grove, SSCP
Senior Information Security Analyst
Quadrant Information Security
Learn more about our managed SIEM [ https://a.quadrantsec.com/3D%22https://quadrantsec.com/SaganMSSP%22 | people + product ]
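Added example, not part of the original post and not Suricata project code: a small Python triage script for the extracted-file directory described above (the `log-dir: files` location, which in this configuration also holds the sidecar `.meta` files). It does not answer why Suricata stored the "data" files, but it lets a defender separate them from real executables after the fact by reading each stored body directly: a DOS `MZ` header, then the `e_lfanew` offset at 0x3C, then the `PE\0\0` signature it points to. A body with an `MZ` header whose PE signature lies beyond the end of the file is reported separately, since that is what a truncated extraction looks like. The directory name, the `.meta` suffix and the sample bodies are assumptions constructed for the demo.

```python
import hashlib
import os
import struct
import tempfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def classify(data: bytes) -> str:
    """Coarse type of one extracted file body.

    'pe'      : MZ header and a PE signature at the e_lfanew offset
    'mz-only' : MZ header but the PE signature is missing or lies past
                the end of the body (plain DOS program, or an extraction
                that was cut short)
    'data'    : anything else (what libmagic reports as "data" or text)
    """
    # The DOS header is 0x40 bytes; e_lfanew is the DWORD at 0x3C.
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "pe"
    return "mz-only"


def triage_dir(path: str) -> dict:
    """Map each stored file name to (class, md5, size), skipping .meta sidecars."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name.endswith(".meta"):
            continue
        with open(full, "rb") as fh:
            body = fh.read()
        results[name] = (classify(body), hashlib.md5(body).hexdigest(), len(body))
    return results


def build_samples():
    """Constructed sample bodies: a minimal PE-shaped blob, a truncated copy, and HTML."""
    pe = bytearray(MZ_MAGIC + b"\0" * 0x3A)   # 0x3C bytes of DOS header
    pe += struct.pack("<I", 0x80)              # e_lfanew -> 0x80
    pe += b"\0" * (0x80 - len(pe))             # DOS stub padding
    pe += PE_SIGNATURE + b"\0" * 20            # PE signature + a little header space
    truncated = bytes(pe[:0x50])               # cut before e_lfanew is reachable
    html = b"<html><body>not an executable</body></html>"
    return bytes(pe), truncated, html


def demo() -> dict:
    """Write the constructed samples into a throwaway 'files' dir and triage it."""
    pe, truncated, html = build_samples()
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "files")       # assumed log-dir layout
        os.mkdir(store)
        for name, body in (("file.1", pe), ("file.2", truncated), ("file.3", html)):
            with open(os.path.join(store, name), "wb") as fh:
                fh.write(body)
            with open(os.path.join(store, name + ".meta"), "w") as fh:
                fh.write("constructed sidecar, ignored by triage\n")
        return triage_dir(store)


if __name__ == "__main__":
    for name, (kind, md5, size) in demo().items():
        print(f"{name:8} {kind:8} {size:6d} bytes  md5={md5}")
```

Point `triage_dir()` at the real `files` directory to get the same per-file classification; anything reported as `data` or `mz-only` is a candidate for the "wrong magic" problem in the question and can be reviewed against its `.meta` sidecar without touching the rules.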