[Oisf-users] Dumping data from the buffers

Duane Howard duane.security at gmail.com
Wed Jan 31 16:50:54 UTC 2018


This is actually a really interesting feature idea for debugging and
testing rules, maybe something like --dump-buffers in debug mode? Feed
Suricata a pcap, dump out some sort of JSON structure that shows exactly
how each buffer (normalized/raw/etc.) is being populated? I've had a few
times where this might've come in handy.

On Tue, Dec 26, 2017 at 4:16 PM, Francis Trudeau <
ftrudeau at emergingthreats.net> wrote:

> I don't have an answer to your question but would like to see what
> you're seeing.
>
> Do you have a pcap and/or an example of the rule you are using?  Are
> you using the SMTP keywords or the base64 keywords?
>
> Offlist and/or sanitized is fine if anything is sensitive.
>
> On Wed, Dec 20, 2017 at 7:56 AM,  <secres at linuxmail.org> wrote:
> > I've been having issues with detecting data in MIME base64 encoded
> > packets. There seems to be an issue either with the depth to which
> > Suricata can inspect using file_data, or it doesn't seem to be able to
> > decode the base64 properly. In some traffic I can detect elements in the
> > file_data buffer but only up to a certain limit, and other times I can't
> > even get anything from the first part of the buffer.
> >
> > I've enabled debugging but that only shows me the base64 encoded packet
> > in the logs. I can decode the part myself but that doesn't tell me if
> > Suricata is seeing the same thing or not. Is there a way to dump file_data
> > or any other buffer either to a file or to the screen?
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
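The "what is actually in file_data" question raised in the quoted thread can be approximated offline. The script below is an added example, not code from Suricata or from anyone on this thread: it parses a captured SMTP message body with Python's standard email library, applies the MIME transfer decoding (base64 here), and emits one JSON record per part plus the offset at which a given byte pattern occurs in the decoded bytes, so a rule author can see whether a depth limit would cut the match off. It assumes the engine's MIME decoder exposes the transfer-decoded part bytes as the buffer being inspected; the SMTP message is constructed, not a real capture.

```python
"""Show what a MIME-aware inspection buffer (file_data-style) would hold for
each part of an SMTP message, and where a pattern lands in the decoded bytes.

Added example for rule debugging; not Suricata code. Assumes the engine hands
the transfer-decoded part payload to the rule engine as the inspected buffer.
"""
import base64
import email
import json
from email import policy

# Constructed sample attachment: a PDF-like header, 120 bytes of filler, then
# a keyword a detection rule might look for. "/JavaScript" starts at offset 129.
ATTACHMENT_PLAINTEXT = b"%PDF-1.7\n" + b"0" * 120 + b"/JavaScript\n%%EOF\n"

# Constructed SMTP DATA payload: a text part plus the base64-encoded attachment.
SAMPLE_SMTP_DATA = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/octet-stream; name=\"report.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
    b"\r\n"
    + base64.encodebytes(ATTACHMENT_PLAINTEXT)
    + b"--XYZ--\r\n"
)


def _decoded_parts(raw_message: bytes):
    """Yield (index, part, decoded_bytes) for every non-container MIME part.

    get_payload(decode=True) undoes the Content-Transfer-Encoding, which is
    the step the original poster could not observe from the debug log."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        yield idx, part, part.get_payload(decode=True) or b""


def dump_file_data(raw_message: bytes) -> list:
    """Return one JSON-serialisable record per part: what the buffer holds."""
    records = []
    for idx, part, decoded in _decoded_parts(raw_message):
        records.append({
            "part": idx,
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "filename": part.get_filename(),
            "decoded_length": len(decoded),
            "preview_hex": decoded[:16].hex(),
            "preview_ascii": decoded[:32].decode("ascii", "replace"),
        })
    return records


def find_pattern(raw_message: bytes, pattern: bytes) -> list:
    """Locate `pattern` in each decoded part and report the depth a content
    match would need to cover it (offset + pattern length)."""
    hits = []
    for idx, _part, decoded in _decoded_parts(raw_message):
        offset = decoded.find(pattern)
        if offset != -1:
            hits.append({"part": idx, "offset": offset,
                         "required_depth": offset + len(pattern)})
    return hits


if __name__ == "__main__":
    print(json.dumps(dump_file_data(SAMPLE_SMTP_DATA), indent=2))
    print(json.dumps(find_pattern(SAMPLE_SMTP_DATA, b"/JavaScript"), indent=2))
```

Running it prints the decoded length and a hex/ASCII preview of each part, then reports that the keyword sits at offset 129 of the attachment and therefore needs an inspection depth of at least 140 bytes to be reachable; if a rule using a smaller depth fails on traffic like this, the decoding is fine and the depth is the problem.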