[Oisf-users] File extraction questions and clarification
Cooper F. Nelson
cnelson at ucsd.edu
Mon Jan 8 20:19:43 UTC 2018
I personally wouldn't use the 'filemagic:' keyword. It has a crazy
amount of overhead unless you compile your own magic file.
Instead I would suggest just adding the 'filestore' keyword to the ET
POLICY PE/DLL Windows file download rule (sid:2018959). This has the
added benefit of not storing a ton windows updates.
-Coop
On 1/8/2018 12:11 PM, Jeremy A. Grove wrote:
> Hi
>
> I am using file extraction with Suricata version 4.0.0 RELEASE. The
> files are extracting with a few issues that I am not sure how to
> explain. I am only downloading EXE type files. The rules are
> below. The problem is that, although the EXE files are downloaded,
> there are alot of files with the Magic of "data" that are also
> downloaded. How can I prevent this?
>
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180108/f056cf20/attachment-0002.sig>
More information about the Oisf-users
mailing list