[Oisf-users] Magic/ File extraction

Carl Rotenan carlrotenan at gmail.com
Thu Sep 6 18:28:49 UTC 2018


Hello,

I have thousands of examples of file extraction failing because of what
appears to be unknown information across both the latest stable and beta
releases.

In the example below, the HTTP URI, HOST, REFERER, and USER AGENT are
unknown and this seems to trigger file extraction even though in the rule I
have specified only to extract PDF files.

Anyone have any thoughts on fixing this? My goal is to only collect 20 or
so filetypes for extraction and not have to recheck to see if the file was
extracted in error.

[root at localhost files]# cat file.1048.meta
TIME:              08/16/2018-18:52:47.898829
SRC IP:            172.16.221.101
DST IP:            172.16.221.120
PROTO:             6
SRC PORT:          80
DST PORT:          51680
APP PROTO:         http
HTTP URI:          <unknown>
HTTP HOST:         <unknown>
HTTP REFERER:      <unknown>
HTTP USER AGENT:   <unknown>
FILENAME:          /yellow/
MAGIC:             HTML document, ASCII text, with CRLF line terminators
STATE:             CLOSED
SIZE:              4958
[root at localhost files]# cat /etc/suricata/rules/foo.rules
alert http any any -> any any (msg:"any file"; filemagic:"PDF"; filestore; sid:1; rev:1;)

Thanks,

Carl
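A small triage helper for the situation described in this post, added here as an example; it is not code from the original post or from the Suricata project. It parses the `.meta` records that Suricata writes beside each stored file (the key/value layout follows the `cat file.1048.meta` output above), flags every stored file whose `MAGIC` does not start with one of the types the rules were meant to keep, and notes whether the record also has all of its HTTP context fields set to `<unknown>`, which is the pattern the post associates with the misfires. The list of wanted magic prefixes, the second sample record, and the `scan_directory` helper are assumptions standing in for the poster's "20 or so filetypes" and real extraction directory.

```python
"""Flag Suricata file-extraction records whose libmagic type is not one the
rules were supposed to store.

Added example, not Suricata's own code. The .meta layout mirrors the record
quoted in the mailing-list post; WANTED_MAGIC_PREFIXES is an assumption.
"""
from pathlib import Path
from typing import Dict, List

# Assumption: the magic prefixes the filestore rules were written to keep.
WANTED_MAGIC_PREFIXES = ("PDF document",)

HTTP_CONTEXT_KEYS = ("HTTP URI", "HTTP HOST", "HTTP REFERER", "HTTP USER AGENT")

# Constructed sample input: the record quoted in the post, plus one
# constructed record for a store that matched the rule as intended.
SAMPLE_META: Dict[str, str] = {
    "file.1048.meta": (
        "TIME:              08/16/2018-18:52:47.898829\n"
        "SRC IP:            172.16.221.101\n"
        "DST IP:            172.16.221.120\n"
        "PROTO:             6\n"
        "SRC PORT:          80\n"
        "DST PORT:          51680\n"
        "APP PROTO:         http\n"
        "HTTP URI:          <unknown>\n"
        "HTTP HOST:         <unknown>\n"
        "HTTP REFERER:      <unknown>\n"
        "HTTP USER AGENT:   <unknown>\n"
        "FILENAME:          /yellow/\n"
        "MAGIC:             HTML document, ASCII text, with CRLF line terminators\n"
        "STATE:             CLOSED\n"
        "SIZE:              4958\n"
    ),
    "file.1049.meta": (  # constructed, not from the post
        "TIME:              08/16/2018-18:53:01.000000\n"
        "SRC IP:            172.16.221.101\n"
        "DST IP:            172.16.221.120\n"
        "PROTO:             6\n"
        "SRC PORT:          80\n"
        "DST PORT:          51682\n"
        "APP PROTO:         http\n"
        "HTTP URI:          /docs/report.pdf\n"
        "HTTP HOST:         intranet.example\n"
        "HTTP REFERER:      <unknown>\n"
        "HTTP USER AGENT:   curl/7.61.0\n"
        "FILENAME:          /docs/report.pdf\n"
        "MAGIC:             PDF document, version 1.4\n"
        "STATE:             CLOSED\n"
        "SIZE:              10240\n"
    ),
}


def parse_meta(text: str) -> Dict[str, str]:
    """Turn 'KEY:   value' lines into a dict; splits on the first colon only,
    so values containing colons (the TIME field) survive intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields[key.strip()] = value.strip()
    return fields


def is_wanted(magic: str) -> bool:
    """True when the libmagic description matches a type we meant to store."""
    return magic.startswith(WANTED_MAGIC_PREFIXES)


def http_context_missing(fields: Dict[str, str]) -> bool:
    """True when the transaction is HTTP but every HTTP field is <unknown>."""
    if fields.get("APP PROTO") != "http":
        return False
    return all(fields.get(k, "<unknown>") == "<unknown>" for k in HTTP_CONTEXT_KEYS)


def find_misfires(metas: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one record per stored file whose magic is not a wanted type."""
    misfires: List[Dict[str, object]] = []
    for name, text in sorted(metas.items()):
        fields = parse_meta(text)
        magic = fields.get("MAGIC", "")
        if is_wanted(magic):
            continue
        misfires.append({
            "file": name,
            "magic": magic,
            "size": fields.get("SIZE", "?"),
            "no_http_context": http_context_missing(fields),
        })
    return misfires


def scan_directory(path: str) -> List[Dict[str, object]]:
    """Read every *.meta under an extraction directory (assumed layout) and
    run the same check over the real records."""
    metas = {p.name: p.read_text(errors="replace") for p in Path(path).glob("*.meta")}
    return find_misfires(metas)


if __name__ == "__main__":
    for rec in find_misfires(SAMPLE_META):
        print(f"{rec['file']}: {rec['magic']} ({rec['size']} bytes); "
              f"HTTP context missing: {rec['no_http_context']}")
```

Running it on the constructed sample reports `file.1048.meta` only; pointing `scan_directory` at the real files directory gives a list to review instead of re-checking every stored file by hand.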