[Oisf-users] Magic/ File extraction

Carl Rotenan carlrotenan at gmail.com
Thu Sep 6 18:28:49 UTC 2018


I have thousands of examples of file extraction failing because of what
appears to be unknown information across both the latest stable and beta.

In the example below, the HTTP URI, HOST, REFERER, and USER AGENT are
unknown and this seems to trigger file extraction even though in the rule I
have specified only to extract PDF files.

Anyone have any thoughts on fixing this? My goal is to only collect 20 or
so filetypes for extraction and not have to recheck to see if the file was
extracted in error.

[root at localhost files]# cat file.1048.meta
TIME:              08/16/2018-18:52:47.898829
PROTO:             6
SRC PORT:          80
DST PORT:          51680
APP PROTO:         http
HTTP URI:          <unknown>
HTTP HOST:         <unknown>
HTTP REFERER:      <unknown>
HTTP USER AGENT:   <unknown>
FILENAME:          /yellow/
MAGIC:             HTML document, ASCII text, with CRLF line terminators
STATE:             CLOSED
SIZE:              4958
[root at localhost files]# cat /etc/suricata/rules/foo.rules

alert http any any -> any any (msg:"any file"; filemagic:"PDF"; filestore;
sid:1; rev:1;)
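A triage check for the file-store .meta records shown above, added here as an example and not code from the original post or from Suricata itself: it parses the record format as printed and flags extractions whose MAGIC falls outside an expected allowlist or whose HTTP metadata is `<unknown>`. The embedded sample record and the PDF-only allowlist are constructed assumptions mirroring the post.

```python
import re
from typing import Dict, List

# Constructed sample in the same layout as the .meta record in the post.
SAMPLE_META = """TIME:              08/16/2018-18:52:47.898829
PROTO:             6
SRC PORT:          80
DST PORT:          51680
APP PROTO:         http
HTTP URI:          <unknown>
HTTP HOST:         <unknown>
HTTP REFERER:      <unknown>
HTTP USER AGENT:   <unknown>
FILENAME:          /yellow/
MAGIC:             HTML document, ASCII text, with CRLF line terminators
STATE:             CLOSED
SIZE:              4958
"""

# Assumption: only PDFs are meant to be stored, matching filemagic:"PDF".
WANTED_MAGIC_PREFIXES = ("PDF",)
HTTP_KEYS = ("HTTP URI", "HTTP HOST", "HTTP REFERER", "HTTP USER AGENT")


def parse_meta(text: str) -> Dict[str, str]:
    """Parse 'KEY:   value' lines of a .meta record into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z][A-Z ]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_meta(fields: Dict[str, str]) -> List[str]:
    """Return reasons the extraction looks wrong; an empty list means OK."""
    problems: List[str] = []
    magic = fields.get("MAGIC", "")
    if not magic.startswith(WANTED_MAGIC_PREFIXES):
        problems.append(f"magic not in allowlist: {magic!r}")
    unknown = [k for k in HTTP_KEYS if fields.get(k) == "<unknown>"]
    if unknown:
        problems.append("missing HTTP metadata: " + ", ".join(unknown))
    return problems


if __name__ == "__main__":
    for p in audit_meta(parse_meta(SAMPLE_META)):
        print("suspect extraction:", p)
```

Run it over every `*.meta` file in the file-store directory to list extractions that should not have been stored.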

