[Oisf-users] Magic/ File extraction

Peter Manev petermanev at gmail.com
Fri Sep 7 13:19:47 UTC 2018

On Thu, Sep 6, 2018 at 8:28 PM Carl Rotenan <carlrotenan at gmail.com> wrote:
> Hello,
> I have thousands of examples of file extraction failing because of what appears to be unknown information across both the latest stable and beta releases.
> In the example below, the HTTP URI, HOST, REFERER, and USER AGENT are unknown and this seems to trigger file extraction even though in the rule I have specified only to extract PDF files.
> Anyone have any thoughts on fixing this? My goal is to only collect 20 or so filetypes for extraction and not have to recheck to see if the file was extracted in error.
> [root at localhost files]# cat file.1048.meta
> TIME:              08/16/2018-18:52:47.898829
> SRC IP:  
> DST IP:  
> PROTO:             6
> SRC PORT:          80
> DST PORT:          51680
> APP PROTO:         http
> HTTP URI:          <unknown>
> HTTP HOST:         <unknown>
> HTTP REFERER:      <unknown>
> HTTP USER AGENT:   <unknown>
> FILENAME:          /yellow/
> MAGIC:             HTML document, ASCII text, with CRLF line terminators
> STATE:             CLOSED
> SIZE:              4958
> [root at localhost files]# cat /etc/suricata/rules/foo.rules
> alert http any any -> any any (msg:"any file"; filemagic:"PDF"; filestore; sid:1; rev:1;)

Could you please open a bug report with a relevant pcap? (where it is
reproducible to store files with the provided rule only even though
they are not PDF)

Peter Manev
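A small audit script, added here as an example and not part of the thread or of Suricata itself, that parses file-store .meta records in the layout quoted above and lists stored files whose MAGIC field does not contain the filemagic pattern the rule intended, which is the recheck the poster wants to avoid doing by hand. The IP addresses in the embedded sample are constructed, and the directory of .meta files is an assumption.

```python
from pathlib import Path

# Constructed sample in the .meta layout quoted in the thread; IPs are made up.
SAMPLE_META = """TIME:              08/16/2018-18:52:47.898829
SRC IP:            192.0.2.10
DST IP:            192.0.2.20
PROTO:             6
SRC PORT:          80
DST PORT:          51680
APP PROTO:         http
HTTP URI:          <unknown>
HTTP HOST:         <unknown>
HTTP REFERER:      <unknown>
HTTP USER AGENT:   <unknown>
FILENAME:          /yellow/
MAGIC:             HTML document, ASCII text, with CRLF line terminators
STATE:             CLOSED
SIZE:              4958
"""

HTTP_FIELDS = ("HTTP URI", "HTTP HOST", "HTTP REFERER", "HTTP USER AGENT")

def parse_meta(text):
    """Turn the 'KEY: value' lines of one .meta record into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def magic_matches(fields, expected, nocase=False):
    """filemagic semantics: substring of the libmagic output, case-sensitive unless nocase."""
    magic = fields.get("MAGIC", "")
    return expected.lower() in magic.lower() if nocase else expected in magic

def http_context_unknown(fields):
    """True when every HTTP field is <unknown>, the pattern the thread reports."""
    return all(fields.get(k) == "<unknown>" for k in HTTP_FIELDS)

def audit_dir(directory, expected, nocase=False):
    """List (name, MAGIC, all-HTTP-unknown) for .meta files whose MAGIC lacks expected."""
    bad = []
    for meta in sorted(Path(directory).glob("*.meta")):
        fields = parse_meta(meta.read_text(errors="replace"))
        if not magic_matches(fields, expected, nocase):
            bad.append((meta.name, fields.get("MAGIC", ""), http_context_unknown(fields)))
    return bad
```

Run `audit_dir("/var/log/suricata/files", "PDF")` (path assumed) against a file-store directory; each mismatch carries its MAGIC string and whether all HTTP fields were unknown, which is the data a bug report for this behaviour needs.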
