[Oisf-users] Problem in storing SMTP Mails

Francis Trudeau trudeauf at gmail.com
Fri Feb 21 19:28:19 UTC 2020


What is in your files.rules?  Did you reference it in the yaml rule-files
section?

I just tested with an EICAR SMTP pcap and it stored the file for me on 5.0.1
here.  Here's my files.rules:

alert tcp any any -> any any (msg:"FILE store all"; filestore;
flowbits:noalert; sid:1; rev:1;)

On Fri, Feb 21, 2020 at 1:53 AM praveen gupta <gsf_410 at rediffmail.com>
wrote:

> Hi Guys,
>
> I want to store the mail being sent by thunderbird over smtp.
> I have modified suricata-5.0.2/build/etc/suricata/suricata.yaml file by
> enabling filestore and setting filestore dir. Have also enabled smtp.
> Created the files.rules file. And provided the path to magic-file.
>
> Have configured iptables as:
>
> iptables -t mangle -F
> iptables -t nat -F PREROUTING
> iptables -F
> iptables -A INPUT -j NFQUEUE --queue-num 12
> iptables -A OUTPUT -j NFQUEUE --queue-num 12
>
> To start suricata I am doing `./build/bin/suricata -q 12`
>
> The mentioned files can be found here:
> suricata-5.0.2/build/etc/suricata/suricata.yaml ->
> https://paste.debian.net/1131243/
> suricata-5.0.2/build/var/lib/suricata/rules/files.rules ->
> https://paste.debian.net/1131244/
>
> I am getting alerts about the SMTP transfer in fast.log but the email is
> not getting stored. What am I missing here?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
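For reference, the three parts of a 5.0.x suricata.yaml that have to agree before an SMTP attachment ends up on disk, collected here as an added example (this is not either poster's configuration and not the project's shipped suricata.yaml; the rule path, the filestore directory and the eve.json settings are assumptions to be adjusted to your build):

```yaml
# Added example (not from the thread): the settings that must all be in
# place for SMTP file extraction in Suricata 5.0.x. Paths are placeholders.

# 1. Load the file-storing rule. default-rule-path + rule-files must point
#    at the files.rules you actually wrote (absolute path assumed here).
default-rule-path: /path/to/suricata-5.0.2/build/var/lib/suricata/rules
rule-files:
  - files.rules

# 2. The SMTP parser extracts files from decoded MIME entities, so the
#    MIME decoder has to stay enabled (these are the 5.0 defaults).
app-layer:
  protocols:
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no

# 3. The file-store output (version 2 in 5.0) must be enabled.
#    stream-depth: 0 removes the stream reassembly depth limit for files,
#    so attachments larger than stream.reassembly.depth are not truncated.
#    The eve fileinfo records show whether each file was actually stored.
outputs:
  - file-store:
      version: 2
      enabled: yes
      dir: /var/log/suricata/filestore
      force-filestore: no
      stream-depth: 0
      write-fileinfo: yes
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - smtp:
            extended: yes
        - files:
            force-magic: yes
```

The files.rules referenced in step 1 holds the single `filestore` rule quoted above. Two checks are worth doing before touching iptables again: `suricata -T -c suricata.yaml` validates the configuration and reports whether files.rules was found and loaded, and `suricata -c suricata.yaml -r capture.pcap` replays a pcap of the Thunderbird session without NFQUEUE, which separates rule and output problems from inline-mode problems. One general caveat: Suricata can only decode the MIME body if the SMTP session stays in plaintext; a client that negotiates STARTTLS (or uses SMTPS on 465) leaves nothing for the parser to extract after the handshake, even though the SMTP commands before it may still trigger alerts.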