Suricata has supported file extraction from HTTP traffic since version 1.3 and from SMTP traffic since version 2.0. With it, Suricata writes files carried in Web or mail traffic to disk, so that they can be handed to a sandbox or multiscanner for analysis.
To enable file extraction, follow the steps below:
In the test.rule file, create or modify a rule and add the filestore option (the rule below alerts on any HTTP transaction that contains the string "Alarm", case-insensitively, and stores the file carried by that transaction):
    alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; filestore; sid:1; rev:1;)
Verify that the stream engine option stream.reassembly.depth in suricata.yaml (default 1 MB) is large enough. Suricata stops reassembling a TCP session at that depth, so a file larger than the limit is stored incomplete (STATE: TRUNCATED in the metadata). Increase the value for files larger than 1 MB, or set it to 0 for no limit. For HTTP the libhtp request-body-limit and response-body-limit in the same file cap the inspected body in the same way and should be set to 0 as well.
Verify that the NIC offloads rx, tx, sg, tso, gso, rxvlan, txvlan, gro and lro are turned off on the capture interface. Segmentation and receive offloads hand Suricata merged or oversized packets that do not match what was on the wire, which breaks stream reassembly and therefore file extraction. ethtool -k shows the current state (ethtool -K eth0 <feature> off changes it):
    ethtool -k eth0
Start Suricata or, if it is already running, reload the active ruleset by sending SIGUSR2 to the process. In Suricata 2.x the live rule reload must first be enabled with rule-reload: true in the detect-engine section of suricata.yaml:
    kill -USR2 <suricata pid>
From the IDPS VM, download the test file (a text file containing the word Alarm) so that the transfer crosses the interface Suricata monitors:
    wget http://<web server IP>:8080/test
Go to the directory with the extracted files (the log-dir of the file-store output, relative to /var/log/suricata). The file.N and file.N.meta layout is the original file-store format; Suricata 4.1 introduced a hash-named v2 layout that records the metadata in EVE fileinfo events instead of .meta files:
    cd /var/log/suricata/files
Check that file.1 (files are numbered in the order Suricata stores them, so file.1 is the first one) has the same content as the downloaded test file:
    sudo cat file.1
Example of system output:
Alarm
Open file.1.meta to see the file's metadata. STATE: CLOSED means Suricata saw the complete file; TRUNCATED means storage stopped at one of the size limits above. The MAGIC and MD5 lines are only present when the file-store output is configured to compute them (force-magic and force-md5), or when a rule uses filemagic or filemd5:
    sudo cat file.1.meta
Example of system output:
TIME: 05/12/2016-18:02:58.514611
SRC IP: 10.20.0.2
DST IP: 10.20.0.8
PROTO: 6
SRC PORT: 8080
DST PORT: 41632
APP PROTO: http
HTTP URI: /test
HTTP HOST: 10.20.0.2
HTTP REFERER: <unknown>
HTTP USER AGENT: Wget/1.15 (linux-gnu)
FILENAME: /test
MAGIC: ASCII text
STATE: CLOSED
MD5: cb545549b596e5235285364023d07146
SIZE: 6
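The steps above rely on several suricata.yaml settings that are easy to miss. The fragment below is an added example, not configuration from the original page or the Suricata project, using the key layout of the Suricata 2.x suricata.yaml. The file-store output must be enabled, otherwise a rule with filestore alerts but stores nothing; the stream depth and the libhtp body limits both cap how much of a transfer Suricata inspects; force-magic and force-md5 produce the MAGIC and MD5 lines in file.N.meta; and rule-reload enables the USR2 live reload. The rule path and rule file name are assumptions.

```yaml
# suricata.yaml fragment for file extraction (Suricata 2.x key layout).
# Added example; rule path and file name are assumptions.
outputs:
  - file-store:
      enabled: yes        # default is "no": with it off, filestore rules alert but store nothing
      log-dir: files      # relative to default-log-dir, i.e. /var/log/suricata/files
      force-magic: yes    # compute the libmagic type of every stored file (MAGIC: line in .meta)
      force-md5: yes      # compute the MD5 of every stored file (MD5: line in .meta)

stream:
  reassembly:
    depth: 0              # default 1mb; 0 = reassemble the whole session, so large files are not cut

app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          request-body-limit: 0     # default caps the inspected body; 0 = inspect the full body
          response-body-limit: 0    # same for downloads (server -> client)

detect-engine:
  - rule-reload: true     # Suricata 2.x: required for "kill -USR2 <pid>" to reload rules live

default-rule-path: /etc/suricata/rules
rule-files:
  - test.rule             # the rule file edited in the first step
```

After changing these settings restart Suricata; the USR2 signal reloads rules only, not the YAML configuration.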
More rules to detect and extract Windows and Linux executables over HTTP are below. file_data restricts the match to the HTTP response body and depth anchors the magic bytes to the start of the file, so HTTP headers or a later occurrence of "ELF" or "MZ" in the stream do not trigger; fileext matches on the file name extension instead of the content:
    alert http any any -> any any (msg:"==ELF file=="; file_data; content:"|7F|ELF"; depth:4; classtype:policy-violation; filestore; sid:3; rev:1;)
    alert http any any -> any any (msg:"==PE file=="; file_data; content:"MZ"; depth:2; classtype:policy-violation; filestore; sid:4; rev:1;)
    alert http any any -> any any (msg:"==EXE file=="; fileext:"exe"; classtype:policy-violation; filestore; sid:14; rev:1;)
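Before handing extracted files to a sandbox or multiscanner, as the introduction suggests, it is worth checking each file.N against its file.N.meta: a STATE other than CLOSED means Suricata stopped storing before the end of the file (for example because stream.reassembly.depth or the HTTP body limits were hit), and a recomputed MD5 or size that disagrees with the .meta lines means the file on disk is not what the metadata says. The script below is an added example, not code from the page or from the Suricata project. It parses the KEY: VALUE format of the .meta files shown above and, so that it runs offline, builds a constructed sample store containing the page's file.1 plus a second, truncated file; the sample data and the /payload.exe name are constructed.

```python
"""Verify Suricata file-store output (file.N + file.N.meta) before forwarding it.

Added example, not from the page or the Suricata project. It parses the
KEY: VALUE lines of the .meta files, recomputes MD5 and size of each extracted
file and flags files whose STATE is not CLOSED or whose hash/size disagree with
the metadata. The store built by build_sample_store() is constructed data.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_meta(text):
    """Parse 'KEY: VALUE' lines; split on the first colon only so URIs keep theirs."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def verify_extracted(files_dir):
    """Return one record per file.N in files_dir, in numeric order."""
    results = []
    metas = sorted(Path(files_dir).glob("file.*.meta"),
                   key=lambda p: int(p.name.split(".")[1]))
    for meta_path in metas:
        data_path = meta_path.with_suffix("")      # file.1.meta -> file.1
        meta = parse_meta(meta_path.read_text())
        blob = data_path.read_bytes() if data_path.exists() else b""
        md5 = hashlib.md5(blob).hexdigest()
        problems = []
        state = meta.get("STATE", "UNKNOWN")
        if state != "CLOSED":
            problems.append("state %s: truncated or not fully seen" % state)
        if "MD5" in meta and meta["MD5"].lower() != md5:
            problems.append("md5 mismatch")
        if "SIZE" in meta and int(meta["SIZE"]) != len(blob):
            problems.append("size mismatch")
        results.append({
            "file": data_path.name,
            "uri": meta.get("HTTP URI"),
            "src": meta.get("SRC IP"),
            "dst": meta.get("DST IP"),
            "md5": md5,
            "size": len(blob),
            "ok": not problems,
            "problems": problems,
        })
    return results


def build_sample_store(root):
    """Constructed sample: the page's file.1 plus a truncated second file."""
    d = Path(root) / "files"
    d.mkdir()
    good = b"Alarm\n"
    (d / "file.1").write_bytes(good)
    (d / "file.1.meta").write_text(
        "TIME: 05/12/2016-18:02:58.514611\n"
        "SRC IP: 10.20.0.2\nDST IP: 10.20.0.8\nPROTO: 6\n"
        "SRC PORT: 8080\nDST PORT: 41632\nAPP PROTO: http\n"
        "HTTP URI: /test\nHTTP HOST: 10.20.0.2\nHTTP REFERER: <unknown>\n"
        "HTTP USER AGENT: Wget/1.15 (linux-gnu)\nFILENAME: /test\n"
        "MAGIC: ASCII text\nSTATE: CLOSED\n"
        "MD5: %s\nSIZE: %d\n" % (hashlib.md5(good).hexdigest(), len(good)))
    # A download cut off by the reassembly depth / body limit: Suricata logs
    # STATE: TRUNCATED and only the bytes it saw are on disk (constructed).
    (d / "file.2").write_bytes(b"MZ\x90\x00")
    (d / "file.2.meta").write_text(
        "APP PROTO: http\nHTTP URI: /payload.exe\nFILENAME: /payload.exe\n"
        "STATE: TRUNCATED\nSIZE: 4\n")
    return d


def demo():
    """Build the sample store in a temp dir, verify it and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        return verify_extracted(build_sample_store(tmp))


if __name__ == "__main__":
    for rec in demo():
        print("%-7s ok=%-5s %s %s" % (rec["file"], rec["ok"], rec["md5"], rec["problems"]))
```

Run verify_extracted("/var/log/suricata/files") on a real store and submit only the records with ok set; the others are either incomplete downloads or files whose metadata no longer matches the bytes on disk, and a sandbox verdict on them would be misleading.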
See also