Enable file extraction

The file extraction feature has been included in Suricata since version 2.0. It extracts files from HTTP and SMTP traffic, which is useful when you want to analyze files arriving over web or mail traffic in a sandbox or multiscanner.

To enable the file extraction feature, follow the steps below:

  1. In the test.rule file, create or modify a rule to add the filestore option:

    alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase;
    classtype:policy-violation; filestore; sid:1; rev:1;)
    
  2. Verify that the stream engine option stream.reassembly.depth in suricata.yaml (default 1 Mb) is large enough: increase the value for files greater than 1 Mb, or set it to 0 for no limit.

  3. Verify that you have turned off the offloads rx, tx, sg, tso, gso, rxvlan, txvlan, gro, lro:

    ethtool -k eth0
    
  4. Start Suricata or reload the active ruleset:

    kill -USR2 <suricata pid>
    
  5. On the IDPS VM, download the test text file that contains the word Alarm:

    wget http://<web server IP>:8080/test
    
  6. Go to the folder with extracted files:

    cd /var/log/suricata/files
    
  7. View the content of file.1 and check that it matches the downloaded test file:

    sudo cat file.1
    

    Example of system output:

    Alarm
    
  8. Open file.1.meta to see the file’s metadata:

    sudo cat file.1.meta
    

    Example of system output:

    TIME: 05/12/2016-18:02:58.514611
    SRC IP: 10.20.0.2
    DST IP: 10.20.0.8
    PROTO: 6
    SRC PORT: 8080
    DST PORT: 41632
    APP PROTO: http
    HTTP URI: /test
    HTTP HOST: 10.20.0.2
    HTTP REFERER: <unknown>
    HTTP USER AGENT: Wget/1.15 (linux-gnu)
    FILENAME: /test
    MAGIC: ASCII text
    STATE: CLOSED
    MD5: cb545549b596e5235285364023d07146
    SIZE: 6
    
  9. The following rules detect and extract Windows and Linux executables:

    alert http any any -> any any (msg:"==ELF file=="; content:"ELF"; distance:0;
    classtype:policy-violation; filestore; sid:3; rev:1;)
    
    alert http any any -> any any (msg:"==PE file=="; content:"|0D 0A 0D 0A|MZ";
    distance:0; classtype:policy-violation; filestore; sid:4; rev:1;)
    
    alert http any any -> any any (msg:"==EXE file=="; fileext:"exe";
    classtype:policy-violation; filestore; sid:14; rev:1;)
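As an added example (not part of the original page or of Suricata itself), the Python script below parses the file.N.meta record format shown in step 8 and checks that each extracted file under /var/log/suricata/files is complete (STATE CLOSED, SIZE and MD5 matching the bytes on disk) before it is handed to a sandbox or multiscanner; a file cut short by the stream.reassembly.depth limit from step 2 fails the check. The sample meta record and file content are constructed, modelled on the output above.

```python
import glob
import hashlib
import os

# Constructed sample modelled on the file.1 / file.1.meta output above (not a
# real capture); the MD5 and SIZE fields are derived from the sample bytes.
SAMPLE_FILE = b"Alarm\n"
SAMPLE_META = """TIME: 05/12/2016-18:02:58.514611
SRC IP: 10.20.0.2
APP PROTO: http
HTTP URI: /test
MAGIC: ASCII text
STATE: CLOSED
MD5: {md5}
SIZE: {size}
""".format(md5=hashlib.md5(SAMPLE_FILE).hexdigest(), size=len(SAMPLE_FILE))


def parse_meta(text):
    """Parse the 'KEY: value' lines of a file.N.meta record into a dict."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def check_extracted_file(meta_text, data):
    """Return the reasons an extracted file should not be trusted ([] means OK):
    STATE/SIZE problems usually point at stream.reassembly.depth, MD5 at tampering."""
    meta = parse_meta(meta_text)
    problems = []
    if meta.get("STATE") != "CLOSED":
        problems.append("STATE is %s, not CLOSED" % meta.get("STATE"))
    if meta.get("SIZE") != str(len(data)):
        problems.append("SIZE %s does not match %d bytes on disk" % (meta.get("SIZE"), len(data)))
    actual = hashlib.md5(data).hexdigest()
    if meta.get("MD5", "").lower() != actual:
        problems.append("MD5 %s does not match %s" % (meta.get("MD5"), actual))
    return problems


def audit_directory(path="/var/log/suricata/files"):
    """Pair each file.N with its file.N.meta under path; map file -> problems."""
    report = {}
    for meta_path in glob.glob(os.path.join(path, "file.*.meta")):
        data_path = meta_path[:-len(".meta")]  # file.N.meta -> file.N
        with open(meta_path) as m, open(data_path, "rb") as f:
            report[data_path] = check_extracted_file(m.read(), f.read())
    return report
```

Run audit_directory() on the sensor after step 8; only files whose problem list is empty should be forwarded for analysis.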