1. Home
  2. MCP Security Best Practices
  3. Use cases
  4. IDPS Suricata deployment as a VNF on OpenStack with OpenContrail
  5. Enable file extraction

Enable file extraction

Enable file extraction

The file extraction feature has been included in Suricata since the version 2.0. The feature enables file extraction from HTTP and SMTP traffic. You can take advantage of this feature when you want to analyze incoming files from Web or mail traffic in a sandbox or multiscanner.

To enable file extraction feature, follow the steps below:

  1. In the test.rule file, create or modify a rule to add the filestore option:

    alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase;
classtype:policy-violation; filestore ; sid:1; rev:1;)

  2. Verify that you have a proper value for the stream engine option stream.reassembly.depth (default 1 Mb) in suricata.yaml. Increase the value for files greater than 1Mb or set to 0 for no limit.

  3. Verify that you turned off the offloads rx, tx, sg, tso, gso, rxvlan, txvlan, gro, lro:

    ethtool -k eth0

  4. Start Suricata or reload the active ruleset:

    kill -USR2 <suricata pid>

  5. Download the test text file containing the word Alarm inside on the IDPS VM:

    wget http://<web server IP>:8080/test

  6. Go to the folder with extracted files:

    cd /var/log/suricata/files

  7. View the file.1 content if it equals to the downloaded test file:

    sudo cat file.1

    Example of system output:

    Alarm

  8. Open file.1.meta to see the file’s metadata:

    sudo cat file.1.meta

    Example of system output:

    TIME: 05/12/2016-18:02:58.514611
SRC IP: 10.20.0.2
DST IP: 10.20.0.8
PROTO: 6
SRC PORT: 8080
DST PORT: 41632
APP PROTO: http
HTTP URI: /test
HTTP HOST: 10.20.0.2
HTTP REFERER: <unknown>
HTTP USER AGENT: Wget/1.15 (linux-gnu)
FILENAME: /test
MAGIC: ASCII text
STATE: CLOSED
MD5: cb545549b596e5235285364023d07146
SIZE: 6

  9. More rules to detect and extract Windows and Linux executables are below:

    alert http any any -> any any (msg:"==ELF file=="; content:"ELF"; distance:0;
classtype:policy-violation; filestore;sid:3; rev:1;)

alert http any any -> any any (msg:"==PE file=="; content:"|0D 0A 0D 0A|MZ";
distance:0; classtype:policy-violation; filestore;sid:4; rev:1;)

alert http any any -> any any (msg:"==EXE file=="; fileext:"exe";
classtype:policy-violation; filestore;sid:14; rev:1;)

See also

updated: 2024-01-04 11:46