Hi,
I am currently using the latest stable version of Suricata with Ubuntu 18.04.
Is it possible to have some kind of alerting against file that are downloaded via web browser? Like, having a rule that uses a sha256 dataset and alert is any downloaded file has a corresponding sha256 malicious hash?
I read about filestore, but is it possible to do this without having to download any files?
Thanks!
You can use the 8.14. File Keywords — Suricata 7.0.3-dev documentation for that, for example the filesha256 and unless you enable filestore the files are not stored.
Ok, thanks for your reply.
I activated the “fileinfo” event log but when i download for example a pdf file, i cannot see any record of that in my suricata logs. Do i need to make any special config?
Thanks in advance
See 19. File Extraction — Suricata 7.0.3-dev documentation if you also enabled that in your logging output. The docs have an example for the EVE output.
I enabled fileinfo as the dcoumentation shows, but still cannot get any info when i download a pdf in the browser
Hard to tell without more details about your setup, how you run it, and so on.
Provide your suricata config, version, run command and log file examples at least.
I am running the latest Suricata version. here is the config file.
suricata.yaml (84.2 KB)
I am using AF-packet mode. I tested with a FTP server and after downloaded the file the “fileinfo” logging does not show anything related to the file that i downloaded although i can see other events like flows and FTP related to that interaction.
Even if i download a file via web browser through HTTP the results are the same.
Thanks
So you’re running 7.0.2?
Can you also post the stats.log and some eve.json examples?
Are there any fileinfo events at all?
Can you post the related http and flow events for the tests you did?
Right now i cannot send the stats.log. But i can send some examples of flows, ftp events and fileinfo events for the same source IP
I noticed that in regard the FTP event the “flow” type of logs are shown for the private and NAT/public address but the “FTP” type event only shows for the NAT/public address of the tested machine.
I think that a downloaded file through FTP should generate a log type “fileinfo” that shows that a file was downloaded but that does not happen.
FTP
{"timestamp":"2023-10-31T14:47:22.275229+0000","flow_id":1520613805559668,"in_iface":"enp2s0f1","event_type":"ftp","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"44.241.66.173","dest_port":21,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:yePni5ClwUx84075Q3q421ykBWI=","tx_id":22,"ftp":{"command":"RETR","command_data":"newfile.txt","command_truncated":false,"completion_code":["150","226"],"reply":["Opening BINARY mode data connection for newfile.txt (33 bytes).","Transfer complete."],"reply_received":"yes","reply_truncated":false}}
FLOW
{"timestamp":"2023-10-31T14:54:01.535926+0000","flow_id":1520613805559668,"in_iface":"enp2s0f1","event_type":"flow","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"44.241.66.173","dest_port":21,"proto":"TCP","app_proto":"ftp","app_proto_tc":"failed","flow":{"pkts_toserver":72,"pkts_toclient":66,"bytes_toserver":4743,"bytes_toclient":5477,"start":"2023-10-31T14:45:33.091901+0000","end":"2023-10-31T14:53:54.032360+0000","age":501,"state":"closed","reason":"timeout","alerted":false},"community_id":"1:yePni5ClwUx84075Q3q421ykBWI=","tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed","ts_max_regions":1,"tc_max_regions":1}}
Fileinfo example
{"timestamp":"2023-10-31T13:25:23.618577+0000","flow_id":953608882538264,"in_iface":"enp2s0f1","event_type":"fileinfo","vlan":[x],"src_ip":"x.x.x.x","src_port":10000,"dest_ip":"104.18.38.233","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:zcPiP8f2grng8RHRFSjdPjWoq5M=","http":{"hostname":"geant.ocsp.sectigo.com","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","http_content_type":"application/ocsp-response","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":727},"app_proto":"http","fileinfo":{"filename":"/","magic":"data","gaps":false,"state":"CLOSED","md5":"858baa8dbeb0699ca786499417e84b96","sha1":"38c3dd4110eb9d8e0f4494278921d7c53d5d9ccc","sha256":"4c7500dd7b72fe047b730105b1571ee8fa78aeba694cb11e67bc96e528caa73e","stored":false,"size":83,"tx_id":0}}
At least the fileinfo feature itself seems to work as you have events on that. Try to capture a pcap for a test, so we could investigate it.