fancypig
(fancypig)
December 23, 2021, 11:08am
1
My pcap includes some operations captured by Wireshark, such as uploading png, jpeg and zip files.
Now I use the following command and try to extract the file from pcap.
suricata -c /etc/suricata/suricata.yaml -r /home/ubuntu/suricata-all/test.pcap
I’m sure that the suricata.yaml has enabled the filestore module.
- file-store:
version: 2
enabled: yes
Even though I forced the system to store all the files using the following configuration
force-filestore: no
It doesn’t work.
Alerts 0
No Json file in filestore
And I used the following command to search the json files in the log
find -name '*.json'
Or search the specific suffix, such as the mp3 data
find -name '*.json' |xargs grep -l 'mp3'
This is the relevant information about my suricata.
If you can help solve this problem, it’ll be highly appreciated.
Even though I forced the system to store all the files using the following configuration
force-filestore: no
Is this the setting you used – I would’ve expected force-filestore: yes
Can you attach your pcap file to your response instead of through a link?
fancypig
(fancypig)
December 23, 2021, 2:13pm
3
I was wondering if Suricata can extract the files I’ve uploaded through the ftp-data protocol.
I opened the wireshark when I was uploading these files.
So the question is: if I upload the test.pcap and try to use the following command, can these files be parsed and restored to the original files?
suricata -c /etc/suricata/suricata.yaml -r /home/ubuntu/suricata-all/test.pcap
I’m sure that I’ve written the relevant rules.
For example
The jpg files:
alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:2021122003; rev:1;)
The files via ftp-data
alert ftp-data any any -> any any (msg:"File Found over FTP and stored"; filestore; sid:7; rev:1;)
However, it doesn’t seem to restore the original file using the command suricata -c /etc/suricata/suricata.yaml -r /home/ubuntu/suricata-all/test.pcap
I can confirm that it doesn’t trigger but it also doesn’t show any ftp stats at all. I didn’t do a deep dive in the pcap but can you recreate the pcap and ensure that you also capture the initial ftp connection?
With your pcap and the ETOpen rules, 2 files are extracted – a json file and an html 502 error.
Note that files are extracted into the filestore directory using the logging path. The file names of extracted files are their hashes.
$ suricata -c suricata.yaml -l /tmp/ll -r ~/ftp-test.pcap
$ find /tmp/ll/filestore -type f
/tmp/ll/filestore/eb/ebcfd77c35603861ad9beb58ce48f966588832b8f7239142b84d3c2e290f09e1
/tmp/ll/filestore/b7/b7e550fed9a44efef548b150b6ee31326d58818688e3ad5e9ff51ae51b57938c
Note that
File store version 2 is enabled
Force-filestore is enabled
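To check what file-store v2 actually wrote, here is an added Python example (not from this thread or the Suricata project) that builds a constructed filestore tree in a temp directory, verifies that each stored file hashes to its own name under the matching two-character prefix directory, and pairs those hashes with the original file names from eve.json fileinfo events; the eve.json record layout (event_type "fileinfo" with sha256, filename and stored fields) is assumed from Suricata's EVE output and is not shown in the thread.

```python
import hashlib
import json
import os
import tempfile

SAMPLE_CONTENT = b"\x89PNG\r\n\x1a\n constructed sample payload"  # constructed

def build_sample_filestore() -> str:
    """Build a temp log dir laid out like file-store v2: filestore/<2 hex>/<sha256>."""
    root = tempfile.mkdtemp(prefix="suri-")
    digest = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
    good_dir = os.path.join(root, "filestore", digest[:2])
    os.makedirs(good_dir, exist_ok=True)
    with open(os.path.join(good_dir, digest), "wb") as f:
        f.write(SAMPLE_CONTENT)
    # A corrupted entry: named like a hash, but not the hash of its content.
    bad_dir = os.path.join(root, "filestore", "00")
    os.makedirs(bad_dir, exist_ok=True)
    with open(os.path.join(bad_dir, "00" * 32), "wb") as f:
        f.write(b"content that does not match the name")
    # One eve.json fileinfo event (layout assumed from Suricata's EVE output).
    event = {"event_type": "fileinfo", "fileinfo": {
        "filename": "upload.png", "sha256": digest, "stored": True}}
    with open(os.path.join(root, "eve.json"), "w") as f:
        f.write(json.dumps(event) + "\n")
    return root

def verify_filestore(root: str) -> dict:
    """Map stored file name -> True if content hashes to the name under the right prefix."""
    results = {}
    store = os.path.join(root, "filestore")
    for prefix in os.listdir(store):
        for name in os.listdir(os.path.join(store, prefix)):
            with open(os.path.join(store, prefix, name), "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
            results[name] = actual == name and name.startswith(prefix)
    return results

def stored_filenames(root: str) -> dict:
    """Map sha256 -> original file name from eve.json fileinfo events with stored=true."""
    names = {}
    with open(os.path.join(root, "eve.json")) as f:
        for line in f:
            ev = json.loads(line)
            info = ev.get("fileinfo", {})
            if ev.get("event_type") == "fileinfo" and info.get("stored"):
                names[info["sha256"]] = info["filename"]
    return names
```

Call build_sample_filestore() and pass the returned path to the other two functions; the corrupted entry comes back False from verify_filestore, while the genuine file verifies and maps to "upload.png".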
fancypig
(fancypig)
January 3, 2022, 3:06pm
6
Jeff_Lucovsky:
File store version 2 is enabled
Force-filestore is enabled
Thank you so much~ I’ve tried to update to 6.0.4 to get rid of the unknown problems (maybe the historic legacy).