How to use filestore

liqingjia · May 27, 2020, 8:42am

Hello all,
I write rules this:
alert http any any -> any any (msg:“File stored”; filename:“baofeng.zip”; filestore; sid:111111114; rev:1;)
I want to save file baofeng.zip
I find suricata save the baofeng.zip by log,but state is truncated and size is less and sha256 is bad.
It likely a part of file,so state is truncated.
If this,how can i save the file content?

liqingjia · May 27, 2020, 8:43am

syoc · May 27, 2020, 9:04am

Are you using file-store v2?
Sounds like you might be hitting stream depth settings.
See https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#settings
Try setting stream-depth: 0 in the file-store section of suricata.yaml

liqingjia · May 27, 2020, 9:19am

I add stream-depth: 0
And the size is right,the sha256 is right.
The state is closed.Thank you.

Topic		Replies	Views
File store of suricata Help	12	1124	December 12, 2023
Suricata 5.0.2 File Extraction Help file-extraction	10	2173	February 3, 2021
File-store creates empty files Help file-extraction	4	1351	July 1, 2020
Filestore module doesn't seem to work when using the -r XXX.pcap Help ips , file-extraction , suricata	5	802	January 3, 2022
Detect against sha256 hashes Help rules , suricata	9	454	October 31, 2023

How to use filestore

Related topics