Is there a easy way to check double file extension?

Black5ugar · April 11, 2022, 7:13am

hello, I want to check the attachment in the mail whether have the double file extension，
like jpg.exe pdf.exe …
I wrote rules like below,

alert smtp any any -> any any(msg:"double file extension detected"; fileext:"aaa|2e|exe";classtype:misc-attack;sid:1; rev:1)
alert smtp any any -> any any(msg:"double file extension detected"; fileext:"bbb|2e|exe";classtype:misc-attack;sid:2; rev:1)
alert smtp any any -> any any(msg:"double file extension detected"; fileext:"ccc|2e|exe";classtype:misc-attack;sid:3; rev:1)

Obviously, it’s troublesome.
Is there a easy way to implement it？

Philippe_Antoine · April 15, 2022, 11:47am

Do you want only one rule ?
Then maybe you should have a pcre on the file extension ?

satta · April 19, 2022, 9:58pm

Hmm, but AFAICS fileext is not a buffer, so pcre won’t work I guess? Looks like it wants a fixed string to match.

Philippe_Antoine · April 22, 2022, 8:22pm

So file.name should be used

satta · April 26, 2022, 8:24am

Duh, of course My bad. Couldn’t find that in the documentation: 6.14. File Keywords — Suricata 7.0.0-dev documentation

I guess one could then indeed to something like

alert smtp any any -> any any (msg:"test"; flow:to_client; file.name; content:"|2e|exe"; endswith; fast_pattern; file.name; pcre:"/(aaa|bbb)\.exe$/i"; sid: 42;)

Topic		Replies	Views
SMTP - extension based file extraction issue Help	1	337	November 17, 2022
Rule payload content keywording Rules	1	971	May 12, 2020
No stored file in filestore Help	3	784	February 28, 2022
How to detect POP3 & IMAP? Help	4	2504	August 29, 2021
Some error ET Trojan rules Rules suricata	2	573	April 11, 2023

Is there a easy way to check double file extension?

Related Topics