Suricata-4.1.2 ftp extraction

Hello. I have a question about Suricata 4.1.2 FTP extraction.
My signature example: `alert ftp-data any any -> any any (msg:"FTP store password"; filestore; sid:3; rev:1;)`
suricata.yaml

```yaml
file-store:
  version: 2
  enabled: yes
  force-filestore: yes
```

Now, for the HTTP protocol all files are extracted.
I tried FTP RETR and STOR, but the result is always empty.
Please help me.

Everybody wake up. :rofl:

I would suggest repeating the test with a supported version, so 4.1.8 or 5.0.3.

Thanks for your suggestion. I tried 4.1.8, and no file was extracted. I guess it's a compilation problem.
config.log (144.4 KB)
Is this compilation missing something?

I’m a bit confused. Is compilation failing? Can you post your configure line and its output to the screen?

Thank you.
No, compilation didn't fail. I think maybe when running ./configure I omitted some variables.
session.log (25.6 KB)

I don't understand what you're asking. Can you explain again what it is you need help with?

Please forgive my bad English. I want to use Suricata to extract files for the FTP protocol, but I couldn't capture anything. I want to determine the cause of the problem.

I read the official documentation to configure suricata.yaml.

https://suricata.readthedocs.io/en/suricata-4.1.2/rules/ftp-keywords.html

https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/suricata-yaml.html#file-store-file-extraction

I used Suricata 4.1.8 with the same configuration, but it didn't capture files.
So I don't know how to diagnose the problem.

Can you share a pcap file that demonstrates the problem?

Do you know if it’s active or passive FTP?

134_ftp_active.pcap (18.0 KB) 134_ftp_passive.pcap (5.7 KB)

Thank you very much. I checked it and found that I use FTP active mode by default.
I tried passive mode after your tip, and I captured those FTP files. :grin:
But why couldn't I extract files with active FTP?

FTP active mode is fully supported in 5.0.x (5.0.3 is the latest).
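The difference between the two pcaps above comes down to who opens the data connection and how its endpoint is announced on the control channel. In passive mode the client sends `PASV` and the server answers with a `227` reply carrying the address and port the client should connect to; in active mode the client announces its own listening address in a `PORT` command and the server connects back to it. A sensor can only tag the resulting TCP stream as `ftp-data` (and so trigger a `filestore` rule on it) if it has extracted that endpoint from the right message. The script below is an added example, not code from the thread or from Suricata: it walks a constructed control-channel exchange (both sides' messages, hypothetical addresses) and reports, for each RETR/STOR, the data-channel endpoint and which side initiates it. The `h1,h2,h3,h4,p1,p2` encoding and the `port = p1*256 + p2` rule are the ones defined for `PORT` and `227` in RFC 959.

```python
"""Added example: derive FTP data-channel endpoints from the control channel.

Not part of the original forum thread or of Suricata. The sample exchange
and all addresses below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 959 host/port encoding used by both PORT (client->server) and the
# 227 reply to PASV (server->client): h1,h2,h3,h4,p1,p2 with port = p1*256+p2.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataChannel:
    mode: str        # "active" (PORT) or "passive" (PASV/227)
    host: str        # address the data connection is made to
    port: int        # TCP port the data connection is made to
    initiator: str   # "server" in active mode, "client" in passive mode
    command: str     # the transfer command that used this channel (RETR/STOR/...)


def parse_host_port(text: str) -> Optional[Tuple[str, int]]:
    """Extract (host, port) from a PORT argument or a 227 reply; None if absent."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_control(lines: Iterable[Tuple[str, str]]) -> List[DataChannel]:
    """Walk a control-channel exchange given as ("C"|"S", line) tuples.

    A data channel is recorded when a transfer command (RETR/STOR/LIST/NLST)
    follows a PORT command or a completed PASV/227 exchange.
    """
    channels: List[DataChannel] = []
    pending: Optional[DataChannel] = None  # endpoint announced, transfer not yet issued

    for side, line in lines:
        if side == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb == "PORT":
                hp = parse_host_port(arg)
                if hp:
                    # Client listens; the server will connect back to hp.
                    pending = DataChannel("active", hp[0], hp[1], "server", "")
            elif verb == "PASV":
                # Endpoint is unknown until the server's 227 reply arrives.
                pending = DataChannel("passive", "", 0, "client", "")
            elif verb in ("RETR", "STOR", "LIST", "NLST") and pending and pending.port:
                pending.command = verb
                channels.append(pending)
                pending = None
        else:
            code = line[:3]
            if code == "227" and pending and pending.mode == "passive":
                hp = parse_host_port(line)
                if hp:
                    # Server listens; the client will connect to hp.
                    pending = DataChannel("passive", hp[0], hp[1], "client", "")
    return channels


# Constructed exchange: one active-mode STOR followed by one passive-mode RETR.
SAMPLE_EXCHANGE = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS hunter2"),
    ("S", "230 Login successful."),
    ("C", "TYPE I"),
    ("S", "200 Switching to Binary mode."),
    ("C", "PORT 192,168,1,10,195,80"),
    ("S", "200 PORT command successful. Consider using PASV."),
    ("C", "STOR secrets.txt"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,1,20,39,22)."),
    ("C", "RETR report.pdf"),
    ("S", "150 Opening BINARY mode data connection for report.pdf (1024 bytes)."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]


def summarize(lines: Iterable[Tuple[str, str]]) -> List[str]:
    """Human-readable one-liner per data channel, e.g. for checking a pcap by hand."""
    return [
        f"{ch.command}: {ch.mode} mode, {ch.initiator} connects to {ch.host}:{ch.port}"
        for ch in parse_ftp_control(lines)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EXCHANGE):
        print(line)
```

Running it on the constructed exchange lists the STOR as an active-mode channel that the server opens to 192.168.1.10:50000 and the RETR as a passive-mode channel that the client opens to 192.168.1.20:10006. Compared against the two pcaps, this is the check to do when a `filestore` rule on `ftp-data` stays silent: if the data stream seen on the wire is the one announced by a `PORT` command, the sensor needs active-mode support to associate it with the control session.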

Could I assume that 4.1.8 supported active FTP?
If I use 5.0.3, I have to rewrite too much source code,
because I developed some industrial control protocol parsers in 4.1.2. :flushed:

It will also be required as soon as 4.1.x is EOL. So we highly recommend that you update it to the current master code base, and ideally in Rust. We would welcome new protocol additions, especially from that area, since we see more and more people asking for those.

Thanks. I will try 5.0.3.