Suricata file extraction

LazaroCruz · March 22, 2020, 2:13am

Hi, I need to use the Suricata file extraction functionality but specifically the files with extension (.exe), is this possible.

I have tried using the following rule, but it ends up downloading any extension even with all the rules disabled:

alert http any any -> any any (msg:“File stored”; fileext:“exe”; filestore; sid:1; rev:1;)

Jeff_Lucovsky · March 22, 2020, 4:16pm

Hi,

Make sure that file extraction is configured.

In suricata.yaml, ensure that enabled: yes – here’s a snippet
(this enables the current file store version).

 - file-store:
      version: 2
      enabled: yes

LazaroCruz · March 22, 2020, 5:59pm

I have added: (version: 2) and the same thing keeps happening, all kinds of files are downloaded

vjulien · March 22, 2020, 6:26pm

Can you post the entire suricata.yaml or at least the full - file-store: block?

Jeff_Lucovsky · March 22, 2020, 6:57pm

Make sure that you don’t have force-filestore set to yes. If you do, that will store every file – not just the one in the rule. You should see force-filestore: no in the - file-store section.

LazaroCruz · March 22, 2020, 9:03pm

It was that, I thought “force-filestore” was to retry extraction in case of failure, and ended up enabling it without knowing. Thanks for everything Jeff_Lucovsky and vjulien !!!

Topic		Replies	Views
Running Suricata default in Windows Rules	3	424	May 24, 2023
Question about suricata-update Help suricata-update	4	404	March 15, 2021
Error filemd5 file xxxx was not found Rules file-extraction	4	587	August 5, 2021
Suricata-Update - Use Only Local Rules Rules	2	1388	July 8, 2020
Suricata and Python intergrate Help	3	1050	April 11, 2021

Suricata file extraction

Related Topics