Suricata file extraction

LazaroCruz · March 22, 2020, 2:13am

Hi, I need to use the Suricata file extraction functionality but specifically the files with extension (.exe), is this possible.

I have tried using the following rule, but it ends up downloading any extension even with all the rules disabled:

alert http any any -> any any (msg:“File stored”; fileext:“exe”; filestore; sid:1; rev:1;)

Jeff_Lucovsky · March 22, 2020, 4:16pm

Hi,

Make sure that file extraction is configured.

In suricata.yaml, ensure that enabled: yes – here’s a snippet
(this enables the current file store version).

 - file-store:
      version: 2
      enabled: yes

LazaroCruz · March 22, 2020, 5:59pm

I have added: (version: 2) and the same thing keeps happening, all kinds of files are downloaded

vjulien · March 22, 2020, 6:26pm

Can you post the entire suricata.yaml or at least the full - file-store: block?

Jeff_Lucovsky · March 22, 2020, 6:57pm

Make sure that you don’t have force-filestore set to yes. If you do, that will store every file – not just the one in the rule. You should see force-filestore: no in the - file-store section.

LazaroCruz · March 22, 2020, 9:03pm

It was that, I thought “force-filestore” was to retry extraction in case of failure, and ended up enabling it without knowing. Thanks for everything Jeff_Lucovsky and vjulien !!!

Topic		Replies	Views
Suricata 5.0.2 File Extraction Help file-extraction	10	2175	February 3, 2021
Suricata-4.1.2 ftp extraction Help file-extraction	14	1900	May 27, 2020
File-store creates empty files Help file-extraction	4	1354	July 1, 2020
Filestore module doesn't seem to work when using the -r XXX.pcap Help ips , file-extraction , suricata	5	802	January 3, 2022
File extraction on FTP, NFS protocol only works sometimes Help	15	1932	September 12, 2023

Suricata file extraction

Related topics