Join long time contributor and developer Eric Leblond for some Suricata guru insights into file extraction.
The Suricata filestore keyword was introduced in 2011. It allows rule writers and practitioners to set up file extraction on a per-rule basis, complementing systematic file extraction that can be activated in the configuration file.
With this keyword, file extraction can be triggered on specific conditions using the full flexibility of the rule language, and extraction works across multiple application layers such as HTTP, HTTP2, NFS, SMB, FTP, SMTP …
Combined with the other file-matching keywords, such as filemagic, filename and fileext, filestore provides a powerful mechanism to limit disk storage to a selected subset of the files exchanged on the network, rather than storing everything that crosses the sensor.
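As an illustration of that per-rule selection, here is an added example rule set that is not part of the webinar announcement or of Suricata's own rule files. The sids, messages and the choice of file types are assumptions made for the example; the keyword syntax (filemagic, fileext, filestore with its direction and scope options) follows the Suricata rule language. It assumes that file-store is enabled in suricata.yaml with force-filestore left off, so that only these rule matches cause files to be written to disk.

```suricata
# Added example rules (not from the page or the Suricata project).
# Assumes suricata.yaml has:  file-store: { version: 2, enabled: yes, force-filestore: no }
# so extraction happens only when one of these rules matches.

# Store Windows executables served over HTTP, regardless of what the URL or
# Content-Type claims: filemagic inspects the file content with libmagic.
alert http any any -> $HOME_NET any (msg:"Store PE downloaded over HTTP"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; classtype:policy-violation; sid:1000001; rev:1;)

# Same match, but keep every file of the transaction in both directions
# (filestore:<direction>,<scope> with direction both and scope tx).
alert http any any -> any any (msg:"Store all files of an HTTP tx carrying a PE"; filemagic:"executable for MS Windows"; filestore:both,tx; sid:1000002; rev:1;)

# The same selection over SMB: executables written to or read from a share.
alert smb any any -> any any (msg:"Store PE transferred over SMB"; filemagic:"executable for MS Windows"; filestore; sid:1000003; rev:1;)

# Cheaper extension-based selection for mail attachments (no libmagic call).
alert smtp any any -> any any (msg:"Store macro-enabled Word attachments"; fileext:"docm"; filestore; sid:1000004; rev:1;)
```

Files stored by these rules land under the file-store directory named by their SHA-256, with the matching sid recorded in the fileinfo event, so the stored subset can be correlated back to the rule that selected it.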
While the user community has long suffered from the limitations of the original design, issues we identified over a decade ago, we can finally enjoy the benefits of the fix that addresses them.
The purpose of this webinar is to explain the filestore feature in detail and to describe the recent improvements that make it one of the most interesting new features of Suricata.
Save the date:
Jan 23, 2025
11:00 am EST / 17:00 CET
Register to attend via Zoom (Webinar Registration - Zoom).