https://inliniac.net/blog/tag/file-extraction/ Recent content in File-Extraction on Inliniac Hugo en Tue, 11 Nov 2014 10:47:42 +0000 https://inliniac.net/blog/2014/11/11/smtp-file-extraction-in-suricata/ Tue, 11 Nov 2014 10:47:42 +0000 https://inliniac.net/blog/2014/11/11/smtp-file-extraction-in-suricata/ <p>In <a href="http://suricata-ids.org/2014/11/06/suricata-2-1beta2-available/">2.1beta2</a> the long awaited SMTP file extraction support for Suricata finally appeared. It has been a long development cycle. Originally started by BAE Systems, it was picked up by Tom Decanio of FireEye Forensics Group (formerly nPulse Technologies) followed by a last round of changes from my side. But it&rsquo;s here now.</p> <p>It contains:</p> <ul> <li>a MIME decoder</li> <li>updates to the SMTP parser to use the MIME decoder for extracting files</li> <li>SMTP JSON log, integrated with EVE</li> <li>SMTP message URL extraction and logging</li> </ul> <p>As it uses the Suricata file handling API, it shares almost everything with the existing file handling for HTTP. The rule keyword work and the various logs work automatically with SMTP as well.</p> https://inliniac.net/blog/2011/11/29/file-extraction-in-suricata/ Tue, 29 Nov 2011 16:27:27 +0000 https://inliniac.net/blog/2011/11/29/file-extraction-in-suricata/ <p>Today I pushed out a new feature in Suricata I&rsquo;m very excited about. It has been long in the making and with over 6000 new lines of code it&rsquo;s a significant effort. It&rsquo;s available in the current git master. I&rsquo;d consider it alpha quality, so handle with care.</p> <p>So what is this all about? Simply put, we can now extract files from HTTP streams in Suricata. Both uploads and downloads. Fully controlled by the rule language. But thats not all. I&rsquo;ve added a touch of magic. By utilizing libmagic (this powers the &ldquo;file&rdquo; command), we know the file type of files as well. Lots of interesting stuff that can be done there.</p>