alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:3; rev:1;)
+Or rather only store files from black list checksum md5 ?
+
+
+::
+
+
+ alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:4; rev:1;)
+
+Or only store files from black list checksum sha1 ?
+
+
+::
+
+
+ alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:5; rev:1;)
+
+Or finally store files from black list checksum sha256 ?
+
+
+::
+
+
+ alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:6; rev:1;)
+
Bundled with the Suricata download is a file with more example rules. In the archive, go to the rules/ directory and check the files.rules file.
+
MD5
~~~
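Review bot: the three example rules (sid 3 to 6 region, lines `filemd5:fileextraction-chksum.list`, `filesha1:fileextraction-chksum.list`, `filesha256:fileextraction-chksum.list`) all point at one list file, but each keyword only matches hashes of its own type, so a single list would have to mix MD5, SHA1 and SHA256 entries and each rule would silently ignore the other two thirds of it. Suggest distinct names per hash type, matching the `sha1-blacklist` / `sha256-blacklist` examples used elsewhere in this patch. Style: the lead-in questions ("Or rather only store files from black list checksum md5 ?") have a space before the question mark and read awkwardly; something like "Or store only files whose MD5 checksum is on a blacklist?" is clearer and consistent with the "white listing" wording in the keyword docs.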
File Extraction
---------------
-- Suricata has the ability to match on files from HTTP and SMTP streams and
+- Suricata has the ability to match on files from FTP, HTTP and SMTP streams and
log them to disk.
- Snort has the "file" preprocessor that can do something similar
See also: http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/
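Review bot: FTP is added to the list of protocols, but nothing else in this patch backs that up: the example rules added to files.rules (sid 28 to 30) are all `http`, and the "See also" link only covers MD5 blacklisting while this same patch introduces filesha1 and filesha256. Either add an FTP example rule alongside the HTTP/SMTP ones or keep this comparison line limited to what the documented examples show, and consider mentioning the new SHA1/SHA256 keywords here since they are the reason for the change.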
+filesha1
+--------
+
+Match file SHA1 against list of SHA1 checksums.
+
+Syntax::
+
+ filesha1:[!]filename;
+
+The filename is expanded to include the rule dir. In the default case
+it will become /etc/suricata/rules/filename. Use the exclamation mark
+to get a negated match. This allows for white listing.
+
+Examples::
+
+ filesha1:sha1-blacklist;
+ filesha1:!sha1-whitelist;
+
+*File format*
+
+Same as md5 file format.
+
+filesha256
+----------
+
+Match file SHA256 against list of SHA256 checksums.
+
+Syntax::
+
+ filesha256:[!]filename;
+
+The filename is expanded to include the rule dir. In the default case
+it will become /etc/suricata/rules/filename. Use the exclamation mark
+to get a negated match. This allows for white listing.
+
+Examples::
+
+ filesha256:sha256-blacklist;
+ filesha256:!sha256-whitelist;
+
+*File format*
+
+Same as md5 file format.
+
filesize
--------
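Review bot: "Same as md5 file format." in both the filesha1 and filesha256 sections is underspecified; a reader coming to this section directly has no pointer to the filemd5 section and no hint that the entries must be the correct hash length (40 hex characters for SHA1, 64 for SHA256), so an MD5 list copied into `sha1-blacklist` would never match. Suggest a cross-reference to the filemd5 file format plus one sentence stating one hash per line and the expected length. Also, the two sections are verbatim copies of each other apart from the keyword name; if a shared paragraph is not possible in this layout, at least the "Use the exclamation mark to get a negated match. This allows for white listing." sentence should clarify that a negated list combined with `filestore` stores every file not on the list, which is the opposite of the blacklist use case shown above.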
# Alert and store files over SMTP
#alert smtp any any -> any any (msg:"File Found over SMTP and stored"; filestore; sid:27; rev:1;)
+
+# Alert and store files from black list checksum: md5 or sha1 or sha256
+#alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:28; rev:1;)
+#alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:29; rev:1;)
+#alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:30; rev:1;)
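Review bot: the three commented-out rules reference `fileextraction-chksum.list`, which this patch does not add under rules/, so a user who uncomments them without first creating that file will hit a rule load error; add a comment line above them saying the list must be created by the user (one hash per line) and, as with the documentation examples, use a separate list per hash type rather than one name for filemd5, filesha1 and filesha256, since each keyword only matches its own hash length. The sid sequence (28, 29, 30 after the existing 27) and the `#` commenting convention are consistent with the rest of the file.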