From: Pascal Delalande Date: Fri, 26 Jan 2018 21:11:33 +0000 (+0100) Subject: doc: update filestore for file hash extraction X-Git-Tag: suricata-4.1.0-beta1~287 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ff60f65ec4cf4d71d68a28da4c5d5c161da2176;p=thirdparty%2Fsuricata.git doc: update filestore for file hash extraction Update for extraction based on md5, sha1 and sha256 --- diff --git a/doc/userguide/file-extraction/file-extraction.rst b/doc/userguide/file-extraction/file-extraction.rst index ab31d802d4..91f4d28731 100644 --- a/doc/userguide/file-extraction/file-extraction.rst +++ b/doc/userguide/file-extraction/file-extraction.rst @@ -158,8 +158,33 @@ Or rather all actual pdf files? alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:3; rev:1;) +Or rather only store files from black list checksum md5 ? + + +:: + + + alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:4; rev:1;) + +Or only store files from black list checksum sha1 ? + + +:: + + + alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:5; rev:1;) + +Or finally store files from black list checksum sha256 ? + + +:: + + + alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:6; rev:1;) + Bundled with the Suricata download is a file with more example rules. In the archive, go to the rules/ directory and check the files.rules file. + MD5 ~~~ diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 1012717e33..2b1c41f7a4 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst 
@@ -449,7 +449,7 @@ Negated Content Match Special Case File Extraction --------------- -- Suricata has the ability to match on files from HTTP and SMTP streams and +- Suricata has the ability to match on files from FTP, HTTP and SMTP streams and log them to disk. - Snort has the "file" preprocessor that can do something similar diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 9a173bd8e5..c59740186d 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -115,6 +115,50 @@ Each MD5 uses 16 bytes of memory. 20 Million MD5's use about 310 MiB of memory. See also: http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/ +filesha1 +-------- + +Match file SHA1 against list of SHA1 checksums. + +Syntax:: + + filesha1:[!]filename; + +The filename is expanded to include the rule dir. In the default case +it will become /etc/suricata/rules/filename. Use the exclamation mark +to get a negated match. This allows for white listing. + +Examples:: + + filesha1:sha1-blacklist; + filesha1:!sha1-whitelist; + +*File format* + +Same as md5 file format. + +filesha256 +---------- + +Match file SHA256 against list of SHA256 checksums. + +Syntax:: + + filesha256:[!]filename; + +The filename is expanded to include the rule dir. In the default case +it will become /etc/suricata/rules/filename. Use the exclamation mark +to get a negated match. This allows for white listing. + +Examples:: + + filesha256:sha256-blacklist; + filesha256:!sha256-whitelist; + +*File format* + +Same as md5 file format. + filesize -------- diff --git a/rules/files.rules b/rules/files.rules index c747727f39..6dd628ec0a 100644 --- a/rules/files.rules +++ b/rules/files.rules 
@@ -45,3 +45,8 @@ # Alert and store files over SMTP #alert smtp any any -> any any (msg:"File Found over SMTP and stored"; filestore; sid:27; rev:1;) + +# Alert and store files from black list checksum: md5 or sha1 or sha256 +#alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:28; rev:1;) +#alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:29; rev:1;) +#alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:30; rev:1;)
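Review bot: in the file-extraction.rst hunk, the three new example rules all point at one file, `fileextraction-chksum.list`, while `filemd5`, `filesha1` and `filesha256` each expect a list of checksums of their own type; say what that file holds (one checksum per line, of the type the keyword matches) or use distinct names such as the `sha1-blacklist` / `sha256-blacklist` names the file-keywords.rst hunk uses, so a reader does not assume one mixed-type list serves all three keywords. Minor wording: the question lines have a space before the question mark ("checksum md5 ?") and read awkwardly; suggest "Or only store files whose MD5 checksum appears in a black list?" and the same for SHA1 and SHA256.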
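Review bot: the FTP addition in the differences-from-snort.rst hunk is not covered by the commit message, which only describes extraction based on md5, sha1 and sha256; either move it to its own commit or mention it in the message so the protocol-list change is discoverable in the history.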
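Review bot: in the file-keywords.rst hunk, both new sections end with "Same as md5 file format." without saying where that format is documented; since the md5 section is elsewhere in the same file, reference it by name (for example "See *File format* under filemd5.") so the reader does not have to hunt for it. The context line just above the new sections gives the per-entry memory cost for MD5 ("Each MD5 uses 16 bytes of memory. 20 Million MD5's use about 310 MiB of memory."); the filesha1 and filesha256 sections give no equivalent figure, and since SHA1 and SHA256 digests are 20 and 32 bytes respectively, the per-entry cost and the sizing guidance differ and should be stated for each. Minor: "white listing" is two words in the prose while the example file names use "whitelist"; pick one spelling.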
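Review bot: the three commented-out rules in files.rules reference `fileextraction-chksum.list`, and no such file is added under rules/ in this patch, so a user who uncomments one of them gets a rule that will not load until that list exists in the rule directory (the file-keywords.rst hunk states the name is expanded to /etc/suricata/rules/filename by default). Either ship a sample list or add a comment line stating the expected content (one checksum per line, matching the hash type of the keyword); the leading comment also reads better as "Alert and store files whose checksum (md5, sha1 or sha256) is on a black list".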