Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata - alert on pdf files

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    2
    79
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      I have written a custom rule to alert me on any pdf transfers seen going via smb

      alert smb any any -> any any (msg:"PDF file transfer detected over SMB"; fileext:"pdf"; sid:100002; rev:1;)

      The rule is written currently using the new Suricata 7.x binary for pfsense and the fileext is supported according to documentation.

      For added measure I have enabled FileStore in the GUI as well. SMB parsers is set to enable.

      Any clue as to why this wouldn't work?

      This is just a test rule and i do intend on being more refined in the future.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      1 Reply Last reply Reply Quote 0
      • V
        Vollans
        last edited by

        My guess would be that if you’re moving the file over SMB, it’s likely to be on the same network, so would never actually touch the firewall to be detected.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post