[Suricata IDS] Extracting encrypted and unencrypted data files



  • Sorry if this is a beginner's question, but could someone explain how to use Suricata to capture the file stream based on file name and extension? I want to extract .dll, .exe, and other file extensions that pass through my network.

    This is my original post: https://forum.pfsense.org/index.php?topic=71915.msg40024

    Also, is this an example of saving actual files (not just pcap files) using Wireshark? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Sniffing_Packets_with_Wireshark



  • @pfNeo:

    Sorry if this is a beginner's question, but could someone explain how to use Suricata to capture the file stream based on file name and extension? I want to extract .dll, .exe, and other file extensions that pass through my network.

    This is my original post: https://forum.pfsense.org/index.php?topic=71915.msg40024

    Also, is this an example of saving actual files (not just pcap files) using Wireshark? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Sniffing_Packets_with_Wireshark

    Suricata can capture certain types of files, but the rules for doing this are disabled by default.  I confess to not having tested this myself yet, but here is what I believe you should do.

    On the Interface Settings tab for the interface enable the File Store option by checking the box next to Enable File-Store.  Save the change.

    You will be returned to the Suricata Interfaces tab.  Click to edit the interface again and go to the Rules tab and select files.rules from the category drop-down selector.

    Notice they all come disabled by default.  To enable some or all of them, click the red X icon on the left of each rule.  If you want to enable them all at once, then near the center of the page toward the right are a series of icons for performing bulk actions.  One of those will enable all rules in the selected category.

    Once you select the file rules you want, then click Apply to save and apply the changes to the running Suricata process.

    Captured files are stored in /var/log/suricata/suricata_xxxxxxx/files where xxxxxxx is the physical interface name followed by a UUID.  Here is an example from one of my test machines: /var/log/suricata/suricata_em130303/files Note that you can only capture files that Suricata is equipped to recognize via the rules.  This is about my limit of expertise, though, with this feature.  I am interested to hear how it goes for you.  Please report back.

    Bill



  • Thank you for the detailed instructions. I am on the very last step right now. I am trying to figure out how to create a rule that will capture specific file formats, such as .dll.

    Do you know how to achieve this?

    I will post back if I figure this out.

    Small update [1]: I found this documentation. I'm in the process of reading it now: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Adding_Your_Own_Rules

    Small update [2]: I ran the following command at Diagnostics > Command Prompt: Execute Shell Command, but I do not see the rule updated in Suricata.

    alert http any any -> any any (msg:"FILE DLL file claimed"; fileext:"dll"; filestore; sid:2; rev:1;)
    


  • @pfNeo:

    Thank you for the detailed instructions. I am on the very last step right now. I am trying to figure out how to create a rule that will capture specific file formats, such as .dll.

    Do you know how to achieve this?

    I will post back if I figure this out.

    Small update [1]: I found this documentation. I'm in the process of reading it now: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Adding_Your_Own_Rules

    Small update [2]: I ran the following command at Diagnostics > Command Prompt: Execute Shell Command, but I do not see the rule updated in Suricata.

    alert http any any -> any any (msg:"FILE DLL file claimed"; fileext:"dll"; filestore; sid:2; rev:1;)
    

    I have not written any custom Suricata rules.  There is a box for inputting custom rule, though.  Go to the RULES tab for the interface and select Custom Rules in the category drop-down selector.  Type your rule or rules in the text box and save them.

    Suricata, like Snort, writes a fresh configuration with each restart and on most save operations.  So anything you edit directly in configuration files or rules files from the command line will get overwritten with the next restart of Suricata or with most of the save operations.  If you want your own custom rules, then put them in the Custom Rules category as I described.

    Bill



  • Are the custom rules auto enabled? I inputted the following as a custom rule and it is now saved:

    alert http any any -> any any (msg:"FILE DLL file claimed"; fileext:"dll"; filestore; sid:2; rev:1;)
    

    I navigated to /var/log/suricata/suricata_vrXXXXX/files/ using File Manager (https://forum.pfsense.org/index.php/topic,26974.0.html), but I do not see the dll file that I just downloaded.



  • @pfNeo:

    Are the custom rules auto enabled? I inputted the following as a custom rule and it is now saved:

    alert http any any -> any any (msg:"FILE DLL file claimed"; fileext:"dll"; filestore; sid:2; rev:1;)
    

    I navigated to /var/log/suricata/suricata_vrXXXXX/files/ using File Manager (https://forum.pfsense.org/index.php/topic,26974.0.html), but I do not see the dll file that I just downloaded.

    Yes, any custom rule created and saved is enabled.  If you want to look at it, browse to /usr/pbi/suricata-arch/etc/suricata and look in the interface's sub-directory and then in the rules/suricata.rules file there.

    I did not look very hard, but in my perusing of Google links I never found much documentation for the file capture feature.

    Bill



  • It's not in suricata.rules. Instead, it's in custom.rules

    I'm looking inside /usr/pbi/suricata-ARCH/etc/suricata/suricata_XXXX_YYY/rules/

    Do I have to restart suricata (disable/enable?) for it to work?

    I'm using 2.1-RELEASE (i386).



  • I did another test and I did find some files in the directory, but not the actual dll file. I found file.1 and file.1.meta.

    file.1 contained the following (stripped) text

    
    {"status":"success","url":"http:\/\/www.SOMEWEBSITE.com\/PHPFILE.php?=somecodeinphp"}
    
    

    file.1.meta contains the following

    
    TIME:               [stripped content]
    SRC IP:             [stripped content]
    DST IP:             [stripped content]
    PROTO:              [stripped content]
    SRC PORT:           [stripped content]
    DST PORT:           [stripped content]
    HTTP URI:          [stripped content]
    HTTP HOST:         [stripped content]
    HTTP REFERER:       [stripped content]
    HTTP USER AGENT:   [stripped content]
    FILENAME:          /URLPATH/file.dll
    MAGIC:             <unknown>
    STATE:             CLOSED
    SIZE:              126
    
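    A small triage script for the output posted above, added here as an example for this thread (it is not part of the pfSense package or of Suricata). It assumes the classic text file-store layout shown in the post: a data file file.N next to a file.N.meta made of upper-case "LABEL: value" lines. It pairs each .meta record with its data file, checks the recorded SIZE against the bytes on disk, and flags records whose FILENAME ends in .dll or .exe but whose MAGIC line does not describe a PE image (as happened above, where a request for file.dll produced a short JSON body and MAGIC came back as <unknown>). The records, hosts, IPs and magic strings in the sample store are constructed, not taken from a real capture.

```python
"""Triage Suricata file-store output (file.N + file.N.meta pairs).

Added example for the forum thread; not pfSense or Suricata code.
Assumes the text .meta format shown in the thread ("LABEL: value" lines).
"""
import os
import re
import tempfile
from typing import Dict, List

# One label per line, label in upper case, value after the first colon.
META_LINE = re.compile(r"^([A-Z][A-Z ]*?):\s*(.*)$")
META_ORDER = ["TIME", "SRC IP", "DST IP", "PROTO", "SRC PORT", "DST PORT",
              "HTTP URI", "HTTP HOST", "HTTP REFERER", "HTTP USER AGENT",
              "FILENAME", "MAGIC", "STATE", "SIZE"]
EXEC_EXTS = {"dll", "exe"}  # extensions the thread's fileext rules target

# The record posted in the thread, with the stripped fields left as placeholders.
THREAD_META = """\
TIME:              [stripped content]
FILENAME:          /URLPATH/file.dll
MAGIC:             <unknown>
STATE:             CLOSED
SIZE:              126
"""


def parse_meta(text: str) -> Dict[str, str]:
    """Parse one file.N.meta body into a dict keyed by its upper-case labels."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        match = META_LINE.match(line)
        if match:
            record[match.group(1).strip()] = match.group(2).strip()
    return record


def render_meta(fields: Dict[str, str]) -> str:
    """Write a record back out in the same column layout (used to build samples)."""
    return "".join(f"{label + ':':<19}{fields.get(label, '<unknown>')}\n"
                   for label in META_ORDER)


def extension_of(filename: str) -> str:
    """Lower-case extension of the FILENAME field, ignoring any query string."""
    base = filename.rsplit("/", 1)[-1].split("?", 1)[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def magic_looks_executable(magic: str) -> bool:
    """True when the libmagic description names a Windows PE image."""
    return "PE32" in magic or "executable" in magic.lower()


def assess(record: Dict[str, str], size_on_disk: int) -> str:
    """One-word verdict: does the extracted file match what its .meta claims?"""
    if int(record.get("SIZE", "0")) != size_on_disk:
        return "size-mismatch"          # truncated store or stale meta file
    magic = record.get("MAGIC", "<unknown>")
    if magic == "<unknown>":
        return "magic-unavailable"      # magic file not configured, as in the thread
    if extension_of(record.get("FILENAME", "")) in EXEC_EXTS \
            and not magic_looks_executable(magic):
        return "content-mismatch"       # URL said .dll/.exe, body is something else
    return "ok"


def summarise_store(files_dir: str) -> List[dict]:
    """Walk a files/ directory and return one summary row per file.N.meta."""
    rows = []
    for name in sorted(os.listdir(files_dir)):
        if not name.endswith(".meta"):
            continue
        data_name = name[:-len(".meta")]
        with open(os.path.join(files_dir, name), encoding="utf-8",
                  errors="replace") as fh:
            record = parse_meta(fh.read())
        data_path = os.path.join(files_dir, data_name)
        size = os.path.getsize(data_path) if os.path.exists(data_path) else -1
        rows.append({"file": data_name, "filename": record.get("FILENAME", ""),
                     "host": record.get("HTTP HOST", ""),
                     "magic": record.get("MAGIC", ""), "size": size,
                     "verdict": assess(record, size)})
    return rows


def build_sample_store(root: str) -> str:
    """Create a constructed files/ directory with three records and return its path."""
    files_dir = os.path.join(root, "files")
    os.makedirs(files_dir, exist_ok=True)
    samples = [  # (data bytes, FILENAME, MAGIC) -- all constructed
        (b'{"status":"success","url":"http:\\/\\/www.SOMEWEBSITE.com\\/PHPFILE.php"}',
         "/URLPATH/file.dll", "<unknown>"),
        (b"MZ" + b"\x90" * 62 + b"PE\x00\x00", "/bin/helper.dll",
         "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"),
        (b"<html><body>Not Found</body></html>", "/downloads/setup.exe",
         "HTML document, ASCII text"),
    ]
    for n, (data, filename, magic) in enumerate(samples, start=1):
        with open(os.path.join(files_dir, f"file.{n}"), "wb") as fh:
            fh.write(data)
        fields = {"SRC IP": "192.0.2.10", "DST IP": "198.51.100.20", "PROTO": "6",
                  "HTTP HOST": "www.SOMEWEBSITE.com", "HTTP URI": filename,
                  "FILENAME": filename, "MAGIC": magic, "STATE": "CLOSED",
                  "SIZE": str(len(data))}
        with open(os.path.join(files_dir, f"file.{n}.meta"), "w") as fh:
            fh.write(render_meta(fields))
    return files_dir


def demo() -> List[dict]:
    """Build the constructed store in a temp dir and summarise it."""
    return summarise_store(build_sample_store(tempfile.mkdtemp()))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['file']:8} {row['verdict']:18} {row['filename']}  [{row['magic']}]")
```

    Run it against a real store by calling summarise_store("/var/log/suricata/suricata_<iface>/files") instead of demo(); a "magic-unavailable" verdict on every row is the symptom of the magic-file setting Bill mentions below, and "content-mismatch" rows are the ones worth opening first.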


  • @pfNeo:

    I did another test and I did find some files in the directory, but not the actual dll file. I found file.1 and file.1.meta.

    file.1 contained the following (stripped) text

    
    {"status":"success","url":"http:\/\/www.SOMEWEBSITE.com\/PHPFILE.php?=somecodeinphp"}
    
    

    file.1.meta contains the following

    
    TIME:               [stripped content]
    SRC IP:             [stripped content]
    DST IP:             [stripped content]
    PROTO:              [stripped content]
    SRC PORT:           [stripped content]
    DST PORT:           [stripped content]
    HTTP URI:          [stripped content]
    HTTP HOST:         [stripped content]
    HTTP REFERER:       [stripped content]
    HTTP USER AGENT:   [stripped content]
    FILENAME:          /URLPATH/file.dll
    MAGIC:             <unknown>
    STATE:             CLOSED
    SIZE:              126
    

    Thanks for the feedback.  Just got back in the country from a vacation and still catching up.

    Sorry about giving you the wrong rules file name.  It is custom.rules.  The snort.rules are all the pre-packaged rules.

    As I mentioned, testing of the file capture ability in Suricata is not something I had a chance to test.  One possible issue is I may have the "magic file" setting messed up.  If you have some knowledge and want to experiment, you can edit that feature in the suricata.yaml file.  There is a "template" for that file in /usr/local/pkg/suricata called suricata_yaml_template.inc.

    Please post back what you discover.  I want to get this working properly.  I have been multitasking with the Snort package and working on Suricata blocking.  This has limited my time to experiment more with this feature.

    Bill

