1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
File Keywords
=============
Suricata comes with several rule keywords to match on various file
properties. They depend on properly configured
:doc:`../file-extraction/file-extraction`.
file.data
---------
The ``file.data`` sticky buffer matches on contents of files that are
seen in flows that Suricata evaluates. The various payload keywords can
be used (e.g. ``startswith``, ``nocase`` and ``bsize``) with ``file.data``.
Example::
alert smtp any any -> any any (msg:"smtp app layer file.data example"; \
file.data; content:"example file content"; sid:1; rev:1)
alert http any any -> any any (msg:"http app layer file.data example"; \
file.data; content:"example file content"; sid:2; rev:1)
alert http2 any any -> any any (msg:"http2 app layer file.data example"; \
file.data; content:"example file content"; sid:3; rev:1;)
alert nfs any any -> any any (msg:"nfs app layer file.data example"; \
file.data; content:" "; sid:5; rev:1)
alert ftp-data any any -> any any (msg:"ftp app layer file.data example"; \
file.data; content:"example file content"; sid:6; rev:1;)
alert tcp any any -> any any (msg:"tcp file.data example"; \
file.data; content:"example file content"; sid:4; rev:1)
**Note** file_data is the legacy notation but can still be used.
file.name
---------
``file.name`` is a sticky buffer that is used to look at filenames
that are seen in flows that Suricata evaluates. The various payload
keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``)
with ``file.name``.
Example::
file.name; content:"examplefilename";
``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
**Note** ``filename`` can still be used. A notable difference between
``file.name`` and ``filename`` is that ``filename`` assumes ``nocase``
by default. In the example below the two signatures are considered
the same.
Example::
filename:"examplefilename";
file.name; content:"examplefilename"; nocase;
fileext
--------
``fileext`` is used to look at individual file extensions that are
seen in flows that Suricata evaluates.
Example::
fileext:"pdf";
**Note:** ``fileext`` does not allow partial matches. For example, if
a PDF file (.pdf) is seen by a Suricata signature with
fileext:"pd"; the signature will not produce an alert.
**Note:** ``fileext`` assumes ``nocase`` by default. This means
that a file with the extension .PDF will be seen the same as if
the file had an extension of .pdf.
**Note:** ``fileext`` and ``file.name`` can both be used to match on
file extensions. In the example below the two signatures are
considered the same.
Example::
fileext:"pdf";
file.name; content:".pdf"; nocase; endswith;
**Note**: While``fileeext`` and ``file.name`` can both be used
to match on file extensions, ``file.name`` allows for partial
matching on file extensions. The following would match on a file
with the extension of .pd as well as .pdf.
Example::
file.name; content:".pd";
file.magic
----------
Matches on the information libmagic returns about a file.
Example::
file.magic; content:"executable for MS Windows";
**Note** ``filemagic`` can still be used. The only difference between
``file.magic`` and ``file.magic`` is that ``filemagic`` assumes ``nocase``
by default. In the example below the two signatures are considered
the same.
Example::
filemagic:"executable for MS Windows";
file.magic; content:"executable for MS Windows"; nocase;
Note: Suricata currently uses its underlying operating systems
version/implementation of libmagic. Different versions and
implementations of libmagic do not return the same information.
Additionally there are varying Suricata performance impacts
based on the version and implementation of libmagic.
Additional information about Suricata and libmagic can be found
here: https://redmine.openinfosecfoundation.org/issues/437
``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
filestore
---------
Stores files to disk if the signature matched.
Syntax::
filestore:<direction>,<scope>;
direction can be:
* request/to_server: store a file in the request / to_server direction
* response/to_client: store a file in the response / to_client direction
* both: store both directions
scope can be:
* file: only store the matching file (for filename,fileext,filemagic matches)
* tx: store all files from the matching HTTP transaction
* ssn/flow: store all files from the TCP session/flow.
If direction and scope are omitted, the direction will be the same as
the rule and the scope will be per file.
filemd5
-------
Match file :ref:`MD5 <md5>` against list of MD5 checksums.
Syntax::
filemd5:[!]filename;
The filename is expanded to include the rule dir. In the default case
it will become /etc/suricata/rules/filename. Use the exclamation mark
to get a negated match. This allows for white listing.
Examples::
filemd5:md5-blacklist;
filemd5:!md5-whitelist;
*File format*
The file format is simple. It's a text file with a single md5 per
line, at the start of the line, in hex notation. If there is extra
info on the line it is ignored.
Output from md5sum is fine::
2f8d0355f0032c3e6311c6408d7c2dc2 util-path.c
b9cf5cf347a70e02fde975fc4e117760 util-pidfile.c
02aaa6c3f4dbae65f5889eeb8f2bbb8d util-pool.c
dd5fc1ee7f2f96b5f12d1a854007a818 util-print.c
Just MD5's are good as well::
2f8d0355f0032c3e6311c6408d7c2dc2
b9cf5cf347a70e02fde975fc4e117760
02aaa6c3f4dbae65f5889eeb8f2bbb8d
dd5fc1ee7f2f96b5f12d1a854007a818
*Memory requirements*
Each MD5 uses 16 bytes of memory. 20 Million MD5's use about 310 MiB of memory.
See also: https://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/
filesha1
--------
Match file SHA1 against list of SHA1 checksums.
Syntax::
filesha1:[!]filename;
The filename is expanded to include the rule dir. In the default case
it will become /etc/suricata/rules/filename. Use the exclamation mark
to get a negated match. This allows for white listing.
Examples::
filesha1:sha1-blacklist;
filesha1:!sha1-whitelist;
*File format*
Same as md5 file format.
filesha256
----------
Match file SHA256 against list of SHA256 checksums.
Syntax::
filesha256:[!]filename;
The filename is expanded to include the rule dir. In the default case
it will become /etc/suricata/rules/filename. Use the exclamation mark
to get a negated match. This allows for white listing.
Examples::
filesha256:sha256-blacklist;
filesha256:!sha256-whitelist;
*File format*
Same as md5 file format.
filesize
--------
Match on the size of the file as it is being transferred.
filesize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
Syntax::
filesize:<value>;
Possible units are KB, MB and GB, without any unit the default is bytes.
Examples::
filesize:100; # exactly 100 bytes
filesize:100<>200; # greater than 100 and smaller than 200
filesize:>100MB; # greater than 100 megabytes
filesize:<100MB; # smaller than 100 megabytes
**Note**: For files that are not completely tracked because of packet
loss or stream.reassembly.depth being reached on the "greater than" is
checked. This is because Suricata can know a file is bigger than a
value (it has seen some of it already), but it can't know if the final
size would have been within a range, an exact value or smaller than a
value.
|
