Bug #2395


File_data inspection depth while inspecting base64 decoded data

Added by Bryant Smith about 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I had noticed that, when needing to inspect SMTP traffic, Suricata can use file_data to inspect the base64-encoded attachments. This doesn't seem to work correctly all of the time. It seems that anything that is small seems to work, but if the attachment is large I can't inspect deep into the payload, or sometimes not even at the beginning of the payload. I've attached a sample pcap and a simple rule that looks for two things: MZ at the beginning of the file_data payload, and CreateFont, which shows up further in. I've tried adjusting the various settings for libhtp but ended up with the same results.

/opt/suricata/bin/suricata -V

This is Suricata version 4.0.0 RELEASE

--------------------------------------------------------------------------
Date: 12/26/2017 -- 07:18:17. Sorted by: number of matches.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        123456       1        1        26488        100.00 1        0        26488       26488.00    0.00        26488.00
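The sample.rules and pcap attached to the ticket are not reproduced on the page, so the following is an added, constructed example (not Bryant Smith's rule and not Suricata's code) of the scenario the description tests: a base64-encoded attachment in the SMTP DATA phase that starts with MZ and contains CreateFont far into the file, decoded incrementally in segment-sized pieces while pattern hits are tracked at offsets relative to the decoded file, which is what a file_data match has to do. The RULE string is an assumed reconstruction of the rule the description paraphrases (sid 123456 is the one in the profiling output above); the 1460-byte segment size, the 200 kB file size and the marker offset are assumptions, the latter chosen so that CreateFont straddles two base64 lines and the match has to survive a chunk boundary.

```python
import base64
import email.policy
from email.message import EmailMessage

MZ = b"MZ"
MARKER = b"CreateFont"
PATTERNS = (MZ, MARKER)

# Assumed reconstruction of the ticket's sample.rules (not shown on the page):
# MZ pinned to the start of the decoded file, CreateFont anywhere after it.
RULE = ('alert smtp any any -> any any (msg:"MZ file with CreateFont"; '
        'file_data; content:"MZ"; depth:2; content:"CreateFont"; '
        'sid:123456; rev:1;)')


def build_attachment(total_size=200_000, marker_offset=150_019):
    """Constructed stand-in for the attachment in the pcap: DOS 'MZ' magic
    first, 'CreateFont' deep inside, filler elsewhere.  The default offset is
    chosen so the marker straddles two 76-column base64 lines (57 bytes each)."""
    blob = bytearray(MZ)
    blob += b"\x90" * (marker_offset - len(blob))
    blob += MARKER
    blob += b"\x00" * (total_size - len(blob))
    return bytes(blob)


def build_smtp_data(attachment):
    """Render the message as an MTA sends it in the SMTP DATA phase:
    CRLF line endings, attachment base64-encoded in 76-column lines."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "file_data test"
    msg.set_content("attachment follows")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.exe")
    return msg.as_bytes(policy=email.policy.SMTP)


def inspect_stream(wire, segment_size=1460):
    """Consume the DATA payload in segment-sized pieces (1460 is an assumed
    TCP MSS, not a value from the ticket) and decode the base64 part
    incrementally, the way an IDS has to when it inspects file_data without
    first reassembling the whole message.  Returns the decoded length, the
    first offset of each pattern relative to the decoded file, and whether
    the rule's two content checks would both be satisfied."""
    keep = max(len(p) for p in PATTERNS) - 1
    decoded_len = 0
    tail = b""          # last `keep` decoded bytes, so straddling matches are seen
    first_offset = {}

    def feed_decoded(chunk):
        nonlocal decoded_len, tail
        window = tail + chunk
        base = decoded_len - len(tail)   # file offset of window[0]
        for p in PATTERNS:
            if p not in first_offset:
                i = window.find(p)
                if i != -1:
                    first_offset[p] = base + i
        decoded_len += len(chunk)
        tail = window[-keep:]

    line_buf = b""      # partial line carried across segments
    b64_buf = b""       # base64 text not yet a multiple of 4 chars
    in_b64_headers = in_b64_body = done = False
    for pos in range(0, len(wire), segment_size):
        if done:
            break
        line_buf += wire[pos:pos + segment_size]
        while b"\n" in line_buf and not done:
            line, line_buf = line_buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if in_b64_body:
                if line.startswith(b"--"):       # closing MIME boundary
                    done = True
                    continue
                b64_buf += line
                usable = len(b64_buf) - len(b64_buf) % 4
                if usable:
                    feed_decoded(base64.b64decode(b64_buf[:usable]))
                    b64_buf = b64_buf[usable:]
            elif (line.lower().startswith(b"content-transfer-encoding:")
                  and b"base64" in line.lower()):
                in_b64_headers = True            # this part's body is base64
            elif line == b"" and in_b64_headers:
                in_b64_body = True               # blank line ends the headers
    return {
        "decoded_len": decoded_len,
        "mz_offset": first_offset.get(MZ),
        "marker_offset": first_offset.get(MARKER),
        "rule_matches": first_offset.get(MZ) == 0 and MARKER in first_offset,
    }


if __name__ == "__main__":
    print(RULE)
    print(inspect_stream(build_smtp_data(build_attachment())))
```

The two things this harness makes explicit are the ones a depth-limited inspector can get wrong: base64 must be decoded on 4-character group boundaries regardless of where the TCP segment cut the line, and a content match must be evaluated against the decoded file offset, with a carry of len(pattern)-1 bytes so a string split across two decoded chunks is still found. Feeding the same message with a different segment_size must give identical offsets; if it does not, the decoder, not the rule, is at fault.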

Files

sample.rules (212 Bytes) - Bryant Smith, 12/26/2017 08:11 AM
export.pcap (157 KB) - Bryant Smith, 12/26/2017 08:11 AM
test-mail-attach.pcap (5.69 MB) - Gabriel Somlo, 09/24/2018 05:03 PM
etc_suricata_suricata.yaml (72.8 KB) - Gabriel Somlo, 08/19/2019 11:16 PM
etc_suricata_classification.config (4.16 KB) - Gabriel Somlo, 08/19/2019 11:16 PM
var_lib_suricata_rules_suricata.rules (315 Bytes) - Gabriel Somlo, 08/19/2019 11:16 PM
suricata.rules (436 Bytes) - Gabriel Somlo, 09/22/2019 01:00 PM

Related issues (2: 0 open, 2 closed)

Related to Suricata - Bug #3190: file_data inspection inhibited by additional (non-file_data) content match rule (Closed, Victor Julien)
Copied to Suricata - Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x) (Closed, Victor Julien)