Suricata

On https://docs.suricata.io/en/latest/file-extraction/file-extraction.html

There is a series of example on the extracting file from a blacklist:

alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:6; rev:1;)

This can not properly work as if the file is too big, the match will happen at the end so the file storing will not be done early enough.

As a side note: it seems that running this example, we can have an empty file extracted to the correct sha256 file.