doc: update filestore for file hash extraction

Update for extraction based on md5, sha1 and sha256
8 years ago · 0ff60f65ec
parent e8939335ea
commit 0ff60f65ec
4 changed files with 75 additions and 1 deletions
--- a/doc/userguide/file-extraction/file-extraction.rst
+++ b/doc/userguide/file-extraction/file-extraction.rst
@ -158,8 +158,33 @@ Or rather all actual pdf files?

  alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:3; rev:1;)

+Or rather only store files from black list checksum md5 ?
+
+
+::
+
+
+  alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:4; rev:1;)
+
+Or only store files from black list checksum sha1 ?
+
+
+::
+
+
+  alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:5; rev:1;)
+
+Or finally store files from black list checksum sha256 ?
+
+
+::
+
+
+  alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:6; rev:1;)
+
 Bundled with the Suricata download is a file with more example rules. In the archive, go to the rules/ directory and check the files.rules file.

+
 MD5
 ~~~

--- a/doc/userguide/rules/differences-from-snort.rst
+++ b/doc/userguide/rules/differences-from-snort.rst
@ -449,7 +449,7 @@ Negated Content Match Special Case
 File Extraction
 ---------------

-  Suricata has the ability to match on files from HTTP and SMTP streams and
+-  Suricata has the ability to match on files from FTP, HTTP and SMTP streams and
   log them to disk.

 -  Snort has the "file" preprocessor that can do something similar
--- a/doc/userguide/rules/file-keywords.rst
+++ b/doc/userguide/rules/file-keywords.rst
@ -115,6 +115,50 @@ Each MD5 uses 16 bytes of memory. 20 Million MD5's use about 310 MiB of memory.

 See also: http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/

+filesha1
+--------
+
+Match file SHA1 against list of SHA1 checksums.
+
+Syntax::
+
+  filesha1:[!]filename;
+
+The filename is expanded to include the rule dir. In the default case
+it will become /etc/suricata/rules/filename. Use the exclamation mark
+to get a negated match. This allows for white listing.
+
+Examples::
+
+  filesha1:sha1-blacklist;
+  filesha1:!sha1-whitelist;
+
+*File format*
+
+Same as md5 file format.
+
+filesha256
+----------
+
+Match file SHA256 against list of SHA256 checksums.
+
+Syntax::
+
+  filesha256:[!]filename;
+
+The filename is expanded to include the rule dir. In the default case
+it will become /etc/suricata/rules/filename. Use the exclamation mark
+to get a negated match. This allows for white listing.
+
+Examples::
+
+  filesha256:sha256-blacklist;
+  filesha256:!sha256-whitelist;
+
+*File format*
+
+Same as md5 file format.
+
 filesize
 --------

--- a/rules/files.rules
+++ b/rules/files.rules
@ -45,3 +45,8 @@

 # Alert and store files over SMTP
 #alert smtp any any -> any any (msg:"File Found over SMTP and stored"; filestore; sid:27; rev:1;)
+
+# Alert and store files from black list checksum: md5 or sha1 or sha256
+#alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:28; rev:1;)
+#alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:29; rev:1;)
+#alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:30; rev:1;)