4.10. File Keywords
Suricata comes with several rule keywords to match on various file properties. They depend on properly configured File Extraction.
4.10.1. filename
Matches on the file name.

4.10.2. fileext
Matches on the extension of a file name.

4.10.3. filemagic
Matches on the information libmagic returns about a file.
Example:

    filemagic:"executable for MS Windows";

Note: as libmagic versions differ between installations, the returned information may also slightly change. See also #437.
4.10.4. filestore
Stores files to disk if the signature matched.
Syntax:

    filestore:<direction>,<scope>;

direction can be:
- request/to_server: store a file in the request / to_server direction
- response/to_client: store a file in the response / to_client direction
- both: store both directions
scope can be:
- file: only store the matching file (for filename, fileext and filemagic matches)
- tx: store all files from the matching HTTP transaction
- ssn/flow: store all files from the TCP session/flow
If direction and scope are omitted, the direction will be the same as the rule's and the scope will be per file.
4.10.5. filemd5
Match file MD5 against a list of MD5 checksums.
Syntax:

    filemd5:[!]filename;

The filename is expanded to include the rule dir. In the default case it will become /etc/suricata/rules/filename. Use the exclamation mark to get a negated match. This allows for white listing.
The file format is simple: a text file with a single MD5 per line, at the start of the line, in hex notation. Any extra information on the line after the hash is ignored.
Output from md5sum is fine:

    2f8d0355f0032c3e6311c6408d7c2dc2  util-path.c
    b9cf5cf347a70e02fde975fc4e117760  util-pidfile.c
    02aaa6c3f4dbae65f5889eeb8f2bbb8d  util-pool.c
    dd5fc1ee7f2f96b5f12d1a854007a818  util-print.c

Just MD5s are good as well:

    2f8d0355f0032c3e6311c6408d7c2dc2
    b9cf5cf347a70e02fde975fc4e117760
    02aaa6c3f4dbae65f5889eeb8f2bbb8d
    dd5fc1ee7f2f96b5f12d1a854007a818

Each MD5 uses 16 bytes of memory. 20 million MD5s use about 310 MiB of memory.
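The list format and the negation rule above are easy to get subtly wrong when you generate lists from other tooling, so here is an added example (not Suricata's own code) that loads such a list the way the text describes: one hash at the start of each line, anything after it ignored, other lines skipped. It also resolves the `[!]filename` argument against the rule directory and applies the resulting list to a file's content. The sample list, the helper names and the default rule directory are constructed for this illustration; accepting upper-case hex is this example's choice (md5sum itself prints lower-case).

```python
import hashlib
import re
from pathlib import Path
from typing import Set, Tuple

# Constructed sample list (not from the Suricata docs): md5sum-style lines,
# bare hashes, a blank line and a junk line, to show what the format tolerates.
SAMPLE_LIST = """\
2f8d0355f0032c3e6311c6408d7c2dc2  util-path.c
b9cf5cf347a70e02fde975fc4e117760  util-pidfile.c
02aaa6c3f4dbae65f5889eeb8f2bbb8d
5d41402abc4b2a76b9719d911017c592  hello.txt   (md5 of the bytes b"hello")
DD5FC1EE7F2F96B5F12D1A854007A818 trailing text is ignored

not-a-hash this line is skipped entirely
"""

# A line counts only if it starts with 32 hex digits followed by whitespace or end of line.
MD5_AT_LINE_START = re.compile(r"^([0-9a-fA-F]{32})(?:\s|$)")


def parse_filemd5_list(text: str) -> Set[bytes]:
    """Return the set of 16-byte digests found at the start of each line.

    Lines that do not begin with an MD5 are skipped and anything after the
    hash is ignored, as the documented format allows.
    """
    digests: Set[bytes] = set()
    for line in text.splitlines():
        match = MD5_AT_LINE_START.match(line.strip())
        if match:
            digests.add(bytes.fromhex(match.group(1)))
    return digests


def parse_filemd5_option(option: str, rule_dir: str = "/etc/suricata/rules") -> Tuple[bool, str]:
    """Split a filemd5 keyword argument into (negated, absolute list path).

    A leading '!' requests a negated match (white-listing); the bare name is
    expanded relative to the rule directory, as the text above describes.
    """
    negated = option.startswith("!")
    name = option[1:] if negated else option
    return negated, str(Path(rule_dir) / name)


def filemd5_matches(file_bytes: bytes, digests: Set[bytes], negated: bool) -> bool:
    """Apply the list to a file's content: in the list -> match, unless negated."""
    return (hashlib.md5(file_bytes).digest() in digests) != negated


if __name__ == "__main__":
    negated, path = parse_filemd5_option("!whitelist.md5")
    print(f"negated={negated} path={path}")
    digests = parse_filemd5_list(SAMPLE_LIST)
    print(f"{len(digests)} digests loaded, ~{len(digests) * 16} bytes of hash storage")
    print("b'hello' hits plain list:", filemd5_matches(b"hello", digests, False))
    print("b'hello' hits negated list:", filemd5_matches(b"hello", digests, True))
```

Note that a negated list matches every file whose hash is absent from it, which is what makes it usable as a whitelist: the rule fires only for files you have not explicitly allowed.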
4.10.6. filesize
Match on the size of the file as it is being transferred.
Examples:

    filesize:100;       # exactly 100 bytes
    filesize:100<>200;  # greater than 100 and smaller than 200
    filesize:>100;      # greater than 100
    filesize:<100;      # smaller than 100

Note: for files that are not completely tracked because of packet loss or stream.depth being reached, only the "greater than" check is evaluated. This is because Suricata can know a file is bigger than a value (it has seen some of it already), but it can't know whether the final size would have been within a range, an exact value, or smaller than a value.
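The partial-file caveat is the part of filesize that catches people out, so here is an added example (not Suricata's own matching code) that parses the four argument forms shown above and evaluates them against a small constructed model of a file in transit. When the file was not completely tracked, only the "greater than" form can be decided; the others never match. The `TrackedFile` model and the helper names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TrackedFile:
    """Constructed model of what the engine knows about a file in transit."""
    bytes_seen: int     # bytes of the file observed so far
    complete: bool      # True only if the whole file was tracked end to end


def parse_filesize(arg: str) -> Tuple[str, int, Optional[int]]:
    """Parse a filesize argument into (op, value, upper_bound).

    Accepted forms mirror the examples above: N, N<>M, >N and <N.
    """
    arg = arg.strip().rstrip(";")
    if "<>" in arg:
        lo, hi = arg.split("<>", 1)
        return "range", int(lo), int(hi)
    if arg.startswith(">"):
        return "gt", int(arg[1:]), None
    if arg.startswith("<"):
        return "lt", int(arg[1:]), None
    return "eq", int(arg), None


def filesize_matches(arg: str, f: TrackedFile) -> bool:
    """Evaluate filesize against a file, honouring the partial-file caveat.

    For a file that was not completely tracked only the "greater than" test
    can be decided: the true size is at least bytes_seen, so >N is provable
    once bytes_seen exceeds N, while N, N<>M and <N cannot be known and so
    never match.
    """
    op, value, upper = parse_filesize(arg)
    if not f.complete:
        return op == "gt" and f.bytes_seen > value
    size = f.bytes_seen
    if op == "eq":
        return size == value
    if op == "gt":
        return size > value
    if op == "lt":
        return size < value
    return value < size < upper   # range: both bounds exclusive, per the text above


if __name__ == "__main__":
    whole = TrackedFile(bytes_seen=150, complete=True)
    partial = TrackedFile(bytes_seen=150, complete=False)   # e.g. stream.depth reached
    for arg in ("150;", "100<>200;", ">100;", "<200;"):
        print(f"filesize:{arg:<10} complete={filesize_matches(arg, whole)!s:<5} "
              f"partial={filesize_matches(arg, partial)}")
```

The practical consequence for rule writers: if you care about files that may be truncated by stream.depth or loss, express the condition as a lower bound where you can, because an exact, range or upper-bound condition silently stops matching once tracking is incomplete.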