Suricata File Engine: Detect pdf and exe downloads...

PacketInspector
This plugin takes advantage of the file engine inside Suricata. It will create a SIEM event when it sees a PDF or Windows exe file downloaded. Most of the time it will include the MD5 so you can look it up.

Notes:
  • You will need to modify /etc/suricata/suricata.yaml.  The config is included in the plugin cfg file
  • Updates will likely overwrite your changes to the yaml config
  • The log file for this plugin: /var/log/suricata/files-json.log can get HUGE on a large network. Be sure it is in logrotate.
  • Be sure the plugin id I use does not interfere with one you already have
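To illustrate what a SIEM plugin has to do with the log named above, here is an added example (not the plugin's own code) that reads constructed lines in the shape of Suricata's legacy files-json.log output, keeps only PDF and PE executables, and carries the MD5 through only when Suricata logged one (i.e. when it saw the whole file). The field names (magic, filename, state, md5, http_host, http_uri, srcip, dstip, size) are assumed from that output format; the values are made up.

```python
import json
import re

# Constructed sample lines in the shape of Suricata's legacy file-log JSON
# output (files-json.log). The third line is a PNG and should be ignored;
# the PDF was truncated, so Suricata did not compute an MD5 for it.
SAMPLE_LOG = """\
{"timestamp": "2013-05-01T10:00:01.000000", "ipver": 4, "srcip": "203.0.113.5", "dstip": "192.0.2.10", "protocol": 6, "sp": 80, "dp": 49152, "http_uri": "/downloads/setup.exe", "http_host": "files.example.com", "filename": "/downloads/setup.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": false, "size": 73802}
{"timestamp": "2013-05-01T10:00:02.000000", "ipver": 4, "srcip": "203.0.113.5", "dstip": "192.0.2.10", "protocol": 6, "sp": 80, "dp": 49153, "http_uri": "/invoice.pdf", "http_host": "files.example.com", "filename": "/invoice.pdf", "magic": "PDF document, version 1.4", "state": "TRUNCATED", "stored": false, "size": 4096}
{"timestamp": "2013-05-01T10:00:03.000000", "ipver": 4, "srcip": "203.0.113.5", "dstip": "192.0.2.10", "protocol": 6, "sp": 80, "dp": 49154, "http_uri": "/logo.png", "http_host": "files.example.com", "filename": "/logo.png", "magic": "PNG image data, 120 x 40, 8-bit/color RGBA", "state": "CLOSED", "md5": "9e107d9d372bb6826bd81d3542a419d6", "stored": false, "size": 2048}
"""

# File types we want events for: libmagic description prefix first,
# filename extension as a fallback when magic is empty or unknown.
FILE_TYPES = {
    "exe": (re.compile(r"^(PE32|MS-DOS executable)"), (".exe",)),
    "pdf": (re.compile(r"^PDF document"), (".pdf",)),
}


def classify(rec):
    """Return 'exe', 'pdf' or None for one decoded file-log record."""
    magic = rec.get("magic") or ""
    name = (rec.get("filename") or "").lower()
    for ftype, (pattern, exts) in FILE_TYPES.items():
        if pattern.match(magic) or name.endswith(exts):
            return ftype
    return None


def parse_events(log_text):
    """Turn files-json.log text into a list of SIEM-style event dicts."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip a partial line, e.g. one cut by logrotate
        ftype = classify(rec)
        if ftype is None:
            continue
        events.append({
            "type": ftype,
            "srcip": rec.get("srcip"), "dstip": rec.get("dstip"),
            "host": rec.get("http_host"), "uri": rec.get("http_uri"),
            # md5 is only present when Suricata saw the complete file
            "md5": rec.get("md5"),
            "size": rec.get("size"),
        })
    return events
```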
