
Suricata File Engine: Detect pdf and exe downloads...

Intergalactic Commander
This plugin takes advantage of the file engine inside Suricata. It will create a SIEM event when it sees a PDF or Windows EXE file downloaded. Most of the time it will include the MD5 so you can look it up.

  • You will need to modify /etc/suricata/suricata.yaml. The config is included in the plugin cfg file.
  • Updates will likely overwrite your changes to the yaml config.
  • The log file for this plugin, /var/log/suricata/files-json.log, can get HUGE on a large network. Be sure it is in logrotate.
  • Be sure the plugin id I use does not interfere with one you already have.
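As an added illustration of what a plugin built on this log has to deal with (this is example code, not the poster's plugin and not part of any Suricata or OSSIM distribution), the following Python reads lines in the shape of Suricata's JSON file-log output, keeps only PDF and Windows executable downloads, and turns them into flat SIEM-style events. The field names (`timestamp`, `srcip`, `dstip`, `filename`, `magic`, `state`, `md5`, `size`, `http_host`) are assumed from the file-log format, the sample lines are constructed, and the `plugin_sid` values are hypothetical. It also handles the two cases the post hints at: an entry with no `md5` (the hash is not always present) and a non-JSON line, which a rotated or partially written log can contain.

```python
import json
import re
from typing import Iterator, List, Optional

# Constructed sample lines in the shape of Suricata's files-json.log output.
# Field names are assumed from the file-log format; all values are invented.
SAMPLE_LOG = """\
{"timestamp": "2013-05-02T10:15:01.123456", "ipver": 4, "srcip": "192.0.2.25", "dstip": "203.0.113.10", "protocol": 6, "sp": 80, "dp": 51234, "http_uri": "/downloads/report.pdf", "http_host": "files.example.net", "filename": "/downloads/report.pdf", "magic": "PDF document, version 1.4", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": false, "size": 48213}
{"timestamp": "2013-05-02T10:16:44.000001", "ipver": 4, "srcip": "192.0.2.26", "dstip": "203.0.113.10", "protocol": 6, "sp": 80, "dp": 51240, "http_uri": "/setup.exe", "http_host": "dl.example.org", "filename": "/setup.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "TRUNCATED", "stored": false, "size": 1024000}
{"timestamp": "2013-05-02T10:17:02.000001", "ipver": 4, "srcip": "192.0.2.26", "dstip": "203.0.113.11", "protocol": 6, "sp": 80, "dp": 51250, "http_uri": "/logo.png", "http_host": "www.example.org", "filename": "/logo.png", "magic": "PNG image data, 300 x 120, 8-bit/color RGBA", "state": "CLOSED", "md5": "9e107d9d372bb6826bd81d3542a419d6", "stored": false, "size": 8192}
this line is not JSON and must be skipped
"""

# Hypothetical plugin sids for the two event types the post describes.
SID_PDF_DOWNLOAD = 1
SID_EXE_DOWNLOAD = 2

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_file_log(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; skip blank or garbled lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial line from rotation or a write in progress
        if isinstance(entry, dict):
            yield entry


def classify(entry: dict) -> Optional[str]:
    """Return 'pdf', 'exe' or None.

    The libmagic description is preferred because it reflects content, not
    the name the server chose; the extension is only a fallback.
    """
    magic = (entry.get("magic") or "").lower()
    name = (entry.get("filename") or entry.get("http_uri") or "").lower()
    if magic.startswith("pdf document") or name.endswith(".pdf"):
        return "pdf"
    if magic.startswith(("pe32", "ms-dos executable")) or name.endswith(".exe"):
        return "exe"
    return None


def clean_md5(value) -> Optional[str]:
    """Return a lowercase 32-hex MD5, or None when absent or malformed."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    return value if MD5_RE.match(value) else None


def build_events(text: str) -> List[dict]:
    """Turn matching file-log entries into flat SIEM-style event dicts."""
    events = []
    for entry in parse_file_log(text):
        kind = classify(entry)
        if kind is None:
            continue
        events.append({
            "plugin_sid": SID_PDF_DOWNLOAD if kind == "pdf" else SID_EXE_DOWNLOAD,
            "date": entry.get("timestamp"),
            "src_ip": entry.get("srcip"),
            "dst_ip": entry.get("dstip"),
            "filename": entry.get("filename"),
            "md5": clean_md5(entry.get("md5")),   # None when Suricata logged no hash
            "size": entry.get("size"),
            "state": entry.get("state"),          # e.g. CLOSED vs TRUNCATED
            "userdata1": entry.get("http_host"),
        })
    return events


if __name__ == "__main__":
    for ev in build_events(SAMPLE_LOG):
        print(ev)
```

Point `build_events` at the contents of /var/log/suricata/files-json.log to use it on a real capture. Keeping `state` in the event matters: a TRUNCATED file usually has no MD5 to look up, so the event is still worth raising but should not be treated as a hash match.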

