
Virus Total Scanner

Robbie Corley edited this page Jan 1, 2017 · 11 revisions

With the newly added Virus Total file extraction scanner, you can scan extracted .exe, .zip and .php files to check whether any malicious files were downloaded on your LAN.

Video Demo: https://youtu.be/0Q8B9atBaFs

How it works

While Suricata pulls in packets, it simultaneously looks for files carried inside those packets and extracts them for you. The extracted files are placed in /var/log/suricata/files/

This MUST be configured in suricata.yaml before using the new Virus Total scan feature. Here's how to enable it:

sudo nano /opt/suricata/etc/suricata/suricata.yaml

Find this section in the config:

  file-store:
    enabled: yes # set to yes to enable
    log-dir: files # directory to store the files
    force-magic: no # force logging magic on all stored files
    force-md5: no # force logging of md5 checksums
    force-filestore: yes # force storing of all files
    #waldo: file.waldo # waldo file to store the file_id across runs

Make yours look like mine.

Last, add the rule itself to Suricata's rules folder:

sudo nano /opt/suricata/etc/suricata/rules/files.rules
alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

Save the newly created rule and that's it! Run BriarIDS to try out the new feature.
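To show what the scanning step does with the files Suricata drops into log-dir, here is an added Python example; it is not BriarIDS' own scanner and not code from this page. It assumes the file-store v1 layout where each extracted file is saved as file.<id> next to a file.<id>.meta of "KEY: value" lines (field names such as FILENAME, SRC IP and HTTP HOST are an assumption), the VirusTotal API v2 hash-report endpoint (which only looks up a hash and never uploads the file), a placeholder API key, and constructed sample payloads so it runs offline. The fetch function is injected so the demo uses a fake VirusTotal; swap in vt_fetch, a real key and SURICATA_FILES_DIR for live use.

```python
"""Hash files Suricata extracted under log-dir and look the hashes up on VirusTotal.

Hypothetical helper (not BriarIDS' code). Assumes the file-store v1 layout: each
extracted file is file.<id> with a companion file.<id>.meta of 'KEY: value' lines.
"""
import hashlib
import json
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List

SURICATA_FILES_DIR = "/var/log/suricata/files"  # matches log-dir: files in suricata.yaml
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # VT API v2 hash report
SCAN_EXTENSIONS = {".exe", ".zip", ".php"}  # the file types the page says get scanned

# Constructed sample payloads and metadata used by demo() so the block runs offline.
SAMPLE_EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample, not a real binary"
SAMPLE_EXE_META = (
    "TIME:              01/01/2017-12:00:00.000000\n"
    "SRC IP:            203.0.113.10\n"
    "DST IP:            192.168.1.20\n"
    "HTTP HOST:         downloads.example.test\n"
    "FILENAME:          update.exe\n"
    "MAGIC:             PE32 executable\n"
    "STATE:             CLOSED\n"
)
SAMPLE_HTML_META = "SRC IP:            203.0.113.10\nFILENAME:          index.html\nSTATE:             CLOSED\n"


def parse_meta(meta_text: str) -> Dict[str, str]:
    """Turn the 'KEY:   value' lines of a .meta file into a dict (keys kept as written)."""
    fields: Dict[str, str] = {}
    for line in meta_text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wants_scan(filename: str) -> bool:
    """Only the extensions the page lists are sent for a hash lookup."""
    return Path(filename).suffix.lower() in SCAN_EXTENSIONS


def lookup_hash(sha256: str, apikey: str, fetch: Callable[[str, Dict[str, str]], dict]) -> dict:
    """Ask VirusTotal for the report of a hash we already have; nothing is uploaded.

    In the v2 report, response_code 1 means the hash is known, 0 means never seen."""
    resp = fetch(VT_REPORT_URL, {"apikey": apikey, "resource": sha256})
    known = resp.get("response_code") == 1
    return {
        "sha256": sha256,
        "known": known,
        "positives": int(resp.get("positives", 0)) if known else 0,
        "total": int(resp.get("total", 0)) if known else 0,
    }


def vt_fetch(url: str, params: Dict[str, str]) -> dict:
    """Real HTTP fetcher for lookup_hash (GET with URL-encoded params, JSON reply)."""
    with urllib.request.urlopen(url + "?" + urllib.parse.urlencode(params), timeout=30) as r:
        return json.load(r)


def scan_directory(files_dir: str, apikey: str, fetch) -> List[dict]:
    """Walk log-dir, hash each extracted .exe/.zip/.php and attach the VT verdict."""
    results = []
    for meta_path in sorted(Path(files_dir).glob("file.*.meta")):
        data_path = meta_path.with_suffix("")  # file.7.meta -> file.7
        if not data_path.is_file():
            continue
        meta = parse_meta(meta_path.read_text())
        filename = meta.get("FILENAME", data_path.name)
        if not wants_scan(filename):
            continue
        verdict = lookup_hash(sha256_hex(data_path.read_bytes()), apikey, fetch)
        verdict.update({"filename": filename, "src_ip": meta.get("SRC IP", ""),
                        "dst_ip": meta.get("DST IP", ""), "http_host": meta.get("HTTP HOST", "")})
        results.append(verdict)
    return results


def fake_fetch(url: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for VirusTotal: flags only the constructed sample's hash."""
    if params["resource"] == sha256_hex(SAMPLE_EXE_BYTES):
        return {"response_code": 1, "positives": 7, "total": 60}
    return {"response_code": 0}


def demo() -> List[dict]:
    """Build a throwaway log-dir with one .exe and one .html extraction and scan it."""
    d = Path(tempfile.mkdtemp())
    (d / "file.1").write_bytes(SAMPLE_EXE_BYTES)
    (d / "file.1.meta").write_text(SAMPLE_EXE_META)
    (d / "file.2").write_bytes(b"<html></html>")
    (d / "file.2.meta").write_text(SAMPLE_HTML_META)
    return scan_directory(str(d), "YOUR_VT_API_KEY", fake_fetch)


if __name__ == "__main__":
    for r in demo():  # use SURICATA_FILES_DIR, a real key and vt_fetch for live scanning
        print(f"{r['filename']} from {r['http_host']} -> {r['positives']}/{r['total']} engines flagged")
```

Because only the SHA-256 leaves the box, nothing sensitive from the captured download is sent anywhere; the source and destination addresses from the .meta file are kept alongside the verdict so a hit can be traced back to the host on the LAN that pulled the file.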
