7. File reconstruction capability

Some files on the GCap are reconstructed based on protocols (HTTP and SMTP). This can be selected on the GCenter.

The generation of some automatic rules does not work on GCenter 2.5.3.100 with version 2.5.3.104 of GCap. This is due to a version compatibility issue between the two devices. The issue will be fixed in version 2.5.3.105 of GCap.

To work around this, the appropriate rules for the protocols must be created manually and added to the probe. One file reconstruction rule per extension is required.

The list of supported protocols is the following:

  • HTTP

  • SMTP

  • FTP

  • SMB

The administrator can add a local rule from the Adv Config menu.

For the FTP and SMB protocols, the rule syntax is the following (the ftpdata_command keyword only applies to ftp-data rules and has been removed from the SMB rule, where it would prevent the rule from loading):

alert ftp-data any any -> any any (msg:"[ Message regle FTP ] FTP filestore all"; filestore; ftpdata_command:retr; sid:13371340; rev:1;)

alert smb any any -> any any (msg:"[ Message regle SMB ] SMB filestore all"; filestore; sid:13371341; rev:1;)

Note

In the FTP rule, the protocol keyword ftp-data must be used (not ftp): the file transfer takes place on the FTP data channel, so a rule on the ftp control channel would never store the file.
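The section above asks for one file reconstruction rule per extension and warns about the ftp-data keyword. The following script is an added example, not GCap or GCenter code: it generates Suricata-style filestore rules per protocol and extension with consecutive sids, and checks each generated or hand-written rule against the two mistakes the note describes. It assumes the probe accepts Suricata rule syntax, that the Suricata fileext keyword is available to restrict a rule to one extension, and that the sid range starting at 13371300 is free on the probe (a constructed value).

```python
"""Generate one filestore rule per (protocol, extension) and sanity-check rules.

Added example, not GCap/GCenter code. Assumptions: the probe accepts Suricata
rule syntax, the `fileext` keyword exists to match the file extension, and the
constructed sid range starting at 13371300 is unused on the probe.
"""

# Protocol keyword -> extra options that protocol needs in a filestore rule.
# FTP transfers happen on the ftp-data channel, so the keyword is ftp-data
# (never ftp) and the transfer is identified by the RETR command.
PROTOCOL_EXTRA_OPTIONS = {
    "http": "",
    "smtp": "",
    "ftp-data": "ftpdata_command:retr; ",
    "smb": "",
}


def build_rule(protocol, ext, sid):
    """Return a single filestore rule for one protocol and one extension."""
    if protocol not in PROTOCOL_EXTRA_OPTIONS:
        raise ValueError(f"unsupported protocol keyword: {protocol}")
    extra = PROTOCOL_EXTRA_OPTIONS[protocol]
    return (
        f'alert {protocol} any any -> any any '
        f'(msg:"[ {protocol.upper()} ] filestore {ext}"; '
        f'fileext:"{ext}"; filestore; {extra}sid:{sid}; rev:1;)'
    )


def generate_rules(protocols, extensions, first_sid=13371300):
    """One rule per (protocol, extension), sids allocated consecutively."""
    rules = []
    sid = first_sid
    for proto in protocols:
        for ext in extensions:
            rules.append(build_rule(proto, ext, sid))
            sid += 1
    return rules


def check_rule(rule):
    """Reject the two errors the documentation note warns about.

    - an FTP filestore rule written on 'ftp' instead of 'ftp-data'
    - ftpdata_command used on a protocol other than ftp-data
    """
    proto = rule.split()[1]
    if proto == "ftp":
        return False
    if "ftpdata_command" in rule and proto != "ftp-data":
        return False
    return True


if __name__ == "__main__":
    # Constructed extension list for illustration only.
    for r in generate_rules(["http", "smtp", "ftp-data", "smb"], ["pdf", "docx", "exe"]):
        print(("OK   " if check_rule(r) else "BAD  ") + r)
```

Feed the generated lines into the probe's local rule file; if a rule reports BAD, fix the protocol keyword before loading, since a rule with an invalid keyword combination is rejected rather than silently ignored.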