I had this idea, that if tcpxtract can carve out files from your network traffic, it might be combined with ClamAV (clamscan) to check the files for viruses. This is probably done before, and all web-proxy servers that scans the web content does this in some way.
But my thought was to combine this with Sguil, so that the result would be reported to the F8 monkeys in a form such as:
$SRC_IP:$SRC_PORT -> $DST_IP:$DST_PORT : $FILE_TYPE, $VIRUS_TYPE
Clicking on the “Alert ID” will give one a transcript of the session, as usually or something…
tcpxtract has an output like this:
Found file of type “jpg” in session [22.214.171.124:20480 -> 126.96.36.199:29620], exporting to /tmp/tcpxtract/spool/00000048.jpg
In my PoC I then mv the files over to a check dir, and clamscan gives output like this:
# clamscan –no-summary /tmp/tcpxtract/check/
/tmp/tcpxtract/check/00000048.jpg: Eicar-Test-Signature FOUND
My plan was to correlate info from the two logfiles from clamscan and tcpxtract and then gather it in a 3rd logfile for a sguil_agent to pick up, and send to sguil.
My Prof of Concept (PoC) stops here, as tcpxtract does not run for very long on my Ubuntu Hardy test server, before it segfaults on my ass I found two patches for tcpxtract, but I have not had time and strength (I’m rather sick at the moment) to check them out.
The story might continue…