r1 - 17 Oct 2008 - 15:11:43 - MattJonkman

Exe Capture in Stream

From John Ives: The ability to pull files out of the stream in real time, e.g. if a user attempts to download a file named codec.exe, pull a copy of that file from the TCP stream and send it to an AV/sandbox. If used with a sandbox it would mean that, in essence, each client on the network would become a sort of honeyclient, identifying malware during normal activity. (Of course this is of particular interest to me since I am slowly building scripts to do something similar - though not in real time - using our existing IDS infrastructure and some of my own rules.)


There are tools and even a preprocessor for Snort that can do this to some degree. It's relatively high load, but in an environment where these things could be threaded I think it's more feasible. It'd certainly not be real-time once an entire stream were captured, the exe extracted and assembled. But this is definitely valuable when resources permit. Possibly have a load threshold where this step is skipped when the sensor is in trouble?

Conversely, possibly have an MD5 check against a blacklist/whitelist. If it matches either it does not go for further examination.

-- MattJonkman - 17 Oct 2008
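The pipeline sketched above (reassemble the stream, carve the executable, hash it, consult a blacklist/whitelist, hand unknowns to a sandbox, and skip the whole step when the sensor is overloaded) as an added Python example. This is not Emerging Threats code and not a Snort preprocessor; it assumes the file arrives as the body of an HTTP response (with Content-Length and a Content-Disposition filename), uses a constructed PE-shaped byte string rather than a real binary, and takes the sensor load as a plain number supplied by the caller. The `triage_stream` function and its action names are this example's own.

```python
import hashlib
import re
import struct


# Constructed sample data (not a real binary): a minimal PE-shaped body whose
# DOS header has e_lfanew pointing at a "PE\0\0" signature at offset 0x40.
def build_fake_pe():
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)          # 0x3C bytes up to e_lfanew
    dos += struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    nt = b"PE\x00\x00" + struct.pack("<H", 0x014C)   # signature + Machine (i386)
    return bytes(dos) + nt + b"\x00" * 26


# Constructed HTTP response wrapping the body, as a reassembled server->client stream.
def build_http_response(body, filename="codec.exe"):
    hdr = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: application/octet-stream\r\n"
           b"Content-Disposition: attachment; filename=\"" + filename.encode() + b"\"\r\n"
           b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return hdr + body


def parse_http_response(stream):
    """Split a reassembled stream into (headers, body, complete).
    complete is False when fewer than Content-Length body bytes have arrived."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return {}, b"", False
    head, rest = stream[:sep], stream[sep + 4:]
    headers = {}
    for line in head.split(b"\r\n")[1:]:         # skip the status line
        if b":" in line:
            k, v = line.split(b":", 1)
            headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    length = int(headers.get("content-length", len(rest)))
    return headers, rest[:length], len(rest) >= length


def looks_like_pe(data):
    """Require the MZ stub and 'PE\\0\\0' at e_lfanew, not just a leading 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def filename_from_headers(headers):
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def triage_stream(stream, blacklist, whitelist, sensor_load, load_threshold=0.8):
    """Decide what to do with one reassembled stream.
    Actions: skipped-load (sensor over threshold, carve skipped), incomplete,
    not-exe, alert (blacklist hit), ignore (whitelist hit), sandbox (unknown)."""
    if sensor_load >= load_threshold:            # the load threshold idea above
        return {"action": "skipped-load"}
    headers, body, complete = parse_http_response(stream)
    if not complete:
        return {"action": "incomplete"}
    if not looks_like_pe(body):
        return {"action": "not-exe"}
    digest = hashlib.md5(body).hexdigest()       # MD5 as the page suggests
    result = {"filename": filename_from_headers(headers), "md5": digest, "size": len(body)}
    if digest in blacklist:
        result["action"] = "alert"               # known bad: alert, no sandbox needed
    elif digest in whitelist:
        result["action"] = "ignore"              # known good: drop it
    else:
        result["action"] = "sandbox"             # unknown: hand the carved file over
    return result


if __name__ == "__main__":
    sample = build_http_response(build_fake_pe())
    print(triage_stream(sample, blacklist=set(), whitelist=set(), sensor_load=0.3))
```

The hash lookup is the cheap pre-filter: only files that match neither list cost a sandbox run. On a real sensor the load value would come from the capture engine (drop counters or queue depth), and a stronger hash such as SHA-256 would usually be kept alongside MD5 so lists from different sources can be matched.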

Emerging Threats