Extract filename from HTTP attachment transfers #1970
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please extract the filename from an HTTP attachment file transfer.
An example of this can be found in the ndpi pcap test file exe_download.pcap, in the source tarball 4.4-stable.zip\nDPI-4.4-stable\tests\pcap\exe_download.pcap
Here is a follow tcp stream screen show show the data needed.
The line "Content-Disposition: attachment; filename="phn34ycjtghm.exe"
The filename "phn34ycjtghm.exe" is what is wanted.
In this case use of the URL alone doesn't provide enough context to know what is really happening in this flow
The addition of the filename will better identify suspicious/malicious transfers. Below is an example of a download of a malicious DLL.
The flow risk in both these cases would show that an executable was located in the transfer, but the inclusion of the filename that has the extension .DLL makes the file transfer in the second screenshot much more suspicious and would be more helpful to an analyst.
The text was updated successfully, but these errors were encountered: