Project

General

Profile

Actions
Copy link

Feature #1100

closed

keyword: file_ext keyword

Added by Victor Julien about 10 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Like fileext, match on file extensions, but act like file_data.

file_ext; content:"exe"; nocase;

Complication is that fileext really just looks at the file name, and checks if the last bytes of it are what the fileext keyword contains, preceded by a dot. Might not be as easy to convert.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #1099: keyword: file_name keywordClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
Actions
Copy link
 #2

Updated by Victor Julien almost 6 years ago

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to medium
Actions
Copy link
 #3

Updated by Victor Julien almost 6 years ago

Actions
Copy link
 #4

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions
Copy link
 #5

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (TBD)
  • Effort deleted (medium)
  • Difficulty deleted (medium)

This won't be added. #1099 added 'file.name'. Combine this with 'endswith' to get the same effect. E.g.

file.name; content:".exe"; endswith;

Actions
Copy link

Also available in: Atom PDF