Project

General

Profile

Actions
Copy link

Feature #1100

closed
VJ

keyword: file_ext keyword

Feature #1100: keyword: file_ext keyword

Added by Victor Julien about 12 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Like fileext, match on file extensions, but act like file_data.

file_ext; content:"exe"; nocase;

Complication is that fileext really just looks at the file name, and checks if the last bytes of it are what the fileext keyword contains, preceded by a dot. Might not be as easy to convert.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #1099: keyword: file_name keywordClosedVictor JulienActions

AH Updated by Andreas Herz over 10 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #2

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to medium

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
 #3

AH Updated by Andreas Herz about 7 years ago Actions
Copy link
 #4

  • Assignee set to Community Ticket

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #5

  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (TBD)
  • Effort deleted (medium)
  • Difficulty deleted (medium)

This won't be added. #1099 added 'file.name'. Combine this with 'endswith' to get the same effect. E.g.

file.name; content:".exe"; endswith;

Actions
Copy link

Also available in: PDF Atom