Feature #1100

closed

keyword: file_ext keyword

Added by Victor Julien almost 11 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Effort:
Difficulty:
Label:

Description

Like fileext, match on file extensions, but act like file_data.

file_ext; content:"exe"; nocase;

Complication is that fileext really just looks at the file name, and checks if the last bytes of it are what the fileext keyword contains, preceded by a dot. Might not be as easy to convert.


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Feature #1099: keyword: file_name keyword (Closed, Victor Julien)

#1

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev

#2

Updated by Victor Julien over 6 years ago

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to medium

#3

Updated by Victor Julien over 6 years ago

#4

Updated by Andreas Herz almost 6 years ago

  • Assignee set to Community Ticket

#5

Updated by Victor Julien over 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (TBD)
  • Effort deleted (medium)
  • Difficulty deleted (medium)

This won't be added. #1099 added 'file.name'. Combine this with 'endswith' to get the same effect. E.g.

file.name; content:".exe"; endswith;
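
The two approaches discussed in this ticket, modelled in Python over constructed file names so the verdicts can be compared when migrating rules. This is an added example, not Suricata source code or part of the ticket; the helper names are hypothetical, and treating fileext as case-insensitive is an assumption the ticket does not state.

```python
# Added illustration: a model of the two matching approaches in this ticket.
# Helper names are hypothetical; this is not Suricata source code.

def fileext_match(filename: bytes, ext: bytes) -> bool:
    """fileext as the ticket describes it: the last bytes of the file name
    equal the keyword value, preceded by a dot.
    Assumption (not stated in the ticket): the comparison ignores case."""
    if not ext or len(filename) <= len(ext):
        return False  # no room for a dot in front of the extension
    tail = filename[-len(ext):]
    dot = filename[-len(ext) - 1:-len(ext)]
    return dot == b"." and tail.lower() == ext.lower()


def file_name_endswith(filename: bytes, content: bytes, nocase: bool = False) -> bool:
    """Model of `file.name; content:"..."; endswith;`: the content must sit
    at the very end of the file name buffer; nocase folds case first."""
    if nocase:
        return filename.lower().endswith(content.lower())
    return filename.endswith(content)


# Constructed sample file names covering the edge cases.
SAMPLES = [
    b"setup.exe",      # plain match
    b"SETUP.EXE",      # upper-case name
    b"setup.exe.txt",  # extension is not at the end
    b"notexe",         # ends in "exe" but has no dot
    b"exe",            # name is only the extension
    b".exe",           # dot plus extension and nothing else
    b"report.pdf",     # unrelated extension
]


def disagreements(ext: bytes, nocase: bool) -> list:
    """File names on which the two models give different verdicts."""
    return [
        name for name in SAMPLES
        if fileext_match(name, ext) != file_name_endswith(name, b"." + ext, nocase)
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"nocase={flag}: disagreements={disagreements(b'exe', flag)}")
```

Under that assumption the models agree on every sample once `nocase` is applied to the content; without it, only the upper-case name differs.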
