Project

General

Profile

Actions
Copy link

Bug #1288

closed

Filestore keyword in wrong place will cause entire rule not to trigger

Added by Antti Tönkyrä over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
2.1beta2
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using filestore keyword I noticed some alerts never triggering even though they should have. After some debugging and investigating I observed the following:

alert http any any -> any any (msg:"parser1"; content:"testnfs"; filestore:both,flow; sid:9;)
alert http any any -> any any (msg:"parser2"; content:"testnfs"; sid:10; filestore:both,flow;)

SID 9 will trigger an alert but SID 10 will not trigger an alert. Changing the order in the rule file will not alter the result either.

Observed on git head (04afcf2717d1d6814a8ac39b5489ef3ce8ff2f0d).

Actions
Copy link
 #1

Updated by Victor Julien over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 2.1beta2
Actions
Copy link
 #2

Updated by Victor Julien over 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF