Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1288

closed

Filestore keyword in wrong place will cause entire rule not to trigger

Added by Antti Tönkyrä about 10 years ago. Updated about 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

2.1beta2

Affected Versions:

Effort:

Difficulty:

Label:

Description

When using filestore keyword I noticed some alerts never triggering even though they should have. After some debugging and investigating I observed the following:

alert http any any -> any any (msg:"parser1"; content:"testnfs"; filestore:both,flow; sid:9;)
alert http any any -> any any (msg:"parser2"; content:"testnfs"; sid:10; filestore:both,flow;)

SID 9 will trigger an alert but SID 10 will not trigger an alert. Changing the order in the rule file will not alter the result either.

Observed on git head (04afcf2717d1d6814a8ac39b5489ef3ce8ff2f0d).

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1288

Filestore keyword in wrong place will cause entire rule not to trigger

Updated by Victor Julien about 10 years ago

Updated by Victor Julien about 10 years ago