Feature #1468
closed
File extension : fileext rule protocol support
Description
Hello Team,
We use a combination of Squid + Suricata version 2.0.7 inline [nfqueue].
With an IPS rule we achieve a perfect block of file downloads for all kinds of supported extensions.
E.g.:
drop ip any any <> 27.12.12.14 any (msg:"TCP_DENIED File Extension exe under Banned_Patterns for VPN-user2 "; fileext:"exe"; sid:83879519;rev:1;)
The newer, latest beta version supports only the HTTP type of rule, and due to this we are not able to achieve blocking of file downloads.
drop http any any <> 27.12.12.14 any (msg:"TCP_DENIED File Extension exe under Banned_Patterns for VPN-user2 "; fileext:"exe"; sid:83879519;rev:1;)
Error:
11/5/2015 -- 15:51:13 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
Kindly review it and add support for TCP, UDP & IP rules for fileext in version 2.1.
Updated by Peter Manev almost 9 years ago
Which rule exactly gives that err that you report?
File extraction in general is available only in http and smtp at the moment.
Updated by Andreas Herz over 7 years ago
- Tracker changed from Bug to Feature
- Assignee set to OISF Dev
- Target version set to TBD
The first rule triggers the error, since it won't work with 3.x to combine fileext and "ip".
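A pre-load check built on the two replies above (file extraction limited to http and smtp; fileext not combinable with "ip"), as an added example that is not part of the original thread and not Suricata's own code: it flags rules that pair a file keyword with any other protocol so they can be caught before the rule file is loaded. The protocol set, the keyword set beyond fileext, the function names and the third sample rule are assumptions of this example.

```python
import re

# Protocols the thread says support file extraction ("only in http and smtp at
# the moment"); assumption: adjust this set to the Suricata version you run.
FILE_PROTOS = {"http", "smtp"}
# fileext is the keyword from the thread; the others are related file keywords.
FILE_KEYWORDS = {"fileext", "filename", "filemagic", "filestore"}
RULE = re.compile(r"^\s*(\w+)\s+([\w-]+)\s+.*?\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = (ch == "\\") and not esc
        cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def check_rule(rule):
    """Return (sid, proto, file_keywords) when a file keyword is used with a
    protocol outside FILE_PROTOS, otherwise None."""
    m = RULE.match(rule)
    if not m:
        return None  # comment line or not a rule
    proto, sid, found = m.group(2).lower(), None, []
    for opt in split_options(m.group(3)):
        key, _, val = opt.partition(":")
        key = key.strip().lower()
        if key == "sid":
            sid = val.strip()
        elif key in FILE_KEYWORDS:
            found.append(key)
    return (sid, proto, found) if found and proto not in FILE_PROTOS else None

# The two rules quoted in the report, plus one constructed rule whose msg only
# mentions the keyword.
IP_RULE = 'drop ip any any <> 27.12.12.14 any (msg:"TCP_DENIED File Extension exe under Banned_Patterns for VPN-user2 "; fileext:"exe"; sid:83879519;rev:1;)'
HTTP_RULE = IP_RULE.replace("drop ip", "drop http", 1)
MSG_ONLY = r'alert tcp any any -> any any (msg:"fileext\; mentioned only in msg"; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for r in (IP_RULE, HTTP_RULE, MSG_ONLY):
        print(check_rule(r))
```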
Updated by Andreas Herz almost 6 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs