Bug #2042

closed

Different protocol in MD5 rule will restart Suricata automatically

Added by Samiux A about 7 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using TCP on the following rule, Suricata will restart itself automatically.

reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)

When using HTTP on the same rule, Suricata will not restart itself automatically.

reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)

Affected: Suricata <= 3.2.1
Expected: produce an error message
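As an added pre-load check that is not part of this report or of Suricata's own code: a small Python lint that parses the two rules above and flags file-inspection keywords (filemd5, filestore, fileext and similar) combined with a bare transport protocol such as tcp, so a rule like the first one is caught by a review step instead of being loaded. The keyword set and the list of "bare" protocols are assumptions chosen for this example.

```python
import re

# Copies of the two rules from the report (identical except for the protocol).
RULE_TCP = ('reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS '
            'Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; '
            'fileext:!"iso."; filestore; filemd5:cryptxxx_md5; '
            'classtype: suspicious-filename-detect; sid:1060335; rev:3;)')
RULE_HTTP = RULE_TCP.replace("reject tcp", "reject http", 1)

# File-inspection keywords that only act on files an app-layer parser has extracted.
FILE_KEYWORDS = {"filemd5", "filesha1", "filesha256", "filestore", "fileext",
                 "filename", "filemagic", "filesize"}
# Assumption for this lint: these protocols carry no file extraction of their own.
BARE_PROTOCOLS = {"tcp", "udp", "ip", "icmp"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def parse_rule(rule):
    """Return action, protocol and an option dict (bare keywords map to '')."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a valid rule header")
    options = {}
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(':')
        options[key.strip().lower()] = val.strip()
    return {"action": m.group(1), "proto": m.group(2).lower(), "options": options}

def lint_file_keywords(rule):
    """Return findings for file keywords used on a bare protocol; empty list means clean."""
    parsed = parse_rule(rule)
    used = sorted(k for k in parsed["options"] if k in FILE_KEYWORDS)
    if used and parsed["proto"] in BARE_PROTOCOLS:
        sid = parsed["options"].get("sid", "?")
        return [f"sid {sid}: file keywords {used} on bare protocol '{parsed['proto']}', review before loading"]
    return []
```

Run the lint over a rules file before restarting the sensor; the http variant passes while the tcp variant is reported.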
