Bug #2042
closed
Difference protocol of MD5 rule will restart Suricata automatically
Description
When using TCP on the following rule, Suricata will restart itself automatically.
reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
When using HTTP on the same rule, Suricata will not restart itself automatically.
reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
Affected: Suricata <= 3.2.1
Expected: produce an error message
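A pre-deployment check for the combination this report describes (a `tcp` rule that carries `filemd5`), as an added example that is not part of the original report or of Suricata's code. The function names are hypothetical, the option splitter is a simplification rather than Suricata's own rule parser, and the last two sample rules are constructed.

```python
import re

# Keywords from the rules quoted in the report; grouping them as "file
# keywords" is this example's assumption.
FILE_KEYWORDS = {"filemd5", "filestore", "fileext"}
# action, protocol, then everything between the outermost parentheses.
HEADER = re.compile(r"^\s*(\w+)\s+([\w-]+)\s+.*?\((.*)\)\s*$", re.S)
# One option: escaped pairs, quoted strings, or any char except ; " \
OPTION = re.compile(r'(?:\\.|"(?:\\.|[^"\\])*"|[^;"\\])+')

def split_options(body):
    """Split the option body on ';' that is neither quoted nor escaped."""
    return [o.strip() for o in OPTION.findall(body) if o.strip()]

def parse_rule(line):
    """Return protocol and options of one rule line, or None for non-rules."""
    m = HEADER.match(line)
    if not m:                      # comments and blank lines end up here
        return None
    opts = {}
    for opt in split_options(m.group(3)):
        key, _, val = opt.partition(":")
        opts[key.strip().lower()] = val.strip()
    return {"proto": m.group(2).lower(), "opts": opts}

def find_tcp_filemd5(lines):
    """List (sid, file keywords used) for tcp rules that carry filemd5."""
    hits = []
    for line in lines:
        rule = parse_rule(line)
        if rule and rule["proto"] == "tcp" and "filemd5" in rule["opts"]:
            used = sorted(FILE_KEYWORDS & rule["opts"].keys())
            hits.append((rule["opts"].get("sid"), used))
    return hits

# The two rules from the report, then two constructed lines that a plain
# text search for "tcp" and "filemd5" would wrongly flag.
SAMPLE = [
    'reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)',
    'reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)',
    r'alert tcp any any -> any any (msg:"constructed \; filemd5:x; text"; sid:9000001;)',
    '# reject tcp any any -> any any (filemd5:constructed_list; sid:9000002;)',
]

if __name__ == "__main__":
    for sid, used in find_tcp_filemd5(SAMPLE):
        print(f"sid {sid}: tcp rule with {', '.join(used)}")
```

Running it over a rules file before loading the file into an affected version lists the rules to review or move to an application-layer protocol such as `http`, which the report says did not trigger the restart.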