Project

General

Profile

Actions
Copy link

Feature #2213

closed
VJ OD

file matching: allow generic file matching / store

Feature #2213: file matching: allow generic file matching / store

Added by Victor Julien over 8 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Currently if you want to match on all protocols Suricata supports for file matching you need a rule for each protocol:

alert http .... filename:"blah";
alert smtp .... filename:"blah";
...

Perhaps 'alert tcp ... filename:"blah"' would be enough.
Or perhaps use 'alert file ... filename:"blah"' as a special protocol.

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #2249: rule with file keyword used with ip or tcp not seen as invalidRejectedOISF DevActions

AH Updated by Andreas Herz over 8 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev
  • Target version set to TBD

If we want to stay consistent I would prefer alert ip so it's similiar to normal rules.

EL Updated by Eric Leblond over 8 years ago Actions
Copy link
 #2

This feature is also a bug as there is no warning on a rule like:

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)

Which is a non working rule.

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #3

Please open a separate ticket for that.

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
 #4

  • Related to Bug #2249: rule with file keyword used with ip or tcp not seen as invalid added

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #5

  • Status changed from New to Closed

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;) is working now

Actions
Copy link

Also available in: PDF Atom