Project

General

Profile

Actions
Copy link

Feature #2213

closed

file matching: allow generic file matching / store

Added by Victor Julien over 6 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Currently if you want to match on all protocols Suricata supports for file matching you need a rule for each protocol:

alert http .... filename:"blah";
alert smtp .... filename:"blah";
...

Perhaps 'alert tcp ... filename:"blah"' would be enough.
Or perhaps use 'alert file ... filename:"blah"' as a special protocol.

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #2249: rule with file keyword used with ip or tcp not seen as invalidRejectedOISF DevActions
Actions
Copy link
 #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

If we want to stay consistent I would prefer alert ip so it's similiar to normal rules.

Actions
Copy link
 #2

Updated by Eric Leblond over 6 years ago

This feature is also a bug as there is no warning on a rule like:

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)

Which is a non working rule.

Actions
Copy link
 #3

Updated by Victor Julien over 6 years ago

Please open a separate ticket for that.

Actions
Copy link
 #4

Updated by Victor Julien over 4 years ago

  • Related to Bug #2249: rule with file keyword used with ip or tcp not seen as invalid added
Actions
Copy link
 #5

Updated by Philippe Antoine 6 months ago

  • Status changed from New to Closed

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;) is working now

Actions
Copy link

Also available in: Atom PDF