Project

General

Profile

Actions

Bug #2249

closed

rule with file keyword used with ip or tcp not seen as invalid

Added by Eric Leblond over 6 years ago. Updated 5 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
medium
Label:

Description

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)
alert tcp any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 2; rev: 1;)

But Suricata does not complain about it.


Related issues 1 (0 open1 closed)

Related to Suricata - Feature #2213: file matching: allow generic file matching / storeClosedOISF DevActions
Actions #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Andreas Herz over 4 years ago

  • Effort set to low
  • Difficulty set to medium
Actions #3

Updated by Victor Julien over 4 years ago

  • Related to Feature #2213: file matching: allow generic file matching / store added
Actions #4

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Rejected

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

They can match on whatever protocol use files, looks legit, right Eric ?

Actions

Also available in: Atom PDF