Actions
Bug #2249
closedrule with file keyword used with ip or tcp not seen as invalid
Affected Versions:
Effort:
low
Difficulty:
medium
Label:
Description
Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:
alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;) alert tcp any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 2; rev: 1;)
But Suricata does not complain about it.
Updated by Andreas Herz about 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Andreas Herz over 5 years ago
- Effort set to low
- Difficulty set to medium
Updated by Victor Julien about 5 years ago
- Related to Feature #2213: file matching: allow generic file matching / store added
Updated by Philippe Antoine about 1 year ago
- Status changed from New to Rejected
Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:
They can match on whatever protocol use files, looks legit, right Eric ?
Actions