Project

General

Profile

Actions
Copy link

Bug #2249

closed
EL OD

rule with file keyword used with ip or tcp not seen as invalid

Bug #2249: rule with file keyword used with ip or tcp not seen as invalid

Added by Eric Leblond over 8 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
low
Difficulty:
medium
Label:

Description

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)
alert tcp any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 2; rev: 1;)

But Suricata does not complain about it.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #2213: file matching: allow generic file matching / storeClosedOISF DevActions

AH Updated by Andreas Herz over 8 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev
  • Target version set to TBD

AH Updated by Andreas Herz almost 7 years ago Actions
Copy link
 #2

  • Effort set to low
  • Difficulty set to medium

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
 #3

  • Related to Feature #2213: file matching: allow generic file matching / store added

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #4

  • Status changed from New to Rejected

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

They can match on whatever protocol use files, looks legit, right Eric ?

Actions
Copy link

Also available in: PDF Atom