Bug #2483

closed

filemd5 rule blocks/alerts on files not in the list ..

Added by Mikael Keri about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have been trying to debug this issue for a while, but so far I have not been able to pinpoint the root cause, so maybe someone else is seeing this as well?

I have a rule that uses a blacklist (filemd5:blacklist.md5). This works flawlessly most of the time, but at times it starts to block/alert on files that are not in the blacklist.
One thing I could map it against is long runs (no reboots) with a lot of Suricata restarts (as that is the only known way to update the hash list used in the rule); the issue seems to resurface then, but that's just a guess.

Another thing that "seems" strange is that the eve log payload for the said alerts is not valid base64 (I log the payload in base64 format); other "proper" IDS alerts have a decodable payload.

So any thoughts about this issue?

https://redmine.openinfosecfoundation.org/issues/2015 that "glongo" has been working on would shed some more insight, as it also logs the checksum that Suricata believes it is seeing in the eve log, but it does not solve the underlying issue.

OS: Ubuntu 16.04
Suricata: 4.0.4
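The report describes two symptoms: filemd5 alerts on files whose hash is not in the list, and alert payloads that do not decode as base64. As an added example (not part of the original report and not Suricata project code), the script below triages an eve.json file offline for both: it parses a filemd5-style list, correlates alert and fileinfo records by flow_id, checks every alert's logged payload with a strict base64 decoder, and flags alerts whose file hash is absent from the list. The eve records, the blacklist contents and the signature id 9000001 are constructed for the example; the field names (event_type, flow_id, alert.signature_id, payload, fileinfo.md5) follow the eve layout, but the values are made up.

```python
import base64
import binascii
import hashlib
import json

# Constructed blacklist.md5 in the one-hex-digest-per-line layout that the
# filemd5 keyword reads. Digests are computed here (empty file and the byte
# "a") so the sample stays self-consistent; one is upper-cased on purpose,
# since hand-edited lists often mix case.
BLACKLIST_MD5 = "\n".join([
    hashlib.md5(b"").hexdigest(),
    hashlib.md5(b"a").hexdigest().upper(),
    "",
])

# Constructed eve.json records (not real Suricata output). Flow 1 is a clean
# hit: listed hash, decodable payload. Flow 2 reproduces both reported
# symptoms: hash not in the list and a payload that is not base64.
GOOD_PAYLOAD = base64.b64encode(b"GET /foo HTTP/1.1\r\n").decode()
EVE_LINES = [
    json.dumps({"event_type": "alert", "flow_id": 1,
                "alert": {"signature_id": 9000001}, "payload": GOOD_PAYLOAD}),
    json.dumps({"event_type": "alert", "flow_id": 2,
                "alert": {"signature_id": 9000001}, "payload": "not*valid=base64"}),
    json.dumps({"event_type": "fileinfo", "flow_id": 1,
                "fileinfo": {"filename": "/foo", "md5": hashlib.md5(b"").hexdigest()}}),
    json.dumps({"event_type": "fileinfo", "flow_id": 2,
                "fileinfo": {"filename": "/bar", "md5": hashlib.md5(b"abc").hexdigest()}}),
]


def load_blacklist(text):
    """Parse a filemd5 list: one hex digest per line, blank lines skipped.
    Digests are lower-cased so case differences in a hand-edited list do
    not produce spurious 'not in list' findings here."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if not h:
            continue
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not an MD5 hex digest: {line!r}")
        hashes.add(h)
    return hashes


def payload_is_valid_base64(s):
    """Strict check: only the base64 alphabet and correct padding are accepted,
    which is what a reader of an eve 'payload' field has to rely on."""
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(eve_lines, blacklist):
    """Correlate alert and fileinfo records by flow_id and record, per alert,
    whether the file hash is in the list and whether the payload decodes."""
    alerts, files = {}, {}
    for line in eve_lines:
        rec = json.loads(line)
        fid = rec.get("flow_id")
        if rec.get("event_type") == "alert":
            alerts[fid] = rec
        elif rec.get("event_type") == "fileinfo":
            files[fid] = rec["fileinfo"]
    findings = []
    for fid, rec in alerts.items():
        md5 = files.get(fid, {}).get("md5", "").lower()
        findings.append({
            "flow_id": fid,
            "sid": rec["alert"]["signature_id"],
            "md5": md5 or None,
            # An alert with no fileinfo md5 at all is also flagged below:
            # a filemd5 match without a logged hash cannot be verified.
            "in_blacklist": md5 in blacklist,
            "payload_b64_ok": payload_is_valid_base64(rec.get("payload", "")),
        })
    return findings


def unexpected(findings):
    """Alerts that should not have fired (hash not in the list) or whose
    logged payload is itself corrupt."""
    return [f for f in findings if not f["in_blacklist"] or not f["payload_b64_ok"]]


if __name__ == "__main__":
    for f in unexpected(triage(EVE_LINES, load_blacklist(BLACKLIST_MD5))):
        print(f)
```

On a real sensor, replace EVE_LINES with the lines of eve.json and BLACKLIST_MD5 with the list the rule points at; the correlation only works when the fileinfo output has md5 hashing enabled, otherwise every alert is reported as unverifiable. Recomputing the hash of the file from file-store with hashlib.md5 and comparing it with the fileinfo md5 is the quickest way to separate "wrong list" from "wrong hash computed by Suricata".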
