Project

General

Profile

Bug #2500

stored will always equal false in fileinfo events

Added by Elazar Broad 12 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

'stored' will always evaluate to false in fileinfo events (when force file store of all files is off) due to the fact that we close the file before evaluating whether to store it (or not). Around line 117 in output-file.c, we check to see if the file's state is greater that opened(likely closed), and if so, we run the file loggers. The issue is that the store/no store evaluation happens after this process, resulting in the flags passed to the logger having no FILE_STORE/FILE_NOSTORE bits set. A possible fix is to add an additional condition to that if statement checking for the existence of either of those flags.

History

#2

Updated by Andreas Herz 12 months ago

  • Assignee set to Elazar Broad
  • Target version set to TBD
#4

Updated by Andrea Di Pasquale 2 months ago

I can confirm this bug, in fact, checking ff->state > FILE_STATE_OPENED (src/output-file.c, OutputFileLogFfc()) is not sufficient condition for triggering file information logging when signature's filestore keyword is in, because small files can end up here before the detection phase (in that case we'll have FILE_STATE_CLOSED flag set but no FILE_STORE flag set, because it can't be set before the detection phase), causing storing information to be inconsistent between OutputFileLogger and OutputFiledataLogger. In this case, we'll have a fileinfo event with "stored=false" and no file_id information in JSON log; but a file extracted and stored in the disk.

#5

Updated by Victor Julien 2 months ago

It would be good to have a test case. Can you add one to suricata-verify? https://github.com/OISF/suricata-verify

Also available in: Atom PDF