Project

General

Profile

Actions
Copy link

Bug #2500

closed
EB EB

stored will always equal false in fileinfo events

Bug #2500: stored will always equal false in fileinfo events

Added by Elazar Broad almost 8 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Elazar Broad
Target version:
TBD
Affected Versions:
4.1rc1
Effort:
Difficulty:
Label:

Description

'stored' will always evaluate to false in fileinfo events (when force file store of all files is off) due to the fact that we close the file before evaluating whether to store it (or not). Around line 117 in output-file.c, we check to see if the file's state is greater that opened(likely closed), and if so, we run the file loggers. The issue is that the store/no store evaluation happens after this process, resulting in the flags passed to the logger having no FILE_STORE/FILE_NOSTORE bits set. A possible fix is to add an additional condition to that if statement checking for the existence of either of those flags.

Related issues 1 (0 open1 closed)

Is duplicate of Suricata - Bug #4881: alert event incorrectly log stored filesClosedPhilippe AntoineActions
Actions
Copy link

Also available in: PDF Atom