Bug #2500
closed
stored will always equal false in fileinfo events
Added by Elazar Broad almost 6 years ago.
Updated 10 months ago.
Description
'stored' will always evaluate to false in fileinfo events (when force file store of all files is off) due to the fact that we close the file before evaluating whether to store it (or not). Around line 117 in output-file.c, we check to see if the file's state is greater that opened(likely closed), and if so, we run the file loggers. The issue is that the store/no store evaluation happens after this process, resulting in the flags passed to the logger having no FILE_STORE/FILE_NOSTORE bits set. A possible fix is to add an additional condition to that if statement checking for the existence of either of those flags.
- Assignee set to Elazar Broad
- Target version set to TBD
I can confirm this bug, in fact, checking ff->state > FILE_STATE_OPENED (src/output-file.c, OutputFileLogFfc()) is not sufficient condition for triggering file information logging when signature's filestore keyword is in, because small files can end up here before the detection phase (in that case we'll have FILE_STATE_CLOSED flag set but no FILE_STORE flag set, because it can't be set before the detection phase), causing storing information to be inconsistent between OutputFileLogger and OutputFiledataLogger. In this case, we'll have a fileinfo event with "stored=false" and no file_id information in JSON log; but a file extracted and stored in the disk.
- Status changed from New to Closed
duplicate of #4881 which has a PR associated to it, right ?
- Is duplicate of Bug #4881: alert event incorrectly log stored files added
Also available in: Atom
PDF