Feature #3296
openInclude in the fileinfo if it was a duplicate
Description
In filestore v2 files are stored by their sha256. When it finds a duplicate, it will only update the timestamp.
I think the request here is to log in some way the number of times this file was already seen.
Updated by Victor Julien over 4 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
Updated by Victor Julien over 4 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Assignee changed from Community Ticket to Stian Bergseth
Stian, IIRC you brought this up. Could you describe what you are after a bit more?
Updated by Stian Bergseth over 4 years ago
I did not bring it up actually :)
But iirc the wanted feature was to update the metainfo in filestore with first seen, last seen and how many times seen. I guess that should not be too complicated?
Updated by Victor Julien over 4 years ago
- Assignee changed from Stian Bergseth to Community Ticket
Hah, sorry! Doesn't sound over complicated, although I'm not sure what would happen if multiple threads would try to rewrite this file at the same time.
Updated by Jason Ish over 4 years ago
From my notes it was to simply create a flag in the fileinfo entry that it was a dup. I think its simple enough. Of course, we'd only catch this case if the file was seen multiple times within your retention window.
Updated by Victor Julien over 3 years ago
It seems this is something that could be inferred from the fileinfo eve logs