Project

General

Profile

Actions

Feature #3296

open

Include in the fileinfo if it was a duplicate

Added by Andreas Herz about 5 years ago. Updated about 4 years ago.

Status:
Feedback
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

In filestore v2 files are stored by their sha256. When it finds a duplicate, it will only update the timestamp.

I think the request here is to log in some way the number of times this file was already seen.


Related issues 1 (1 open0 closed)

Related to Suricata - Task #3288: Suricon 2019 brainstormAssignedVictor JulienActions
Actions #1

Updated by Victor Julien about 5 years ago

  • Parent task deleted (#3288)
Actions #2

Updated by Victor Julien about 5 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added
Actions #3

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee changed from Community Ticket to Stian Bergseth

Stian, IIRC you brought this up. Could you describe what you are after a bit more?

Actions #4

Updated by Stian Bergseth about 5 years ago

I did not bring it up actually :)

But iirc the wanted feature was to update the metainfo in filestore with first seen, last seen and how many times seen. I guess that should not be too complicated?

Actions #5

Updated by Victor Julien about 5 years ago

  • Assignee changed from Stian Bergseth to Community Ticket

Hah, sorry! Doesn't sound over complicated, although I'm not sure what would happen if multiple threads would try to rewrite this file at the same time.

Actions #6

Updated by Jason Ish about 5 years ago

From my notes it was to simply create a flag in the fileinfo entry that it was a dup. I think its simple enough. Of course, we'd only catch this case if the file was seen multiple times within your retention window.

Actions #7

Updated by Victor Julien about 4 years ago

It seems this is something that could be inferred from the fileinfo eve logs

Actions

Also available in: Atom PDF