Optimization #3406

closed

filestore rules are loaded without warning when filestore is not enabled

Added by Peter Manev about 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal

Description

Not sure what is best: a warning, or to handle it similarly to https://redmine.openinfosecfoundation.org/issues/3204.

pevma@DonPedro:~/Work/Suricata/QA/tmp$ cat test-fs.rules 
alert http any any -> any any (msg:"test http filestore"; file.name; content:".exe"; filestore; sid:10; rev:1;)

pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata -T -S test-fs.rules 
[1305249] 11/12/2019 -- 12:18:49 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[1305249] 11/12/2019 -- 12:18:49 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.1-dev (eceb7dcba 2019-12-10) running in SYSTEM mode
[1305249] 11/12/2019 -- 12:18:50 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.

pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata --dump-config |grep store
outputs.5 = tls-store
outputs.5.tls-store = (null)
outputs.5.tls-store.enabled = no
outputs.12 = file-store
outputs.12.file-store = (null)
outputs.12.file-store.version = 2
outputs.12.file-store.enabled = no
outputs.12.file-store.xff = (null)
outputs.12.file-store.xff.enabled = no
outputs.12.file-store.xff.mode = extra-data
outputs.12.file-store.xff.deployment = reverse
outputs.12.file-store.xff.header = X-Forwarded-For
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
pevma@DonPedro:~/Work/Suricata/QA/tmp$ 

#1

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 5.0.2

I'm trying to think what good default behavior would be. I think fully rejecting the rules could be too harsh, as some people might add it to just store the file if filestore is enabled, but otherwise just get an alert. So perhaps a warning would be best.

Maybe a special case would be a rule that is 'noalert' and has no other side effects (e.g. setting a flowbit). Those can probably be rejected.

Let's start with a warning. Should probably be a one time warning to avoid flooding the log if a large ruleset uses the filestore keyword.
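The check discussed above (description and #1), written as an added Python example that is not Suricata's code and not part of this issue: it reads the rule file and the `--dump-config` output, and when no `file-store` output is enabled it collects the sids of `filestore` rules to warn about once, and separately the noalert rules with no other side effect that could be rejected. The sample rules with sid 11 and 12 and the `SIDE_EFFECTS` keyword list are constructed assumptions.

```python
import re
# Constructed samples: the rule and --dump-config lines from the issue, plus
# two extra rules (sid 11, 12) to exercise the noalert special case.
RULES = """\
alert http any any -> any any (msg:"test http filestore"; file.name; content:".exe"; filestore; sid:10; rev:1;)
alert http any any -> any any (msg:"noalert; no side effect"; file.name; content:".dll"; filestore; noalert; sid:11; rev:1;)
alert http any any -> any any (msg:"noalert but sets flowbit"; filestore; noalert; flowbits:set,seen_exe; sid:12; rev:1;)
"""
DUMP_CONFIG = """\
outputs.12 = file-store
outputs.12.file-store.enabled = no
outputs.13 = file-store
outputs.13.file-store.enabled = no
"""
ENABLED_RE = re.compile(r"^outputs\.\d+\.file-store\.enabled\s*=\s*(\S+)", re.M)
SIDE_EFFECTS = ("flowbits", "xbits", "hostbits")  # assumed "other side effects"


def filestore_enabled(dump: str) -> bool:
    """True if any file-store output block in --dump-config output is enabled."""
    return any(v.lower() in ("yes", "true") for v in ENABLED_RE.findall(dump))


def parse_rule(line: str) -> dict:
    """Map rule options to values (None for bare keywords); splits on ';'
    outside double quotes (escaped quotes in content are not handled)."""
    body = line[line.index("(") + 1:line.rindex(")")]
    opts, cur, in_quote = {}, [], False
    for ch in body + ";":
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.setdefault(key, val.strip() or None)
            cur = []
        else:
            cur.append(ch)
    return opts


def check_rules(rules: str, dump: str) -> dict:
    """Policy from the issue when no file-store output is enabled: warn (once)
    for filestore rules that alert or set bits; reject noalert ones with none."""
    result = {"enabled": filestore_enabled(dump), "warn": [], "reject": []}
    for line in filter(str.strip, rules.splitlines()):
        opts = parse_rule(line)
        if result["enabled"] or "filestore" not in opts:
            continue
        quiet = "noalert" in opts and not any(k in opts for k in SIDE_EFFECTS)
        result["reject" if quiet else "warn"].append(opts.get("sid"))
    return result
```

With the sample input the warning list holds sid 10 and 12 and the reject list holds sid 11; a single log line per load for the `warn` list keeps the output bounded for large rulesets.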

#2

Updated by Victor Julien almost 5 years ago

  • Target version changed from 5.0.2 to 5.0.3

#3

Updated by Victor Julien almost 5 years ago

  • Status changed from Assigned to In Review

#4

Updated by Jeff Lucovsky almost 5 years ago

  • Status changed from In Review to Closed