filestore rules are loaded without warning when filestore is not enabled
Not sure what is best - warning or to handle it similar to https://redmine.openinfosecfoundation.org/issues/3204.
pevma@DonPedro:~/Work/Suricata/QA/tmp$ cat test-fs.rules alert http any any -> any any (msg:"test http filestore"; file.name; content:".exe"; filestore; sid:10; rev:1;) pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata -T -S test-fs.rules  11/12/2019 -- 12:18:49 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode  11/12/2019 -- 12:18:49 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.1-dev (eceb7dcba 2019-12-10) running in SYSTEM mode  11/12/2019 -- 12:18:50 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting. pevma@DonPedro:~/Work/Suricata/QA/tmp$ sudo /opt/suritest/bin/suricata --dump-config |grep store outputs.5 = tls-store outputs.5.tls-store = (null) outputs.5.tls-store.enabled = no outputs.12 = file-store outputs.12.file-store = (null) outputs.12.file-store.version = 2 outputs.12.file-store.enabled = no outputs.12.file-store.xff = (null) outputs.12.file-store.xff.enabled = no outputs.12.file-store.xff.mode = extra-data outputs.12.file-store.xff.deployment = reverse outputs.12.file-store.xff.header = X-Forwarded-For outputs.13 = file-store outputs.13.file-store = (null) outputs.13.file-store.enabled = no pevma@DonPedro:~/Work/Suricata/QA/tmp$
Updated by Victor Julien almost 3 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 5.0.2
I'm trying to think what good default behavior would be. I think fully rejecting the rules could be too harsh, as some ppl might add it to just store the file if filestore is enabled, but otherwise just get an alert. So perhaps a warning would be best.
Maybe a special case would be a rule that is 'noalert' and has no other side effects (e.g. setting a flowbit). Those can probably be rejected.
Lets start with a warning. Should probably be a one time warning to avoid flooding the log if a large ruleset uses the filestore keyword.