Actions
Bug #410
closed"flow:established,to_server;" with "filestore" combined in a files.rules
Affected Versions:
Effort:
Difficulty:
Label:
Description
file magic
Files.rules - the rules do not function properly ex. -
(the below rules are from files.rules rule file)
if I use :
- http://newsroom.cisco.com/dlls/corporate_timeline.pdf - pdf used to test the filestore
alert http any any -> any any (msg:"FILESTORE pdf"; fileext:"pdf"; filestore; sid:8; rev:1;) - the rule below does not log/fire
alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
- Store all PDF files, regardless of their name.
#alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:9; rev:1;)
#the rule below fires/logs/stores the pdf , but with flow:established,to_server; it does not ... (the rule bove would not fire/store)
#alert http any any -> any any (msg:"FILEMAGIC pdf"; filemagic:"PDF document"; filestore; sid:9; rev:1;)
so in other words if we have "flow:established,to_server;" with "filestore" combined , even if the file.waldo is ok and suri starts with no errors - it would still neither generate an alert nor store the file.
Thanks
Updated by Victor Julien over 12 years ago
The goal of that rule was to store a file with a pdf extension only if it's uploaded to a server. Did you try that?
Updated by Peter Manev over 12 years ago
This is my fault.
I mixed up the keyword.
I will confirm the correctness of the rule and report back.
thanks
Updated by Victor Julien over 12 years ago
- Status changed from New to Assigned
- Assignee set to Peter Manev
Cool. Please close the ticket if you confirm there not to be a bug.
Updated by Peter Manev about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Not an issue.
Actions