Bug #437
closedfilemagic / libmagic inconsistent between releases
Description
See http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15224
The issue is that the installed libmagic versions can return different results for the same file. This doesn't make libmagic/filemagic useless, but it does make it very hard to use for a ruleset like ET.
Possible solutions:
- ship/integrate libmagic so we always use the right version
- ship our own set of definitions for each libmagic version
- write our own file identify code (http://www.garykessler.net/library/file_sigs.html)
VJ Updated by Victor Julien almost 14 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to TBD
AH Updated by Andreas Herz over 10 years ago
Is this still an issue? Maybe we could gather a list of versions running on the distros to compare the file info.
PM Updated by Peter Manev over 10 years ago
The challenge here is that this is OS/libmagic version dependent(that changes dynamically) - if we start generating and cross referencing lists we might find ourselves into administrative nightmare I fear.
I like Victor's first suggestion (above) in terms of consistency.
Thoughts?
AH Updated by Andreas Herz about 10 years ago
Some related informations also in #1268
VJ Updated by Victor Julien about 9 years ago
- Status changed from Assigned to New
- Assignee changed from Victor Julien to OISF Dev
AH Updated by Andreas Herz almost 9 years ago
- Related to Feature #886: bromagic support added
AH Updated by Andreas Herz almost 9 years ago
Would this solve #886 as well or did you have something else in mind with that ticket?
VJ Updated by Victor Julien over 7 years ago
- Assignee changed from OISF Dev to Anonymous
AH Updated by Andreas Herz about 7 years ago
- Assignee set to Community Ticket
AH Updated by Andreas Herz over 6 years ago
- Status changed from New to Feedback
Ping to team for feedback :)
VJ Updated by Victor Julien about 3 years ago
- Related to Feature #5894: file: file classification keyword added
PA Updated by Philippe Antoine almost 3 years ago
I would say that this should be documented as a limitation (maybe it is already) and kept that way.
JF Updated by Juliana Fajardini Reichow over 2 years ago
This PR adds a note about this: https://github.com/OISF/suricata/pull/9245/files
Do we want something more elaborated?
PA Updated by Philippe Antoine over 2 years ago
- Status changed from Feedback to Rejected
This is the intrinsic functionality of filemagic keyword and documented as such
To get something static, we should write a new keyword...