Bug #437 (closed)
filemagic / libmagic inconsistent between releases
Description
See http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15224
The issue is that the installed libmagic versions can return different results for the same file. This doesn't make libmagic/filemagic useless, but it does make it very hard to use for a ruleset like ET.
Possible solutions:
- ship/integrate libmagic so we always use the right version
- ship our own set of definitions for each libmagic version
- write our own file identify code (http://www.garykessler.net/library/file_sigs.html)
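One way the third option could look, as an added example that is not Suricata's code: a fixed magic-byte table (offsets and values are the formats' published constants; the label strings are my own choice) that maps identical input bytes to the same label regardless of which libmagic version the host has installed.

```python
"""Deterministic file-type identification from a static magic-byte table.

Added example (not Suricata code) of the "write our own file identify code"
option from the description: with a fixed table, identical bytes always give
the same label, whatever libmagic version the host has installed. Offsets
and magic values are the formats' published constants; labels are our own.
"""

# (offset, magic bytes, label). When several entries match, the longest
# magic wins, so the two-byte "MZ" check cannot pre-empt a longer match.
SIGNATURES = [
    (0, b"\x7fELF", "elf"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF8", "gif"),
    (0, b"PK\x03\x04", "zip"),        # also OOXML/JAR/APK containers
    (0, b"MZ", "pe"),                 # DOS/PE executables
    (257, b"ustar", "tar"),           # POSIX tar magic sits at offset 257
    (0x8001, b"CD001", "iso9660"),    # ISO 9660 primary volume descriptor
]

# Bytes needed from the start of a file to evaluate every entry.
HEADER_BYTES = max(off + len(magic) for off, magic, _ in SIGNATURES)


def identify(data: bytes) -> str:
    """Return a stable label for data, or 'unknown' if nothing matches.

    Short or empty input is fine: a slice past the end is empty and fails.
    """
    best = None
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if best is None or len(magic) > len(best[0]):
                best = (magic, label)
    return best[1] if best else "unknown"


def identify_file(path: str) -> str:
    """Identify a file on disk by reading only its first HEADER_BYTES bytes."""
    with open(path, "rb") as fh:
        return identify(fh.read(HEADER_BYTES))


if __name__ == "__main__":
    # Constructed sample input, not a real file.
    print(identify(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"))   # pdf
```

Because the table never changes under the operator's feet, a rule written against the label "pdf" behaves the same on every host, which is exactly what the installed-libmagic approach cannot guarantee.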
Updated by Victor Julien over 12 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to TBD
Updated by Andreas Herz almost 9 years ago
Is this still an issue? Maybe we could gather a list of versions running on the distros to compare the file info.
Updated by Peter Manev almost 9 years ago
The challenge here is that this is OS/libmagic version dependent (and that changes dynamically). If we start generating and cross-referencing lists, we might find ourselves in an administrative nightmare, I fear.
I like Victor's first suggestion (above) in terms of consistency.
Thoughts?
Updated by Andreas Herz almost 9 years ago
Some related information is also in #1268.
Updated by Victor Julien almost 8 years ago
- Status changed from Assigned to New
- Assignee changed from Victor Julien to OISF Dev
Updated by Andreas Herz over 7 years ago
- Related to Feature #886: bromagic support added
Updated by Andreas Herz over 7 years ago
Would this solve #886 as well or did you have something else in mind with that ticket?
Updated by Victor Julien over 6 years ago
- Assignee changed from OISF Dev to Anonymous
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
Ping to team for feedback :)
Updated by Victor Julien almost 2 years ago
- Related to Feature #5894: file: file classification keyword added
Updated by Philippe Antoine over 1 year ago
I would say that this should be documented as a limitation (maybe it is already) and kept that way.
Updated by Juliana Fajardini Reichow over 1 year ago
This PR adds a note about this: https://github.com/OISF/suricata/pull/9245/files
Do we want something more elaborate?
Updated by Philippe Antoine over 1 year ago
- Status changed from Feedback to Rejected
This is the intrinsic functionality of the filemagic keyword and it is documented as such.
To get something static, we should write a new keyword...