Actions
Bug #4881
closedalert event incorrectly log stored files
Description
When an alert is using filestore, the stored files are not marked as such:
"files": [ { "sid": [ 3 ], "tx_id": 0, "gaps": false, "size": 1188, "state": "UNKNOWN", "filename": "/~lds/b.apkg", "stored": false } ],
Updated by Victor Julien almost 3 years ago
- Description updated (diff)
- Status changed from New to Assigned
- Target version changed from 6.0.5 to 7.0.0-beta1
Updated by Victor Julien over 2 years ago
Is the file store module enabled? It will only be set to true if it was actually stored.
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to TBD
Updated by Victor Julien about 2 years ago
- Status changed from Assigned to Feedback
Updated by Eric Leblond about 2 years ago
Victor Julien wrote in #note-2:
Is the file store module enabled? It will only be set to true if it was actually stored.
I think so in the reported case but I also see the same in a test I have just done today with latest master.
Updated by Eric Leblond about 2 years ago
Using the signature
alert http any any -> any any (msg:"COwboys"; metadata: training suricata; sid:1; rev:1; http.content_type; content:"application"; filestore;)
on the MTA pcap there https://www.malware-traffic-analysis.net/2020/03/04/index.html
is triggering the issue.
Updated by Eric Leblond about 2 years ago
Added test: https://github.com/OISF/suricata-verify/pull/965
Updated by Victor Julien about 2 years ago
- Status changed from Feedback to Assigned
- Assignee changed from Eric Leblond to Victor Julien
- Target version changed from TBD to 7.0.0-rc1
Updated by Philippe Antoine almost 2 years ago
- Status changed from Assigned to In Review
- Assignee changed from Victor Julien to Philippe Antoine
Why did you take this Victor ?
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Philippe Antoine over 1 year ago
- Has duplicate Bug #2500: stored will always equal false in fileinfo events added
Updated by Philippe Antoine over 1 year ago
- Target version changed from 8.0.0-beta1 to 7.0.0
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0 to 7.0.1
Updated by Philippe Antoine over 1 year ago
- Status changed from In Review to Closed
Actions