Project

General

Profile

Actions
Copy link

Bug #4881

closed
EL PA

alert event incorrectly log stored files

Bug #4881: alert event incorrectly log stored files

Added by Eric Leblond over 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.1
Affected Versions:
5.0.8, 6.0.4
Effort:
Difficulty:
Label:

Description

When an alert is using filestore, the stored files are not marked as such:

   "files": [
    {
      "sid": [
        3
      ],
      "tx_id": 0,
      "gaps": false,
      "size": 1188,
      "state": "UNKNOWN",
      "filename": "/~lds/b.apkg",
      "stored": false
    }
  ],

Related issues 1 (0 open1 closed)

Has duplicate Suricata - Bug #2500: stored will always equal false in fileinfo eventsClosedElazar BroadActions

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #1

  • Description updated (diff)
  • Status changed from New to Assigned
  • Target version changed from 6.0.5 to 7.0.0-beta1

VJ Updated by Victor Julien almost 4 years ago Actions
Copy link
 #2

Is the file store module enabled? It will only be set to true if it was actually stored.

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #3

  • Target version changed from 7.0.0-beta1 to TBD

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #4

  • Status changed from Assigned to Feedback

EL Updated by Eric Leblond over 3 years ago Actions
Copy link
 #5

Victor Julien wrote in #note-2:

Is the file store module enabled? It will only be set to true if it was actually stored.

I think so in the reported case but I also see the same in a test I have just done today with latest master.

EL Updated by Eric Leblond over 3 years ago Actions
Copy link
 #6

Using the signature 

alert http any any -> any any (msg:"COwboys"; metadata: training suricata; sid:1; rev:1; http.content_type; content:"application"; filestore;)

on the MTA pcap there https://www.malware-traffic-analysis.net/2020/03/04/index.html

is triggering the issue.

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #8

  • Status changed from Feedback to Assigned
  • Assignee changed from Eric Leblond to Victor Julien
  • Target version changed from TBD to 7.0.0-rc1

PA Updated by Philippe Antoine over 3 years ago Actions
Copy link
 #9

  • Status changed from Assigned to In Review
  • Assignee changed from Victor Julien to Philippe Antoine

Why did you take this Victor ?

https://github.com/OISF/suricata/pull/8321

VJ Updated by Victor Julien about 3 years ago Actions
Copy link
 #10

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
 #11

  • Has duplicate Bug #2500: stored will always equal false in fileinfo events added

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
 #12

  • Target version changed from 8.0.0-beta1 to 7.0.0

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #13

  • Target version changed from 7.0.0 to 7.0.1

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #14

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: PDF Atom