Optimization #536

open

share ctx for filemd5 keyword if identical files are used

Added by Peter Manev about 10 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
low
Difficulty:
medium
Label:

Description

If we have the same md5collection file (a white-list) and we use that file in two separate rules, then currently, as of
1.4dev (rev 75af345),

Suricata loads the two md5collection files separately, even though they are the very same file with the very same name.

It would be very beneficial if this were handled better: just point to the same file/memloc, since the files are the same.

example:

alert ip any any -> any any (msg:"FILE MD5 Check PDF against a white list"; filemagic:pdf; filemd5:!MD5File.txt; sid:9966699; rev:1;)
alert ip any any -> any any (msg:"FILE MD5 Check EXE against a white list"; filemagic:exe; filemd5:!MD5File.txt; sid:9977799; rev:2;)

would result in

[3237] 29/8/2012 -- 15:36:40 - (detect.c:670) <Info> (SigLoadSignatures) -- Loading rule file: /var/data/peter/md5test.rules
[3237] 29/8/2012 -- 15:37:21 - (detect-filemd5.c:277) <Info> (DetectFileMd5Parse) -- MD5 hash size 1399625840 bytes, negated match
[3237] 29/8/2012 -- 15:38:00 - (detect-filemd5.c:277) <Info> (DetectFileMd5Parse) -- MD5 hash size 1399625840 bytes, negated match

So if we have 10 MD5 rules using the filemd5 keyword, it is going to be a long wait before we can start processing packets.

thanks

Actions #1

Updated by Victor Julien about 10 years ago

  • Subject changed from filemd5 to share ctx for filemd5 keyword if identical files are used
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to TBD

Yeah had noticed the same, will address this at some point.

Actions #2

Updated by Victor Julien almost 9 years ago

  • Target version changed from TBD to 2.0beta2

Actions #3

Updated by Victor Julien almost 9 years ago

  • Target version changed from 2.0beta2 to 2.0rc1

Actions #4

Updated by Victor Julien almost 9 years ago

  • Tracker changed from Bug to Optimization

Actions #5

Updated by Victor Julien over 8 years ago

  • Target version changed from 2.0rc1 to 3.0RC2

Wondering if we could perhaps create more generic sharing between keywords. Currently if we see content:"abc"; and then in another rule also content:"abc"; we have the same thing in memory twice.
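As an added example (not Suricata's code and not part of this ticket), the loader below shows the sharing the description asks for, and the more general "load one keyword context, bind it to many rules" idea raised in #5: every rule that names the same filemd5 list gets the same parsed context, so the file is read once however many rules reference it. The regex-based rule parsing, the cache keyed by canonical path, and the constructed whitelist file are assumptions made for the demo; the two rules are the ticket's own.

```python
# Added example, not Suricata's code: share one parsed filemd5 context
# between all rules that reference the same hash-list file.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# The two rules from the ticket. Rule parsing here is a minimal regex
# (an assumption for the demo), not Suricata's rule parser.
RULES = """
alert ip any any -> any any (msg:"FILE MD5 Check PDF against a white list"; filemagic:pdf; filemd5:!MD5File.txt; sid:9966699; rev:1;)
alert ip any any -> any any (msg:"FILE MD5 Check EXE against a white list"; filemagic:exe; filemd5:!MD5File.txt; sid:9977799; rev:2;)
"""
FILEMD5_RE = re.compile(r'filemd5:\s*(!?)\s*([^;]+);')
SID_RE = re.compile(r'sid:\s*(\d+);')
MD5_HEX_RE = re.compile(r'[0-9a-f]{32}')


@dataclass(frozen=True)
class Md5Context:
    """One parsed hash list, shared by every rule that references it."""
    path: str
    hashes: frozenset


class Md5ContextCache:
    """Loads each hash-list file once, keyed by its canonical path."""

    def __init__(self):
        self._contexts = {}
        self.file_reads = 0  # how many times a list was actually parsed

    def get(self, path):
        key = os.path.realpath(path)  # so ./a.txt and a.txt share one ctx
        ctx = self._contexts.get(key)
        if ctx is None:
            ctx = self._load(key)
            self._contexts[key] = ctx
        return ctx

    def _load(self, key):
        self.file_reads += 1
        hashes = set()
        with open(key, encoding="ascii") as f:
            for lineno, line in enumerate(f, 1):
                digest = line.strip().lower()
                if not digest or digest.startswith("#"):
                    continue  # blank lines and comments are allowed
                if not MD5_HEX_RE.fullmatch(digest):
                    raise ValueError(f"{key}:{lineno}: not an MD5 hex digest: {digest!r}")
                hashes.add(digest)
        return Md5Context(key, frozenset(hashes))


@dataclass(frozen=True)
class Rule:
    sid: int
    negated: bool       # filemd5:!file -> alert when the hash is NOT listed
    ctx: Md5Context


def parse_rules(rule_text, cache, base_dir):
    """Return the filemd5 rules in rule_text, each bound to a shared context."""
    rules = []
    for line in rule_text.splitlines():
        m = FILEMD5_RE.search(line)
        if not m:
            continue
        sid = int(SID_RE.search(line).group(1))
        path = os.path.join(base_dir, m.group(2).strip())
        rules.append(Rule(sid, m.group(1) == "!", cache.get(path)))
    return rules


def rule_matches(rule, file_md5):
    """True when the rule would alert on a file with this MD5."""
    listed = file_md5.lower() in rule.ctx.hashes
    return listed != rule.negated


def demo():
    """Load the two ticket rules against one constructed whitelist and report."""
    # Constructed whitelist: MD5s of two short strings stand in for real files.
    allowed = [hashlib.md5(b"good-pdf").hexdigest(), hashlib.md5(b"good-exe").hexdigest()]
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "MD5File.txt"), "w", encoding="ascii") as f:
            f.write("# constructed whitelist\n" + "\n".join(allowed) + "\n")
        cache = Md5ContextCache()
        rules = parse_rules(RULES, cache, tmp)
        unknown = hashlib.md5(b"not-on-the-list").hexdigest()
        return {
            "rules": len(rules),
            "file_reads": cache.file_reads,          # 1, not one per rule
            "shared_ctx": rules[0].ctx is rules[1].ctx,
            "alert_on_listed": rule_matches(rules[0], allowed[0]),
            "alert_on_unknown": rule_matches(rules[1], unknown),
        }


if __name__ == "__main__":
    print(demo())
```

Keying on the canonical path means two rules pointing at the same file share one context regardless of how the path is spelled, but two different files with identical contents are still parsed twice; keying on a digest of the file contents would extend the sharing to that case. The cache also assumes the lists do not change between rules being loaded, so a rule reload would need to invalidate or rebuild it.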

Actions #6

Updated by Victor Julien almost 8 years ago

  • Target version changed from 3.0RC2 to 70

Actions #7

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to New
  • Assignee changed from Victor Julien to OISF Dev
  • Target version changed from 70 to TBD

Actions #8

Updated by Victor Julien about 4 years ago

  • Effort set to low
  • Difficulty set to medium

Actions #9

Updated by Victor Julien about 4 years ago

  • Assignee changed from OISF Dev to Anonymous

Actions #10

Updated by Andreas Herz over 3 years ago

  • Assignee set to Community Ticket