Documentation #7355

open

Non working signatures in filestore explanation

Added by Eric Leblond about 2 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

On https://docs.suricata.io/en/latest/file-extraction/file-extraction.html

There is a series of examples on extracting files from a blacklist:

alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:6; rev:1;)

This cannot work properly: if the file is too big, the match will happen at the end, so the file storing will not be done early enough.

As a side note: it seems that when running this example, we can have an empty file extracted to the correct sha256 file.
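
The timing problem described in this issue, as an added Python model that is not part of the original report and is not Suricata code. It assumes chunks are seen once, in order, and are kept only if storing is already enabled when they arrive; `inspect_stream` and `retain_before_match` are hypothetical names, and the sample data is constructed.

```python
import hashlib

def inspect_stream(chunks, blacklist, retain_before_match=False):
    """Simplified model of hash-triggered file storing (not Suricata code).

    Assumptions: chunks are seen once, in order; a chunk is kept only if
    storing is already enabled when it arrives; the SHA-256 is known only
    after the last chunk. Returns (matched, sha256_hex, stored_bytes).
    """
    hasher = hashlib.sha256()
    storing = retain_before_match
    kept = bytearray()
    for chunk in chunks:
        hasher.update(chunk)
        if storing:
            kept += chunk
    digest = hasher.hexdigest()
    matched = digest in blacklist
    # The match, and with it the store decision, only exists here, at
    # end of file. Without earlier retention there is nothing to write.
    stored = bytes(kept) if matched else b""
    return matched, digest, stored

# Constructed sample: a "file" delivered as four chunks.
SAMPLE_CHUNKS = [b"MZ" + b"\x00" * 62, b"A" * 64, b"B" * 64, b"tail"]
SAMPLE_SHA256 = hashlib.sha256(b"".join(SAMPLE_CHUNKS)).hexdigest()
BLACKLIST = {SAMPLE_SHA256}  # stands in for a checksum list file

if __name__ == "__main__":
    for retain in (False, True):
        matched, digest, stored = inspect_stream(SAMPLE_CHUNKS, BLACKLIST, retain)
        print(f"retain_before_match={retain}: matched={matched} "
              f"file={digest[:16]}... stored_bytes={len(stored)}")
```

In the model, the late-match case produces a correctly named but empty output, which mirrors the side note in the report.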
