Actions
Bug #7357
openfilestore keyword option seems not to work
Affected Versions:
Effort:
Difficulty:
Label:
Description
with the same condition described in https://redmine.openinfosecfoundation.org/issues/7356, it seems we have problem with the filestore keyword options:
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore:both,flow; sid:2; rev:1;)
Signature 1 is alerting and signature 2 is not although we have the option to store all files on the flow. Also extraction is not done.
Updated by Eric Leblond about 2 months ago
- Related to Bug #7356: Unexpected effect of filestore keyword added
Updated by Eric Leblond about 2 months ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Eric Leblond
Updated by Eric Leblond about 2 months ago
In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.11-with-option is testing the problem.
Actions