Project

General

Profile

Actions

Bug #7357

open

filestore keyword option seems not to work

Added by Eric Leblond about 2 months ago. Updated about 2 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

with the same condition described in https://redmine.openinfosecfoundation.org/issues/7356, it seems we have problem with the filestore keyword options:

alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore:both,flow; sid:2; rev:1;)

Signature 1 is alerting and signature 2 is not although we have the option to store all files on the flow. Also extraction is not done.


Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7356: Unexpected effect of filestore keywordNewOISF DevActions
Actions #1

Updated by Eric Leblond about 2 months ago

  • Related to Bug #7356: Unexpected effect of filestore keyword added
Actions #2

Updated by Eric Leblond about 2 months ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Eric Leblond
Actions #3

Updated by Eric Leblond about 2 months ago

In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.11-with-option is testing the problem.

Actions

Also available in: Atom PDF