Bug #7357: filestore keyword option seems not to work

Added by Eric Leblond over 1 year ago. Updated 9 months ago.

Status: Feedback
Priority: Normal

Description

With the same condition described in https://redmine.openinfosecfoundation.org/issues/7356, it seems we have a problem with the filestore keyword options:

alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore:both,flow; sid:2; rev:1;)

Signature 1 is alerting and signature 2 is not, although we have the option to store all files on the flow. Also, extraction is not done.


Related issues (1 open, 1 closed)

Related to Suricata - Bug #7356: Unexpected effect of filestore keyword (Feedback, assigned to OISF Dev)
Related to Suricata - Feature #5665: rules: bidirectional transaction matching (Closed, assigned to Philippe Antoine)

Updated by Eric Leblond over 1 year ago (#1)

  • Related to Bug #7356: Unexpected effect of filestore keyword added

Updated by Eric Leblond over 1 year ago (#2)

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Eric Leblond

Updated by Eric Leblond over 1 year ago (#3)

In https://github.com/OISF/suricata-verify/pull/2111, the test filestore-v2.11-with-option exercises the problem.

Updated by Philippe Antoine over 1 year ago (#4)

  • Related to Feature #5665: rules: bidirectional transaction matching added

Updated by Philippe Antoine 9 months ago (#6)

  • Status changed from In Progress to Feedback

Discussion about the expected behavior is in the SV PR.
