Feature #7514

open

rules: add file specific hooks

Added by Victor Julien 10 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Thinking about 3 hooks:
file:new
file:update
file:finish

New would be for checking the name.
Update for data.
Finish for size and hashes.

Since file inspection is still a bit basic, it would require a bit of refactoring of how rule inspection is done.

pass file:new any any -> any any (file.name; content:".pdf"; nocase; endswith; sid:1;)
drop file:new any any -> any any (msg:"drop non-pdf files"; sid:2;)

Perhaps a special hook would be required for the magic logic? It inspects only the first X bytes IIRC.
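To make the three-hook model concrete, here is an added example (not Suricata code, and not from this issue's author) that simulates the proposed dispatch: rules are bound to one of file:new, file:update or file:finish, each hook only sees what is known at that point (name at new; data so far, plus a small buffered head for a magic-style check, at update; size and hash at finish), and the first matching rule decides the file. The Rule fields, the FileInspector class, HEAD_BYTES and the sample inputs are all constructed for this illustration; the two ISSUE_RULES entries are the pass/drop pair from the description expressed in this toy model.

```python
import hashlib
from dataclasses import dataclass, field

HOOKS = ("file:new", "file:update", "file:finish")
HEAD_BYTES = 16   # hypothetical: how much of the file start is kept for a magic-like check


@dataclass
class Rule:
    """Constructed, minimal rule model: an action, the hook it runs on,
    and only the checks that hook can see (as sketched in the issue)."""
    action: str                  # "pass" or "drop"
    hook: str                    # one of HOOKS
    sid: int
    name_endswith: str = None    # file:new    -> file.name endswith, case-insensitive
    magic_prefix: bytes = None   # file:update -> first bytes of the file (at most HEAD_BYTES)
    content: bytes = None        # file:update -> pattern seen in the data streamed so far
    min_size: int = None         # file:finish -> total size must be >= this
    sha256: str = None           # file:finish -> hex digest must equal this

    def matches(self, f, hook):
        if hook != self.hook:
            return False
        if self.name_endswith is not None and \
                not f.name.lower().endswith(self.name_endswith.lower()):
            return False
        if self.magic_prefix is not None:
            # Not decidable until enough leading bytes have been seen.
            if f.size < len(self.magic_prefix) or not f.head.startswith(self.magic_prefix):
                return False
        if self.content is not None and self.content not in f.window:
            return False
        if self.min_size is not None and f.size < self.min_size:
            return False
        if self.sha256 is not None and f.hasher.hexdigest() != self.sha256:
            return False
        return True


@dataclass
class FileState:
    name: str
    size: int = 0
    head: bytes = b""                                    # first HEAD_BYTES of the file
    window: bytes = b""                                  # previous tail + current chunk
    hasher: object = field(default_factory=hashlib.sha256)
    verdict: tuple = None                                # (action, sid, hook) once decided


class FileInspector:
    """Runs each rule only at the hook it is bound to; the first match decides the file."""

    def __init__(self, rules):
        for r in rules:
            if r.hook not in HOOKS:
                raise ValueError(f"unknown hook {r.hook!r} in sid {r.sid}")
        self.rules = list(rules)
        # Keep enough trailing bytes to match a pattern that straddles two chunks.
        self.tail = max((len(r.content) - 1 for r in rules if r.content), default=0)

    def _run(self, f, hook):
        if f.verdict is None:
            for r in self.rules:
                if r.matches(f, hook):
                    f.verdict = (r.action, r.sid, hook)
                    break
        return f.verdict

    def file_new(self, name):
        f = FileState(name=name)
        self._run(f, "file:new")
        return f

    def file_update(self, f, chunk):
        if f.verdict is not None and f.verdict[0] == "drop":
            return f.verdict            # dropped already: no further data is inspected
        f.head = (f.head + chunk)[:HEAD_BYTES]
        f.window = (f.window[-self.tail:] if self.tail else b"") + chunk
        f.size += len(chunk)
        f.hasher.update(chunk)
        return self._run(f, "file:update")

    def file_finish(self, f):
        return self._run(f, "file:finish")


def inspect_file(rules, name, chunks):
    """Drive all three hooks for one file; returns (action, sid, hook), or None if nothing matched."""
    insp = FileInspector(rules)
    f = insp.file_new(name)
    for chunk in chunks:
        insp.file_update(f, chunk)
    return insp.file_finish(f)


# The two rules from the issue in this model: pdf names pass at file:new, everything else is dropped.
ISSUE_RULES = [
    Rule("pass", "file:new", sid=1, name_endswith=".pdf"),
    Rule("drop", "file:new", sid=2),
]
# Constructed digest for a sample hash-based file:finish rule.
KNOWN_BAD_SHA256 = hashlib.sha256(b"constructed bad sample").hexdigest()

if __name__ == "__main__":
    print(inspect_file(ISSUE_RULES, "report.PDF", [b"%PDF-1.7"]))   # ('pass', 1, 'file:new')
    print(inspect_file(ISSUE_RULES, "tool.exe", [b"MZ"]))           # ('drop', 2, 'file:new')
```

Two points the simulation makes visible: a name-based pass at file:new means later hooks never run for that file, so a drop on size or hash at file:finish would need the pass to be bound to a later hook instead; and a magic-style check cannot be answered at file:new at all, because the leading bytes only exist once the first file:update has delivered them, which is why the model holds the match undecided until enough bytes are buffered.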


Related issues (2 open, 0 closed)

Related to Suricata - Story #7164: usecase: improve firewall usecase (New, Victor Julien)
Related to Suricata - Feature #7485: rules: allow specifying explicit hooks (In Progress, Victor Julien)
#1

Updated by Victor Julien 10 days ago

  • Related to Story #7164: usecase: improve firewall usecase added
#2

Updated by Victor Julien 10 days ago

  • Related to Feature #7485: rules: allow specifying explicit hooks added