Bug #8183

open

filestore stores non-matching files in multi-file HTTP transactions

Added by chen chen 3 days ago.

Status: New
Priority: Normal
Assignee: -
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm trying to store only files with a .pdf extension using a Suricata rule. However, I've noticed that when a single HTTP transaction contains multiple files (e.g., both .pdf and other types like .txt or .jpg), all files are stored—even those that don’t have a .pdf extension.

Here’s the rule I’m using:
alert http any any -> any any (content:"POST"; http_method; flow:to_server; fileext:"pdf"; filestore; sid:111; rev:1; classtype:file_store; flowbits:noalert;)

A pcap file is attached. Is this expected in my Suricata version, or could it be a bug? I’m using Suricata v6.0.6.
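The quickest way to confirm the behaviour described above in your own deployment is to read the `fileinfo` records Suricata writes to eve.json and compare the `stored` flag against each file's extension. The script below is an added example, not part of this report and not Suricata code; it assumes only the real `event_type`, `flow_id`, `fileinfo.filename` and `fileinfo.stored` fields, and the sample log lines are constructed (they are not output from the attached pcap).

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not real Suricata output from the attached pcap):
# flow 1001 is a multipart POST carrying a .pdf and a .txt, both marked stored;
# flow 1002 is a single .jpg upload that was not stored.
SAMPLE_EVE = """
{"timestamp":"2025-12-29T02:36:00.000000+0000","flow_id":1001,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"http","http":{"http_method":"POST","url":"/upload"},"fileinfo":{"filename":"report.pdf","size":20480,"stored":true,"file_id":1}}
{"timestamp":"2025-12-29T02:36:00.000000+0000","flow_id":1001,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"http","http":{"http_method":"POST","url":"/upload"},"fileinfo":{"filename":"notes.txt","size":512,"stored":true,"file_id":2}}
{"timestamp":"2025-12-29T02:37:00.000000+0000","flow_id":1002,"event_type":"fileinfo","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"http","http":{"http_method":"POST","url":"/upload"},"fileinfo":{"filename":"photo.jpg","size":4096,"stored":false,"file_id":1}}
{"timestamp":"2025-12-29T02:37:01.000000+0000","flow_id":1002,"event_type":"alert","alert":{"signature_id":111}}
"""

# Extensions the rule in this report is meant to keep (fileext:"pdf").
ALLOWED_SUFFIXES = (".pdf",)


def iter_fileinfo(lines):
    """Yield (flow_id, filename, stored) for every fileinfo event in eve.json lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue  # alerts, http, flow records etc. are not of interest here
        fi = ev.get("fileinfo", {})
        yield ev.get("flow_id"), fi.get("filename", ""), bool(fi.get("stored", False))


def stored_files_by_flow(lines):
    """Group files per flow so multi-file transactions can be inspected together."""
    by_flow = defaultdict(list)
    for flow_id, filename, stored in iter_fileinfo(lines):
        by_flow[flow_id].append((filename, stored))
    return dict(by_flow)


def unexpected_stores(lines, allowed=ALLOWED_SUFFIXES):
    """Return (flow_id, filename) for files Suricata stored although their
    extension is not in `allowed`; a non-empty result reproduces the report."""
    hits = []
    for flow_id, filename, stored in iter_fileinfo(lines):
        if stored and not filename.lower().endswith(allowed):
            hits.append((flow_id, filename))
    return hits


if __name__ == "__main__":
    # Run against a real log with: python3 check_filestore.py < /var/log/suricata/eve.json
    import sys
    source = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_EVE.splitlines()
    for flow_id, files in stored_files_by_flow(source).items():
        print(f"flow {flow_id}: {files}")
    for flow_id, filename in unexpected_stores(source):
        print(f"stored non-matching file {filename!r} in flow {flow_id}")
```

Only files that were actually written to disk carry `"stored": true`, so a match from this script on a flow whose other file has the expected extension is exactly the multi-file case in the report; a clean run over the pcap with the rule above is the check to repeat on the version under test.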


Files

http_post_pdf_and_txt_files.pcap (20.8 KB), chen chen, 12/29/2025 02:36 AM
