Feature #2213
closed
file matching: allow generic file matching / store
Added by Victor Julien about 7 years ago.
Updated 12 months ago.
Description
Currently if you want to match on all protocols Suricata supports for file matching you need a rule for each protocol:
alert http .... filename:"blah";
alert smtp .... filename:"blah";
...
Perhaps 'alert tcp ... filename:"blah"' would be enough.
Or perhaps use 'alert file ... filename:"blah"' as a special protocol.
- Assignee set to OISF Dev
- Target version set to TBD
If we want to stay consistent I would prefer alert ip so it's similar to normal rules.
This feature is also a bug as there is no warning on a rule like:
alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)
Which is a non-working rule.
Please open a separate ticket for that.
- Related to Bug #2249: rule with file keyword used with ip or tcp not seen as invalid added
- Status changed from New to Closed
alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)
is working now
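As an added example (not part of this ticket and not Suricata's own code), the helper below takes a generic rule like the one discussed here, alert ip ... filemd5:test.md5, and expands it into one copy per app-layer protocol, which is what a deployment on a Suricata version that only honours file keywords on app-layer rules still needs. The file keyword set and any protocol beyond the http and smtp named on the page are assumptions; the parser is a simplified single-line rule parser, not Suricata's.

```python
import re

# Header regex for a single-line Suricata rule (simplified, added example).
_RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<hdr>\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# Option keywords that make a rule depend on file extraction. The set is an
# assumption; the ticket itself only shows filename and filemd5.
FILE_KEYWORDS = {"filename", "fileext", "filemagic", "filemd5", "filesize", "filestore"}
# App-layer protocols to expand a generic rule into. Only http and smtp appear
# in the ticket; any further entries a caller passes are the caller's assumption.
DEFAULT_FILE_PROTOS = ("http", "smtp")
# Matches 'keyword;' or 'keyword:value;' where value may be a quoted string.
_OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a rule into action, proto, header and option string; None if unparseable."""
    m = _RULE_RE.match(rule)
    return m.groupdict() if m else None


def file_keywords_in(opts):
    """Return the set of file-matching keywords used in an option string."""
    return {k for k, _ in _OPT_RE.findall(opts) if k in FILE_KEYWORDS}


def expand_generic_file_rule(rule, protos=DEFAULT_FILE_PROTOS, sid_base=None):
    """Expand 'alert ip/file ... <file keyword>' into one rule per app-layer protocol.

    Each copy gets a distinct sid starting at sid_base (default: the original sid).
    Rules that are not generic file rules are returned unchanged, as a one-element list.
    """
    r = parse_rule(rule)
    if r is None:
        raise ValueError("unparseable rule: %r" % rule)
    if r["proto"] not in ("ip", "file") or not file_keywords_in(r["opts"]):
        return [rule]
    # Locate the sid option so each expanded copy can be given its own sid.
    sid_m = re.search(r"\bsid\s*:\s*(\d+)\s*;", r["opts"])
    if sid_m is None:
        raise ValueError("rule has no sid: %r" % rule)
    sid = sid_base if sid_base is not None else int(sid_m.group(1))
    out = []
    for i, proto in enumerate(protos):
        opts = r["opts"][:sid_m.start()] + "sid:%d;" % (sid + i) + r["opts"][sid_m.end():]
        out.append("%s %s %s (%s)" % (r["action"], proto, r["hdr"], opts))
    return out
```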