Project

General

Profile

Actions
Copy link

Bug #2249

closed

rule with file keyword used with ip or tcp not seen as invalid

Added by Eric Leblond about 7 years ago. Updated 12 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
low
Difficulty:
medium
Label:

Description

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

alert ip any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 1; rev: 1;)
alert tcp any any -> any any (msg:"guess what"; filemd5:test.md5; sid: 2; rev: 1;)

But Suricata does not complain about it.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #2213: file matching: allow generic file matching / storeClosedOISF DevActions
Actions
Copy link
 #1

Updated by Andreas Herz about 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Andreas Herz over 5 years ago

  • Effort set to low
  • Difficulty set to medium
Actions
Copy link
 #3

Updated by Victor Julien about 5 years ago

  • Related to Feature #2213: file matching: allow generic file matching / store added
Actions
Copy link
 #4

Updated by Philippe Antoine 12 months ago

  • Status changed from New to Rejected

Currently signature using ip and tcp and using a file keyword like filemd5 are not valid in the sense they will not match:

They can match on whatever protocol use files, looks legit, right Eric ?

Actions
Copy link

Also available in: Atom PDF