Bug #2500: stored will always equal false in fileinfo events
Status: Closed
Description
'stored' will always evaluate to false in fileinfo events (when force file store of all files is off) due to the fact that we close the file before evaluating whether to store it (or not). Around line 117 in output-file.c, we check to see if the file's state is greater than opened (likely closed), and if so, we run the file loggers. The issue is that the store/no store evaluation happens after this process, resulting in the flags passed to the logger having no FILE_STORE/FILE_NOSTORE bits set. A possible fix is to add an additional condition to that if statement checking for the existence of either of those flags.
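As an added illustration (not Suricata's code and not the code from the linked PR), a small C model of the ordering the description lays out: the file is closed before detection has set FILE_STORE or FILE_NOSTORE, so a logger gated only on `state > FILE_STATE_OPENED` fires with `stored=false`, while the proposed extra flag check defers logging until the decision exists. The numeric values, the `File` struct and the function names are assumptions; only the names of the states and flags come from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Suricata state/flag names in the report.
 * The numeric values are assumptions; only their ordering matters here. */
enum { FILE_STATE_NONE = 0, FILE_STATE_OPENED = 1, FILE_STATE_CLOSED = 2 };
#define FILE_STORE   (1u << 0)
#define FILE_NOSTORE (1u << 1)

typedef struct { int state; uint16_t flags; } File;      /* assumed shape */
typedef struct { bool logged; bool stored; } LogResult;

/* Condition as described for output-file.c: log once the file is past OPENED. */
static bool LogReadyOriginal(const File *ff) {
    return ff->state > FILE_STATE_OPENED;
}

/* Proposed condition: also require that a store/no-store decision was made. */
static bool LogReadyFixed(const File *ff) {
    return ff->state > FILE_STATE_OPENED &&
           (ff->flags & (FILE_STORE | FILE_NOSTORE)) != 0;
}

/* Value the fileinfo "stored" field takes from the flags the logger sees. */
static bool StoredField(const File *ff) {
    return (ff->flags & FILE_STORE) != 0;
}

/* Replay the sequence from the report: a small file is fully received and
 * closed before detection runs; detection then sets 'decision' (FILE_STORE
 * or FILE_NOSTORE). The logger condition is tried at both points, and the
 * first point at which it fires decides what gets written. */
static LogResult Replay(bool (*ready)(const File *), uint16_t decision) {
    File ff = { FILE_STATE_OPENED, 0 };
    LogResult r = { false, false };
    ff.state = FILE_STATE_CLOSED;                 /* 1. closed, no flags yet */
    if (ready(&ff)) { r.logged = true; r.stored = StoredField(&ff); return r; }
    ff.flags |= decision;                         /* 2. detection decides    */
    if (ready(&ff)) { r.logged = true; r.stored = StoredField(&ff); }
    return r;
}

int main(void) {
    LogResult a = Replay(LogReadyOriginal, FILE_STORE);
    LogResult b = Replay(LogReadyFixed, FILE_STORE);
    printf("original: logged=%d stored=%d\n", a.logged, a.stored);  /* 1 0 */
    printf("fixed:    logged=%d stored=%d\n", b.logged, b.stored);  /* 1 1 */
    return 0;
}
```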
Updated by Elazar Broad over 6 years ago
Possible solution: https://github.com/OISF/suricata/pull/3364
Updated by Andreas Herz over 6 years ago
- Assignee set to Elazar Broad
- Target version set to TBD
Updated by Elazar Broad over 6 years ago
Make that: https://github.com/OISF/suricata/pull/3366
Updated by Andrea Di Pasquale over 5 years ago
I can confirm this bug. In fact, checking ff->state > FILE_STATE_OPENED (src/output-file.c, OutputFileLogFfc()) is not a sufficient condition for triggering file information logging when the signature's filestore keyword is in, because small files can end up here before the detection phase (in that case we'll have the FILE_STATE_CLOSED flag set but no FILE_STORE flag set, because it can't be set before the detection phase), causing the storing information to be inconsistent between OutputFileLogger and OutputFiledataLogger. In this case, we'll have a fileinfo event with "stored=false" and no file_id information in the JSON log, but a file extracted and stored on disk.
Updated by Victor Julien over 5 years ago
It would be good to have a test case. Can you add one to suricata-verify? https://github.com/OISF/suricata-verify
Updated by Philippe Antoine over 1 year ago
- Status changed from New to Closed
Duplicate of #4881, which has a PR associated with it, right?
Updated by Philippe Antoine over 1 year ago
- Is duplicate of Bug #4881: alert event incorrectly log stored files added