Suricata

(using the foo.cap attached and previously provided in this mail thread here - https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-August/016080.html )

1)
Using 4.1.0-dev (rev 1f4cd75f) with filestorev2 and having
fileextraction unconditionally enabled (
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443
un-commented )

I get the 2 PDFs -

locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1:
PDF document, version 1.6
locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa:
PDF document, version 1.4

root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh
locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
-rw-r--r-- 1 root root 294K Aug 24 16:54
locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh
locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
-rw-r--r-- 1 root root 94K Aug 24 16:54
locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa

Disabled fileextraction unconditionally (
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443
commented back )

and using only this rule -

alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF
document"; filestore; sid:777; rev:1;)
i get no PDF files extracted. (although i should)

Using only this rule however -
alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF";
filestore; sid:666; rev:1;)
I get the two PDFs extracted.

so it seems the only difference is filemagic:"PDF document" and
filemagic:"PDF". (it didnt use to be like that before - you could
just specify filemagic:"PDF document" and that was working as
expected)