Project

General

Profile

Actions
Copy link

Bug #2966

closed

filestore (v1 and v2): dropping of "unwanted" files (4.1.x)

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1.5
Affected Versions:
4.1.2, 4.1.3, 4.1.4
Effort:
low
Difficulty:
low
Label:

Description

when using the filestore option in combination with e.g. magic filter some files whose magic do not match are dropped as well.

the reason for this is a small bug or typo in FileStoreFileById (util-file.c) and DetectFilestoreMatch (detect-filestore.c).

instead of using the file_track_id the file_store_id is used. file_store_id however is always 0 and only incremented if a file gets dropped. thus
all files of a FileContainer get dropped even if only one file was selected for dropping according to the rules.

Files

Download all files
suricata.yaml (73.9 KB) suricata.yaml Andreas Herz, 04/17/2019 07:08 AM
extract.pcap (2.75 MB) extract.pcap Andreas Herz, 04/17/2019 07:08 AM
extract-magic.rules (117 Bytes) extract-magic.rules Andreas Herz, 04/17/2019 07:09 AM
extracthttp.pcap (70.4 KB) extracthttp.pcap Andreas Herz, 04/18/2019 08:47 AM

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #2853: filestore (v1 and v2): dropping of "unwanted" filesClosedmagen blutenActions
Actions
Copy link

Also available in: Atom PDF