Feature #3296
open
Include in the fileinfo if it was a duplicate
Added by Andreas Herz almost 5 years ago.
Updated almost 4 years ago.
Description
In filestore v2 files are stored by their sha256. When it finds a duplicate, it will only update the timestamp.
I think the request here is to log in some way the number of times this file was already seen.
Related issues
1 (1 open — 0 closed)
- Parent task deleted (
#3288)
- Related to Task #3288: Suricon 2019 brainstorm added
- Description updated (diff)
- Status changed from New to Feedback
- Assignee changed from Community Ticket to Stian Bergseth
Stian, IIRC you brought this up. Could you describe what you are after a bit more?
I did not bring it up actually :)
But iirc the wanted feature was to update the metainfo in filestore with first seen, last seen and how many times seen. I guess that should not be too complicated?
- Assignee changed from Stian Bergseth to Community Ticket
Hah, sorry! Doesn't sound over complicated, although I'm not sure what would happen if multiple threads would try to rewrite this file at the same time.
From my notes it was to simply create a flag in the fileinfo entry that it was a dup. I think its simple enough. Of course, we'd only catch this case if the file was seen multiple times within your retention window.
It seems this is something that could be inferred from the fileinfo eve logs
Also available in: Atom
PDF