Project

General

Profile

Actions
Copy link

Bug #410

closed

"flow:established,to_server;" with "filestore" combined in a files.rules

Added by Peter Manev almost 13 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Peter Manev
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

file magic

Files.rules - the rules do not function properly ex. -
(the below rules are from files.rules rule file)
if I use :

#the rule below fires and logs the file, but with "flow:established,to_server;" it does not ...
  1. http://newsroom.cisco.com/dlls/corporate_timeline.pdf - pdf used to test the filestore
    alert http any any -> any any (msg:"FILESTORE pdf"; fileext:"pdf"; filestore; sid:8; rev:1;)
  2. the rule below does not log/fire
    alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;)
  1. Store all PDF files, regardless of their name.
    #alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:9; rev:1;)
    #the rule below fires/logs/stores the pdf , but with flow:established,to_server; it does not ... (the rule bove would not fire/store)
    #alert http any any -> any any (msg:"FILEMAGIC pdf"; filemagic:"PDF document"; filestore; sid:9; rev:1;)

so in other words if we have "flow:established,to_server;" with "filestore" combined , even if the file.waldo is ok and suri starts with no errors - it would still neither generate an alert nor store the file.

Thanks

Actions
Copy link

Also available in: Atom PDF