Project

General

Profile

Actions
Copy link

Bug #4881

closed

alert event incorrectly log stored files

Added by Eric Leblond almost 3 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.1
Affected Versions:
5.0.8, 6.0.4
Effort:
Difficulty:
Label:

Description

When an alert is using filestore, the stored files are not marked as such:

   "files": [
    {
      "sid": [
        3
      ],
      "tx_id": 0,
      "gaps": false,
      "size": 1188,
      "state": "UNKNOWN",
      "filename": "/~lds/b.apkg",
      "stored": false
    }
  ],

Related issues 1 (0 open1 closed)

Has duplicate Suricata - Bug #2500: stored will always equal false in fileinfo eventsClosedElazar BroadActions
Actions
Copy link
 #1

Updated by Victor Julien almost 3 years ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Target version changed from 6.0.5 to 7.0.0-beta1
Actions
Copy link
 #2

Updated by Victor Julien over 2 years ago

Is the file store module enabled? It will only be set to true if it was actually stored.

Actions
Copy link
 #3

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to TBD
Actions
Copy link
 #4

Updated by Victor Julien about 2 years ago

  • Status changed from Assigned to Feedback
Actions
Copy link
 #5

Updated by Eric Leblond about 2 years ago

Victor Julien wrote in #note-2:

Is the file store module enabled? It will only be set to true if it was actually stored.

I think so in the reported case but I also see the same in a test I have just done today with latest master.

Actions
Copy link
 #6

Updated by Eric Leblond about 2 years ago

Using the signature 

alert http any any -> any any (msg:"COwboys"; metadata: training suricata; sid:1; rev:1; http.content_type; content:"application"; filestore;)

on the MTA pcap there https://www.malware-traffic-analysis.net/2020/03/04/index.html

is triggering the issue.

Actions
Copy link
 #8

Updated by Victor Julien about 2 years ago

  • Status changed from Feedback to Assigned
  • Assignee changed from Eric Leblond to Victor Julien
  • Target version changed from TBD to 7.0.0-rc1
Actions
Copy link
 #9

Updated by Philippe Antoine almost 2 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Victor Julien to Philippe Antoine

Why did you take this Victor ?

https://github.com/OISF/suricata/pull/8321

Actions
Copy link
 #10

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions
Copy link
 #11

Updated by Philippe Antoine over 1 year ago

  • Has duplicate Bug #2500: stored will always equal false in fileinfo events added
Actions
Copy link
 #12

Updated by Philippe Antoine over 1 year ago

  • Target version changed from 8.0.0-beta1 to 7.0.0
Actions
Copy link
 #13

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0 to 7.0.1
Actions
Copy link
 #14

Updated by Philippe Antoine about 1 year ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF