Project

General

Profile

Actions
Copy link

Bug #7356

open

Unexpected effect of filestore keyword

Added by Eric Leblond 2 days ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.7, git master
Effort:
Difficulty:
Label:

Description

If we take the two following signatures on a pcap file where exe file are downloaded over http, then the first one (sid 1) is matching but the second is not:

alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore; sid:2; rev:1;)

We have no file in the direction of http.uri but from documentation filestore should not prevent the match.

Tested on 6, 7 and master.

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7357: filestore keyword option seems not to workIn ProgressEric LeblondActions
Actions
Copy link
 #1

Updated by Eric Leblond 2 days ago

  • Related to Bug #7357: filestore keyword option seems not to work added
Actions
Copy link
 #2

Updated by Jason Ish 2 days ago

  • Affected Versions 7.0.7 added
  • Affected Versions deleted (7.0.9)
Actions
Copy link
 #3

Updated by Eric Leblond 2 days ago

In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.10-wrong-direction is testing this problem.

Actions
Copy link

Also available in: Atom PDF