Bug #7356
openUnexpected effect of filestore keyword
Description
If we take the two following signatures on a pcap file where exe file are downloaded over http, then the first one (sid 1) is matching but the second is not:
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore; sid:2; rev:1;)
We have no file in the direction of http.uri but from documentation filestore should not prevent the match.
Tested on 6, 7 and master.
Updated by Eric Leblond about 2 months ago
- Related to Bug #7357: filestore keyword option seems not to work added
Updated by Jason Ish about 2 months ago
- Affected Versions 7.0.7 added
- Affected Versions deleted (
7.0.9)
Updated by Eric Leblond about 2 months ago
In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.10-wrong-direction is testing this problem.
Updated by Philippe Antoine 9 days ago
We have no file in the direction of http.uri but from documentation filestore should not prevent the match.
I do not fund such documentation looking at https://docs.suricata.io/en/latest/rules/file-keywords.html#filestore