Bug #7356 (open)
Unexpected effect of filestore keyword
Description
If we take the following two signatures on a pcap file where exe files are downloaded over HTTP, then the first one (sid 1) is matching but the second is not:
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore; sid:2; rev:1;)
We have no file in the direction of http.uri, but according to the documentation filestore should not prevent the match.
Tested on 6, 7 and master.
Updated by Eric Leblond 3 days ago
- Related to Bug #7357: filestore keyword option seems not to work added
Updated by Eric Leblond 2 days ago
In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.10-wrong-direction is testing this problem.
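One way to check a Suricata build for the symptom reported above is to compare, per flow, which of the two paired signatures alerted in the EVE JSON output. This is an added example, not part of the ticket or of the suricata-verify test; the sample records are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed EVE JSON lines (not taken from the ticket's pcap): flow 1001 shows
# the reported symptom, flow 1002 shows the behaviour the reporter expects.
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":1001,"http":{"url":"/files/setup.exe"},"alert":{"signature_id":1}}
{"event_type":"http","flow_id":1001,"http":{"url":"/files/setup.exe"}}
{"event_type":"alert","flow_id":1002,"http":{"url":"/dl/tool.exe"},"alert":{"signature_id":1}}
{"event_type":"alert","flow_id":1002,"http":{"url":"/dl/tool.exe"},"alert":{"signature_id":2}}
"""

def alerts_by_flow(lines):
    """Map flow_id -> set of signature ids that alerted on that flow."""
    flows = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines, e.g. a log still being written
        if event.get("event_type") != "alert":
            continue
        flow_id = event.get("flow_id")
        sid = event.get("alert", {}).get("signature_id")
        if flow_id is not None and sid is not None:
            flows[flow_id].add(sid)
    return flows

def diverging_flows(lines, baseline_sid=1, filestore_sid=2):
    """Flow ids where the baseline rule alerted but its filestore twin did not."""
    return sorted(
        flow for flow, sids in alerts_by_flow(lines).items()
        if baseline_sid in sids and filestore_sid not in sids
    )

if __name__ == "__main__":
    for flow in diverging_flows(SAMPLE_EVE.splitlines()):
        print(f"flow {flow}: sid 1 alerted, sid 2 (filestore) did not")
```

An empty result on a pcap where sid 1 fires means the filestore variant matched on every flow the baseline rule did.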