Project

General

Profile

Actions
Copy link

Bug #7357

open

filestore keyword option seems not to work

Added by Eric Leblond 2 days ago. Updated 2 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Eric Leblond
Target version:
TBD
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

with the same condition described in https://redmine.openinfosecfoundation.org/issues/7356, it seems we have problem with the filestore keyword options:

alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; sid:1; rev:1;)
alert http any any -> any any (msg:"exe"; http.uri; content:"exe"; filestore:both,flow; sid:2; rev:1;)

Signature 1 is alerting and signature 2 is not although we have the option to store all files on the flow. Also extraction is not done.

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7356: Unexpected effect of filestore keywordNewOISF DevActions
Actions
Copy link
 #1

Updated by Eric Leblond 2 days ago

  • Related to Bug #7356: Unexpected effect of filestore keyword added
Actions
Copy link
 #2

Updated by Eric Leblond 2 days ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Eric Leblond
Actions
Copy link
 #3

Updated by Eric Leblond 2 days ago

In https://github.com/OISF/suricata-verify/pull/2111 filestore-v2.11-with-option is testing the problem.

Actions
Copy link

Also available in: Atom PDF