
Bug #2614

Updated by Victor Julien almost 4 years ago

(using the foo.cap attached and previously provided in this mail thread here - https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-August/016080.html ) 

1)
Using 4.1.0-dev (rev 1f4cd75f) with filestorev2 and having fileextraction unconditionally enabled (https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443 un-commented)

I get the 2 PDFs -
<pre>
locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1: PDF document, version 1.6
locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa: PDF document, version 1.4

root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
-rw-r--r-- 1 root root 294K Aug 24 16:54 locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
-rw-r--r-- 1 root root 94K Aug 24 16:54 locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
</pre>
 

2)

Disabled fileextraction unconditionally (https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443 commented back)

and using only this rule -
<pre>
alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF document"; filestore; sid:777; rev:1;)
</pre>
I get no PDF files extracted (although I should).

Using only this rule however -
<pre>
alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF"; filestore; sid:666; rev:1;)
</pre>
I get the two PDFs extracted.

So it seems the only difference is filemagic:"PDF document" and filemagic:"PDF". (It didn't use to be like that before - you could just specify filemagic:"PDF document" and that was working as expected.)
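Added example (not part of this bug report or of Suricata's code): a small Python audit of a filestore v2 directory that checks each extracted file's SHA-256 against its file name and classifies its magic, then applies the substring match that filemagic is expected to perform, so both "PDF" and "PDF document" should hit "PDF document, version 1.4". The PDF header sniff is a stand-in for libmagic (assumption) so the script runs without the `file` binary; `audit_filestore` and `filemagic_matches` are hypothetical names.

```python
import hashlib
import os
import re

# Stand-in for libmagic's PDF description ("PDF document, version 1.4").
# Only the PDF case from the report is modelled; anything else is "data".
_PDF_HDR = re.compile(rb"^%PDF-(\d\.\d)")


def sniff_magic(data: bytes) -> str:
    m = _PDF_HDR.match(data[:16])
    return f"PDF document, version {m.group(1).decode()}" if m else "data"


def filemagic_matches(pattern: str, magic: str) -> bool:
    # filemagic compares the rule pattern against the magic description as a
    # substring, so "PDF" and "PDF document" should both match a PDF.
    return pattern in magic


def audit_filestore(root: str) -> list:
    """Walk a filestore v2 tree (<root>/<2 hex>/<sha256>) and report, per file,
    its size, magic and whether the content hash matches the file name."""
    results = []
    for sub in sorted(os.listdir(root)):
        subdir = os.path.join(root, sub)
        if not os.path.isdir(subdir):
            continue
        for name in sorted(os.listdir(subdir)):
            path = os.path.join(subdir, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            results.append({
                "path": os.path.relpath(path, root),
                "size": len(data),
                "magic": sniff_magic(data),
                # filestore v2 names files by SHA-256 inside a 2-hex-char prefix dir
                "hash_ok": digest == name and name.startswith(sub),
            })
    return results


if __name__ == "__main__":
    import sys
    for row in audit_filestore(sys.argv[1] if len(sys.argv) > 1 else "locallog/filestore"):
        print(row)
```

Run it against the `locallog/filestore` directory from the report to confirm the two PDFs are present, intact and carry a magic string that `filemagic:"PDF document"` ought to match.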
