Bug #2614
Updated by Victor Julien about 4 years ago
(using the foo.cap attached and previously provided in this mail thread here - https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-August/016080.html )

1) Using 4.1.0-dev (rev 1f4cd75f) with filestorev2 and having file extraction unconditionally enabled ( https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443 un-commented ) I get the 2 PDFs -
<pre>
locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1: PDF document, version 1.6
locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa: PDF document, version 1.4
root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
-rw-r--r-- 1 root root 294K Aug 24 16:54 locallog/filestore/41/41bb5056d7760a903bb2b5462fe7480aeb3d34cf15d0299195795b6194bcbaf1
root@DonPedro:/home/pevma/Work/Suricata/QA/tmp2# ls -lh locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
-rw-r--r-- 1 root root 94K Aug 24 16:54 locallog/filestore/c6/c6f1db059595d3ff29e58129adf47f94c0d55d0aa3efa26cecb24d21c8c20ffa
</pre>

2) Disabled file extraction unconditionally ( https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L443 commented back ) and using only this rule -
<pre>
alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF document"; filestore; sid:777; rev:1;)
</pre>
I get no PDF files extracted (although I should).

Using only this rule however -
<pre>
alert http any any -> any any (msg:"FILE magic"; filemagic:"PDF"; filestore; sid:666; rev:1;)
</pre>
I get the two PDFs extracted.

So it seems the only difference is filemagic:"PDF document" and filemagic:"PDF". (It didn't use to be like that before - you could just specify filemagic:"PDF document" and that was working as expected.)
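As an added check, not code from the bug report or from Suricata itself: a script that walks a filestore v2 tree like the locallog/filestore listing above, confirms each stored file's name is the SHA-256 of its content (so a truncated or altered extraction is flagged), and reads the PDF header directly instead of relying on libmagic. The <sha256[:2]>/<sha256> layout and the .json metadata file names are assumptions about the filestore v2 format; the sample PDF is constructed.

```python
import hashlib
import os
import re
import tempfile

# Constructed minimal PDF body used as sample input (not one of the files from the report).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
PDF_MAGIC = re.compile(rb"^%PDF-(\d\.\d)")

def write_filestore_v2(root, content):
    """Store content in the assumed filestore v2 layout: <root>/<sha256[:2]>/<sha256>."""
    digest = hashlib.sha256(content).hexdigest()
    subdir = os.path.join(root, digest[:2])
    os.makedirs(subdir, exist_ok=True)
    path = os.path.join(subdir, digest)
    with open(path, "wb") as fh:
        fh.write(content)
    return path

def check_filestore_v2(root):
    """Map each stored file name to "pdf <version>" or a short failure reason."""
    results = {}
    for subdir in sorted(os.listdir(root)):
        subdir_path = os.path.join(root, subdir)
        if not os.path.isdir(subdir_path):
            continue
        for name in sorted(os.listdir(subdir_path)):
            if name.endswith(".json"):  # assumed fileinfo metadata, not file content
                continue
            with open(os.path.join(subdir_path, name), "rb") as fh:
                data = fh.read()
            if hashlib.sha256(data).hexdigest() != name:
                results[name] = "hash mismatch (truncated or altered file)"
            elif name[:2] != subdir:
                results[name] = "wrong prefix directory"
            else:
                m = PDF_MAGIC.match(data)
                results[name] = f"pdf {m.group(1).decode()}" if m else "not a PDF"
    return results

def demo():
    """Build a throw-away store with one intact and one truncated file, then check it."""
    with tempfile.TemporaryDirectory() as root:
        write_filestore_v2(root, SAMPLE_PDF)
        # Constructed tampering: store a second file, then truncate it in place.
        bad = write_filestore_v2(root, SAMPLE_PDF + b"% second copy\n")
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_PDF[:10])
        return check_filestore_v2(root)
```

Calling demo() builds the throw-away store and returns one "pdf 1.4" entry and one hash-mismatch entry; point check_filestore_v2 at a real locallog/filestore directory to check extracted files the same way.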