Bug #4016
Updated by Victor Julien over 1 year ago
Hi! I have configured suricata with the following filestore options:
<pre><code class="yaml">
  - file-store:
      version: 2
      enabled: yes
      dir: filestore
      write-fileinfo: yes
      force-hash: [sha1, md5]
</code></pre>
And I have added the following rule to store ZIP files when the file size is smaller than 3 MB:
<pre>
alert http any any -> any any (msg:"ZIP < 3MB filestore"; fileext:"zip"; filesize:<3MB; filestore; sid:5; rev:1;)
</pre>
When I test it with a pcap, the rule generates an alert and the file info and the file are stored:
<pre>
# ls -ltrh filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b*
-rw-r--r--. 1 root root 947 oct  6 18:20 filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b.1598688683.1.json
-rw-r--r--. 1 root root   0 oct  6 18:20 filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b
</pre>
But... the file is empty, as you can see from the size above. If I delete the filesize keyword from the rule and test it again, the file is stored correctly:
<pre>
# ls -ltrh filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b*
-rw-r--r--. 1 root root  946 oct  6 18:23 filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b.1598688683.1.json
-rw-r--r--. 1 root root 100K oct  6 18:23 filestore/7a/7a523db62d17643f7ea0839928fc7891a821471b799acd98f5361cb96476f36b
</pre>
How can I correct this issue? Is there some feature I have to enable with the filesize keyword? Is it a bug? Thanks a lot for your help!
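The symptom above (a sidecar .json written, a stored file of zero bytes) is easy to miss in a large filestore. The following script is an added example, not code from the reporter or from the Suricata project: it walks a filestore v2 directory, recomputes each stored file's SHA-256 (v2 names the file by that hash), and compares the on-disk length with the size recorded in the sidecar. It assumes the sidecar is the EVE "fileinfo" record with "size" and "stored" fields and the `<dir>/<hh>/<sha256>[.<ts>.<n>.json]` layout; the sample store it builds is constructed test data, not a real capture.

```python
"""
Integrity check for a Suricata filestore (v2 layout) directory.

Assumptions (not taken from the bug report): each stored file lives at
<root>/<first two hex chars of sha256>/<sha256>, and its sidecar
<sha256>.<timestamp>.<n>.json holds the EVE "fileinfo" record with
"size" and "stored" fields. Those field names are assumed here.
"""
import hashlib
import json
import os
import tempfile


def check_filestore(root):
    """Return a list of (sha256, problem) tuples for stored files whose
    bytes disagree with their name or their sidecar. Empty list == clean."""
    problems = []
    for sub in sorted(os.listdir(root)):
        subdir = os.path.join(root, sub)
        if not os.path.isdir(subdir) or len(sub) != 2:
            continue
        entries = sorted(os.listdir(subdir))
        for name in entries:
            if name.endswith(".json") or len(name) != 64:
                continue  # only the hash-named payload files
            with open(os.path.join(subdir, name), "rb") as f:
                data = f.read()
            actual = hashlib.sha256(data).hexdigest()
            # v2 names the file by its sha256; a mismatch means the payload
            # is truncated/empty or the store was altered after writing.
            if actual != name:
                problems.append((name, "sha256 mismatch: content hashes to %s" % actual))
            sidecars = [s for s in entries
                        if s.startswith(name + ".") and s.endswith(".json")]
            for sc in sidecars:
                with open(os.path.join(subdir, sc)) as f:
                    info = json.load(f).get("fileinfo", {})
                expected = info.get("size")
                if expected is not None and expected != len(data):
                    problems.append((name, "size mismatch: fileinfo says %d, on disk %d (%s)"
                                     % (expected, len(data), sc)))
                if info.get("stored") and len(data) == 0:
                    problems.append((name, "zero-byte file marked as stored (%s)" % sc))
    return problems


def _write_entry(root, sha, content, size, ts=1598688683):
    """Write one payload file plus a sidecar in the assumed v2 layout."""
    d = os.path.join(root, sha[:2])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, sha), "wb") as f:
        f.write(content)
    with open(os.path.join(d, "%s.%d.1.json" % (sha, ts)), "w") as f:
        json.dump({"fileinfo": {"sha256": sha, "size": size, "stored": True}}, f)


def build_sample_store():
    """Build a throwaway filestore (constructed data) with one healthy
    entry and one reproducing the report's symptom: a sidecar recording the
    real size next to a zero-byte payload named after the full file's hash.
    Returns (root, good_sha, empty_sha)."""
    root = tempfile.mkdtemp(prefix="filestore-")
    good = b"PK\x03\x04" + b"A" * 1020            # 1024-byte fake ZIP
    good_sha = hashlib.sha256(good).hexdigest()
    _write_entry(root, good_sha, good, size=len(good))
    full = b"PK\x03\x04" + b"B" * 100000          # what should have been stored
    empty_sha = hashlib.sha256(full).hexdigest()
    _write_entry(root, empty_sha, b"", size=len(full))   # but zero bytes hit disk
    return root, good_sha, empty_sha


if __name__ == "__main__":
    root, _, _ = build_sample_store()
    for sha, why in check_filestore(root):
        print(sha, why)
```

Run it against a live store with `check_filestore("/var/log/suricata/filestore")` (path assumed); every hit is a file you cannot trust for later analysis, which is exactly what a silently empty payload would otherwise hide.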