
Issue 7357 v2 #2202

Open. Wants to merge 3 commits into base: master.

Conversation

regit (Contributor) commented Dec 20, 2024

Update of #2111:

  • remove test "fix" to keep existing logic

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7357

Add tests exhibiting issue on filestore

Tickets: #7346 #7347
Make sure the results are correct with regards to filestore keyword impact.
@@ -0,0 +1,2 @@
alert http any any -> any any (msg:"alert png images"; http.uri; content:".png"; nocase; sid:1; rev:1;)
alert http any any -> any any (msg:"store png images"; http.uri; content:".png"; nocase; filestore; sid:2; rev:1;)
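Review bot: The two rules in this hunk differ only by `filestore` on sid 2, yet the thread records disagreement over whether sid 2 should match at all ("I do not think this should match"), and the rules file itself states no expectation. Suggest a comment line above the rules, e.g. `# sid:1 must alert on every .png request; sid:2 additionally stores the file`, so the expected alert count and stored-file events are explicit and can be checked against the behaviour discussed in OISF/suricata#12312 rather than inferred from the rule text.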
Collaborator commented:

I do not think this should match, the others look ok

Collaborator commented:

see discussion at OISF/suricata#12312 (comment)

@@ -0,0 +1 @@
alert http any any -> any any (http.uri; content: "toto"; filestore; file.data; content: "tata"; sid:1;)
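Review bot: Only the positive case is covered here; sid 1 pairs an `http.uri` match on "toto" with a `file.data` match on "tata", while the review request in this thread is for a false-positive check. Suggest adding a sibling rule that shares the URI match but requires a file body the test traffic does not carry, as proposed below in the thread: `alert http any any -> any any (http.uri; content: "toto"; filestore; file.data; content: "titi"; sid:2;)`, and have the test assert that sid 2 neither alerts nor stores a file. For consistency with the other test rules, sid 1 should also carry `msg:` and `rev:`.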
Collaborator commented:

Thanks for adding this, but I think my remark was about false positive (instead of false negative)

So, we want to check that `alert http any any -> any any (http.uri; content: "toto"; filestore; file.data; content: "titi"; sid:2;)` does not match

catenacyber added the labels "requires suricata pr" (Depends on a PR in Suricata) and "decision-required" (Waiting on deliberation from the team) on Jan 24, 2025