[Oisf-users] signature keywords fileext and filemagic

Miso Mijatovic mmijatovic at sorint.it
Fri Jun 12 16:05:01 UTC 2015

Hi to all, 

i wrote this sig: 

alert http any any -> any any (msg:"MASKED FILE exe"; fileext:!"exe"; filemagic:"executable"; classtype:suspicious-filename-detect; sid:1200400; rev:1;) 

but it doesn't work, more precisely it matches even on files with .exe extensions. I suspect the cause is that the file passes through some kind of stream and Suricata doesn't recognize it as a .exe until it has completely passed. Any help is appreciated, Thanks. 

Miso Mijatovic 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150612/e1c72ee2/attachment.html>

More information about the Oisf-users mailing list