[Oisf-users] signature keywords fileext and filemagic
Miso Mijatovic
mmijatovic at sorint.it
Fri Jun 12 16:05:01 UTC 2015
Hi to all,
I wrote this sig:
alert http any any -> any any (msg:"MASKED FILE exe"; fileext:!"exe"; filemagic:"executable"; classtype:suspicious-filename-detect; sid:1200400; rev:1;)
but it doesn't work; more precisely, it matches even on files with .exe extensions. I suspect the cause is that the file passes through some kind of stream and Suricata doesn't recognize it as a .exe until it has completely passed. Any help is appreciated. Thanks.
Miso Mijatovic
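An added example, not part of the original post and not Suricata code: a standalone Python check of the condition the rule above expresses (extension is not "exe", but the content carries an executable's magic), run over a few constructed samples. It assumes a simplified magic test that looks for the MZ/PE header directly instead of libmagic's "executable" description, and it shows that the check is only meaningful once enough of the file has been seen.

```python
import os
import struct

# Constructed minimal PE-like header: "MZ", e_lfanew at offset 0x3C pointing
# to a "PE\0\0" signature. Enough to trip a magic check, not a real binary.
def make_pe_stub() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def has_pe_magic(data: bytes) -> bool:
    """Simplified stand-in for filemagic:"executable" (assumption: PE only)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False                               # too short or not MZ
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_ext(filename: str) -> str:
    """Stand-in for the fileext buffer: extension without the dot, lowercased."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def is_masked_executable(filename: str, data: bytes) -> bool:
    """Equivalent of fileext:!"exe"; filemagic:"executable" over a complete buffer."""
    return file_ext(filename) != "exe" and has_pe_magic(data)


# Constructed samples: (filename, bytes seen so far).
SAMPLES = {
    "masked": ("invoice.pdf", make_pe_stub()),          # PE content, .pdf name
    "honest_exe": ("setup.exe", make_pe_stub()),         # PE content, .exe name
    "plain_text": ("notes.txt", b"just some text\n"),    # no magic at all
    "partial": ("invoice.pdf", make_pe_stub()[:10]),     # only the first bytes
}


def classify_samples() -> dict:
    """Map sample name -> whether the masked-executable condition holds."""
    return {name: is_masked_executable(fn, data) for name, (fn, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:>10}: {'ALERT' if hit else 'no match'}")
```

Only the "masked" sample should alert; the "partial" sample shows that an incomplete buffer cannot satisfy the magic test, which is the kind of timing issue the post suspects.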