[Oisf-users] signature keywords fileext and filemagic

Peter Manev petermanev at gmail.com
Fri Jun 12 19:14:25 UTC 2015


On Fri, Jun 12, 2015 at 6:05 PM, Miso Mijatovic <mmijatovic at sorint.it> wrote:
> Hi to all,
>
> I wrote this sig:
>
> alert http any any -> any any (msg:"MASKED FILE exe"; fileext:!"exe";
> filemagic:"executable"; classtype:suspicious-filename-detect; sid:1200400;
> rev:1;)

Does fileext:!"exe"; - just by itself in a rule - work as expected in
this set up?
Which Suri version are you using?

>
> but it doesn't work, more precisely it matches even on files with .exe
> extensions. I suspect the cause is that the file passes through some kind of
> stream and Suricata doesn't recognize it as a .exe until it has completely
> passed. Any help is appreciated. Thanks.
>
> Miso Mijatovic
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
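The rule in the quoted message tries to flag a transferred file whose content looks like an executable while its declared name does not carry the exe extension. The script below is an added example, not from this thread or from the Suricata project: it expresses that same extension-versus-magic check in plain Python over constructed transfer records (declared filename plus the first bytes of the body), so the intended logic can be seen independently of the Suricata keyword semantics being asked about. The FileTransfer type, the sample records and the allowed_exts parameter are assumptions of this example; the magic prefixes for PE ("MZ") and ELF ("\x7fELF") are the well-known ones. A record whose body has not been seen yet is left unflagged, which mirrors the concern in the question that the verdict depends on enough of the stream having arrived.

```python
"""Added example (not from the mailing-list thread): the extension-vs-magic check
that the quoted rule is trying to express, in plain Python.
Sample records below are constructed, not captured traffic."""
import os
from dataclasses import dataclass

# Leading bytes of common executable formats (well-known magic values).
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable (DOS/Windows)",
    b"\x7fELF": "ELF executable",
}


@dataclass
class FileTransfer:
    # hypothetical record type for this example
    filename: str   # name declared on the wire (e.g. Content-Disposition or URI)
    head: bytes     # first bytes of the file body seen so far


def extension_of(filename):
    """Lowercase extension without the dot, or "" when the name has none."""
    ext = os.path.splitext(filename)[1]
    return ext[1:].lower()


def magic_description(head):
    """Describe the executable format from the leading bytes, or None."""
    if len(head) < 2:
        return None  # too little of the body seen to decide
    for magic, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def is_masked_executable(transfer, allowed_exts=("exe",)):
    """True when the body is an executable but the declared extension is not
    in allowed_exts. The default of ("exe",) mirrors fileext:!"exe" in the
    quoted rule; widen it (e.g. "dll", "sys") if those are acceptable."""
    desc = magic_description(transfer.head)
    if desc is None:
        return False  # no executable magic (or body not seen yet): nothing to flag
    return extension_of(transfer.filename) not in allowed_exts


def scan(transfers, allowed_exts=("exe",)):
    """Return the filenames of all transfers that look like masked executables."""
    return [t.filename for t in transfers if is_masked_executable(t, allowed_exts)]


# Constructed sample records for this example.
SAMPLE = [
    FileTransfer("setup.exe", b"MZ\x90\x00\x03"),     # real .exe, extension agrees
    FileTransfer("invoice.pdf", b"MZ\x90\x00\x03"),   # PE body behind a .pdf name
    FileTransfer("manual.pdf", b"%PDF-1.4"),          # genuine PDF
    FileTransfer("update.bin", b"\x7fELF\x02\x01"),   # ELF body behind a neutral name
    FileTransfer("pending.exe", b""),                 # body not seen yet: undetermined
]

if __name__ == "__main__":
    for name in scan(SAMPLE):
        print("masked executable:", name)
```

Run directly, the script reports invoice.pdf and update.bin; setup.exe is not flagged because name and content agree, and pending.exe is not flagged because no body bytes have been seen, which is the case where a verdict taken too early would be wrong.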