-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: update file keywords v1 #9245
Conversation
Signed-off-by: jason taylor <jtfas90@gmail.com>
Signed-off-by: jason taylor <jtfas90@gmail.com>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9245 +/- ##
==========================================
- Coverage 82.40% 82.39% -0.01%
==========================================
Files 968 968
Lines 273952 273952
==========================================
- Hits 225760 225733 -27
- Misses 48192 48219 +27
Flags with carried forward coverage won't be shown. Click here to find out more. |
Related to: https://redmine.openinfosecfoundation.org/issues/6194 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, but as this may be the solution requested by @catenacyber in https://redmine.openinfosecfoundation.org/issues/437, let's wait for his feedback, too :)
|
||
``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. | ||
|
||
**Note** The ``filename`` keyword is still supported but the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is no longer true:
filename:"secret";
is now equivalent to file.name; content:"secret"; nocase;
Similarly, fileext:
fileext:pdf;
is equivalent to file.name; content:".pdf"; nocase; endswith;
. Note the dot that is prepended to pdf
.
This is handled at parsing, so at runtime this is identical in behavior and performance.
btw we're looking at backporting this optimization to 6: https://redmine.openinfosecfoundation.org/issues/6203
|
||
Matches on the information libmagic returns about a file. | ||
|
||
Syntax:: | ||
|
||
filemagic:<string>; | ||
file.magic:<string>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This incorrect. filemagic
is the legacy notation, that uses:
filemagic:"Windows"
;
file.magic
is the new implementation:
file.magic; content:"Windows"; nocase;
Note that like with filename
above, the difference exists only during parsing in 7.
|
||
``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. | ||
|
||
**Note** The ``filemagic`` keyword is still supported but the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
perf should now be identical
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see inline comments
continued in #9316 |
Make sure these boxes are signed before submitting your Pull Request -- thank you.
Link to redmine ticket:
Describe changes:
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like
pr/N
whereN
is thepull request number.
Alternatively,
SV_BRANCH
may also be a link to anOISF/suricata-verify pull-request.