From 1c500f37e84097c90c949cf34f212e030754ef81 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Mon, 17 Jul 2023 16:36:58 +0000 Subject: [PATCH 1/2] doc: update file.name keyword information Signed-off-by: jason taylor --- doc/userguide/rules/file-keywords.rst | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 199bf5f6411c..8634050b1728 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -5,21 +5,25 @@ Suricata comes with several rule keywords to match on various file properties. They depend on properly configured :doc:`../file-extraction/file-extraction`. -filename +file.name -------- Matches on the file name. Syntax:: - filename:; + file.name:; Example:: - filename:"secret"; + file.name:"secret"; ``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. +**Note** The ``filename`` keyword is still supported but the ``file.name`` +convention is preferred due to better performance in signature +evaluation. + fileext ------- From 537d7ddf32add06a330eb06b2ead4e462fa47792 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Mon, 17 Jul 2023 17:01:36 +0000 Subject: [PATCH 2/2] doc: update file.magic keyword information Signed-off-by: jason taylor --- doc/userguide/rules/file-keywords.rst | 29 ++++++++++++++++++--------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 8634050b1728..a042304a0d00 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -6,7 +6,7 @@ properties. They depend on properly configured :doc:`../file-extraction/file-extraction`. file.name --------- +--------- Matches on the file name. 
@@ -20,9 +20,9 @@ Example:: ``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. -**Note** The ``filename`` keyword is still supported but the ``file.name`` -convention is preferred due to better performance in signature -evaluation. +**Note** The ``filename`` keyword is still supported but the +``file.name`` convention is preferred due to better performance +in signature evaluation. fileext ------- @@ -37,24 +37,33 @@ Example:: fileext:"jpg"; -filemagic ---------- +file.magic +---------- Matches on the information libmagic returns about a file. Syntax:: - filemagic:; + file.magic:; Example:: - filemagic:"executable for MS Windows"; + file.magic:"executable for MS Windows"; -Note: as libmagic versions differ between installations, the returned -information may also slightly change. See also #437. +**Note**: Suricata currently uses its underlying operating systems +version/implementation of libmagic. Different versions and +implementations of libmagic do not return the same information. +Additionally there are varying Suricata performance impacts +based on the version and implementation of libmagic. +Additional information about Suricata and libmagic can be found +here: https://redmine.openinfosecfoundation.org/issues/437 ``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. +**Note** The ``filemagic`` keyword is still supported but the +``file.magic`` convention is preferred due to better performance +in signature evaluation. + filestore ---------
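Review bot: in the first hunk of PATCH 1/2 (the one starting at `@@ -5,21 +5,25 @@`) the renamed heading `file.name` keeps the eight-dash underline `--------` inherited from `filename`, which is one character short for a nine-character title and will make the Sphinx build warn; use `---------` in this commit rather than repairing it in PATCH 2/2, so every commit in the series builds cleanly. Two further checks on the same hunk: the Syntax and Example lines were produced by a textual rename only (`file.name:;` and `file.name:"secret";`), and because the page states that `file.name` supports multi-buffer matching, which is a property of sticky buffers, please confirm that the keyword accepts a value in that position rather than the `file.name; content:"secret";` form, ideally by loading the example rule with `suricata -T`. Finally, the new note says `file.name` is preferred "due to better performance in signature evaluation" without saying what that refers to; either drop the justification or state it with a reference so a reader can verify it.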
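Review bot: the hunk at `@@ -6,7 +6,7 @@` in PATCH 2/2 only lengthens the `file.name` underline that PATCH 1/2 left one dash short; fold it into that commit with an interactive rebase instead of adding a commit whose sole purpose is fixing the previous one.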
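Review bot: the hunk at `@@ -20,9 +20,9 @@` rewraps the note that PATCH 1/2 introduced and changes no words; this whitespace-only reflow belongs in PATCH 1/2, so squash it there and wrap the note at the file's existing line width from the start.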
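Review bot: in the libmagic note of the hunk at `@@ -37,24 +37,33 @@`, "its underlying operating systems version/implementation of libmagic" needs the possessive "operating system's", and "Additionally there are varying Suricata performance impacts based on the version and implementation of libmagic" reads better as "Additionally, the version and implementation of libmagic also affect Suricata's performance." The bare URL in "Additional information ... can be found here:" can be an RST link, e.g. `` `#437 <https://redmine.openinfosecfoundation.org/issues/437>`_ ``. As with `file.name`, the example was changed by textual rename to `file.magic:"executable for MS Windows";`; since the page says `file.magic` supports multi-buffer matching, confirm that this is the accepted form rather than `file.magic; content:"executable for MS Windows";` and test-load the example rule. The closing note about `filemagic` versus `file.magic` repeats the `filename` note verbatim apart from the keyword names; if the performance justification is kept, state it once and reference it from both places.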