doc: update file keywords v1 #9245
@@ -5,21 +5,25 @@ Suricata comes with several rule keywords to match on various file | |
properties. They depend on properly configured | ||
:doc:`../file-extraction/file-extraction`. | ||
|
||
filename | ||
-------- | ||
file.name | ||
--------- | ||
|
||
Matches on the file name. | ||
|
||
Syntax:: | ||
|
||
filename:<string>; | ||
file.name:<string>; | ||
|
||
Example:: | ||
|
||
filename:"secret"; | ||
file.name:"secret"; | ||
|
||
``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. | ||
|
||
**Note** The ``filename`` keyword is still supported but the | ||
``file.name`` convention is preferred due to better performance | ||
in signature evaluation. | ||
|
||
fileext | ||
------- | ||
|
||
|
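Review bot: the Syntax and Example blocks at the top of this hunk document `file.name:<string>;` and `file.name:"secret";`, but `file.name` is a sticky buffer rather than a keyword that takes a value, so the documented form should be `file.name; content:"secret";` (the review discussion on this PR gives exactly that rewrite for `filename:"secret";`, with `nocase;` appended). The performance note at the end of the hunk also needs revisiting: the same discussion states that `filename` is rewritten into the `file.name` form at parse time, so runtime behaviour and performance are identical; recommend `file.name` as the preferred syntax without the performance justification.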
@@ -33,24 +37,33 @@ Example:: | |
|
||
fileext:"jpg"; | ||
|
||
filemagic | ||
--------- | ||
file.magic | ||
---------- | ||
|
||
Matches on the information libmagic returns about a file. | ||
|
||
Syntax:: | ||
|
||
filemagic:<string>; | ||
file.magic:<string>; | ||
This is incorrect. Note that like with
||
|
||
Example:: | ||
|
||
filemagic:"executable for MS Windows"; | ||
file.magic:"executable for MS Windows"; | ||
|
||
Note: as libmagic versions differ between installations, the returned | ||
information may also slightly change. See also #437. | ||
**Note**: Suricata currently uses its underlying operating systems | ||
version/implementation of libmagic. Different versions and | ||
implementations of libmagic do not return the same information. | ||
Additionally there are varying Suricata performance impacts | ||
based on the version and implementation of libmagic. | ||
Additional information about Suricata and libmagic can be found | ||
here: https://redmine.openinfosecfoundation.org/issues/437 | ||
|
||
``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. | ||
|
||
**Note** The ``filemagic`` keyword is still supported but the | ||
perf should now be identical
||
``file.magic`` convention is preferred due to better performance | ||
in signature evaluation. | ||
|
||
filestore | ||
--------- | ||
|
||
|
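Review bot: the Syntax and Example blocks for `file.magic` have the same problem the inline comment flags ("This is incorrect"): `file.magic` is a sticky buffer, so the form should be `file.magic; content:"executable for MS Windows";` rather than `file.magic:<string>;`. The trailing Note claiming better performance for `file.magic` over `filemagic` conflicts with the inline comment "perf should now be identical" and should be reworded to recommend the syntax without the performance claim. Minor wording in the libmagic Note: "its underlying operating systems version/implementation" should read "operating system's", and "Additionally there are varying Suricata performance impacts based on the version and implementation of libmagic" reads more clearly as "Additionally, Suricata performance varies with the version and implementation of libmagic."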
this is no longer true:
`filename:"secret";`
is now equivalent to `file.name; content:"secret"; nocase;`
Similarly, fileext:
`fileext:pdf;`
is equivalent to `file.name; content:".pdf"; nocase; endswith;`. Note the dot that is prepended to `pdf`. This is handled at parsing, so at runtime this is identical in behavior and performance.
btw we're looking at backporting this optimization to 6: https://redmine.openinfosecfoundation.org/issues/6203
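To make the equivalence described in the comment above concrete, here is an added Python example (not Suricata's code and not part of this PR) that models the parse-time rewrite of the legacy `filename` and `fileext` keywords into the `file.name` sticky-buffer form, then evaluates the rewritten rule against constructed file names. The function names, the simplified option grammar and the sample file names are assumptions made for illustration; Suricata's real parser and matcher are more involved.

```python
import re
from dataclasses import dataclass

# Hypothetical, simplified model of the parse-time rewrite described in the
# review comment. Accepts both quoted (fileext:"pdf";) and unquoted
# (fileext:pdf;) values. This is illustrative code, not Suricata's parser.
_LEGACY = re.compile(r'^\s*(filename|fileext)\s*:\s*"?([^";]*?)"?\s*;\s*$')


def rewrite_legacy_file_keyword(option: str) -> str:
    """Rewrite a legacy filename/fileext option into the file.name sticky-buffer form."""
    m = _LEGACY.match(option)
    if not m:
        return option.strip()  # not a legacy keyword; leave untouched
    keyword, value = m.groups()
    if keyword == "filename":
        # filename:"x";  ->  file.name; content:"x"; nocase;
        return f'file.name; content:"{value}"; nocase;'
    # fileext:x;  ->  file.name; content:".x"; nocase; endswith;
    # The dot is prepended and the match is anchored to the end of the name.
    return f'file.name; content:".{value}"; nocase; endswith;'


@dataclass
class ContentMatch:
    pattern: str
    nocase: bool = False
    endswith: bool = False


def parse_sticky_rule(rule: str) -> ContentMatch:
    """Parse 'file.name; content:"x"; [nocase;] [endswith;]' into a ContentMatch."""
    parts = [p.strip() for p in rule.split(";") if p.strip()]
    if not parts or parts[0] != "file.name":
        raise ValueError("only the file.name buffer is modelled here")
    cm = None
    for p in parts[1:]:
        if p.startswith("content:"):
            cm = ContentMatch(pattern=p[len("content:"):].strip().strip('"'))
        elif p == "nocase" and cm is not None:
            cm.nocase = True
        elif p == "endswith" and cm is not None:
            cm.endswith = True
    if cm is None:
        raise ValueError("rule has no content match")
    return cm


def file_name_matches(rule: str, file_name: str) -> bool:
    """Evaluate a file.name sticky-buffer rule against one file name."""
    cm = parse_sticky_rule(rule)
    hay, needle = file_name, cm.pattern
    if cm.nocase:
        hay, needle = hay.lower(), needle.lower()
    return hay.endswith(needle) if cm.endswith else needle in hay


if __name__ == "__main__":
    # Constructed sample rules and file names for illustration.
    for legacy in ('filename:"secret";', 'fileext:pdf;', 'fileext:"jpg";'):
        print(f"{legacy:24} -> {rewrite_legacy_file_keyword(legacy)}")
    rule = rewrite_legacy_file_keyword("fileext:pdf;")
    for name in ("Report.PDF", "pdf.txt", "notapdf"):
        print(f"{rule} matches {name!r}: {file_name_matches(rule, name)}")
```

The `endswith` plus the prepended dot is what keeps `fileext:pdf;` from matching names such as `pdf.txt` or `notapdf`, while `nocase` lets it match `Report.PDF`; the legacy `filename` form remains a case-insensitive substring match anywhere in the name.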