Filesize keyword suricata


I’ve been working with the Suricata filesize keyword and successfully created a signature to block files larger than 10MB. Currently, the signature is functioning by blocking files after they’ve been partially downloaded, which is not the expected behavior.

Expected Behavior:
I expect the signature to block files larger than 10MB immediately upon their download initiation.

Current Behavior:
During a recent test, I began downloading a 100MB file, and it was allowed to download up to 90MB then blocked the downloading. and triggered a drop log entry in fast.log.

Could you please assist me in correcting this behavior. My goal is to ensure files larger than 10MB are blocked right from the start of their download.

Thank you for your support.

Best regards,
Prateek Sharma