Filesize keyword suricata

Prateek-Sharma · June 13, 2024, 11:29am

Hello,

I’ve been working with the Suricata filesize keyword and successfully created a signature to block files larger than 10MB. Currently, the signature is functioning by blocking files after they’ve been partially downloaded, which is not the expected behavior.

Expected Behavior:
I expect the signature to block files larger than 10MB immediately upon their download initiation.

Current Behavior:
During a recent test, I began downloading a 100MB file, and it was allowed to download up to 90MB then blocked the downloading. and triggered a drop log entry in fast.log.

Could you please assist me in correcting this behavior. My goal is to ensure files larger than 10MB are blocked right from the start of their download.

Thank you for your support.

Best regards,
Prateek Sharma

Andreas_Herz · July 31, 2024, 8:59pm

How should Suricata know the filesize prior to the actual transfer?
This could only work, in theory, if there is a file info within the actual file request to determine it.

Topic		Replies	Views
Need help with HTTP Signatures Help community , rules	4	326	November 18, 2023
Detect ping with size more than 65000 bytes Help rules	6	934	October 5, 2022
How to block file transfer with any magic bytes? Help ips	7	1407	March 6, 2021
Rule data size question Rules rules , suricata	2	575	March 16, 2023
File-store creates empty files Help file-extraction	4	1354	July 1, 2020

Filesize keyword suricata

Related topics