In our rules we have this rule:
pass http any any -> any any (msg:"IMAGE"; http_content_type; content:"image"; filestore; sid:1;)
Now the question is ... how can I modify this kind of rule to store only images that are "as normal" images? For example, this kind of rule also stores favicons. Is it possible to define a minimal resolution to store these images in filestore?
You could use multiple rules, not just one for image but various specific ones, one for each of the Media Types, excluding those you don't want, i.e. image/x-icon for favicons. Since the rule as it is just looks at the HTTP header, not at the body, you won't be able to select on file format-specific properties like resolution or image size.

You might be able to use the HTTP Content-Length header (Suricata buffer http.content_len) though, to filter transfers that are "too small". See 6.12. HTTP Keywords — Suricata 6.0.4 documentation
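As an added illustration of the two suggestions above (not rules from the thread or from the Suricata project), the following ruleset stores only specific raster image types and only when the server's advertised Content-Length exceeds a chosen floor. The sids, the 4096-byte floor and the set of media types are assumptions picked for the example; adjust them to your environment. It uses the sticky-buffer keyword names (http.content_type, http.content_len) rather than the legacy http_content_type modifier from the original rule; both are accepted by Suricata 6.

```suricata
# Added example ruleset (not from the original post). sids 1000001-1000003 and the
# 4096-byte Content-Length floor are placeholder values chosen for this example.
#
# Each rule only matches server responses (flow:to_client) whose Content-Type
# names one explicit image media type, and whose Content-Length header, read as
# a decimal string of up to 10 digits, is greater than 4096. Favicons served as
# image/x-icon never match because no rule names that type.

# JPEG
pass http any any -> any any (msg:"FILESTORE image/jpeg larger than 4KB"; flow:established,to_client; http.content_type; content:"image/jpeg"; http.content_len; byte_test:10,>,4096,0,string,dec; filestore; sid:1000001; rev:1;)

# PNG
pass http any any -> any any (msg:"FILESTORE image/png larger than 4KB"; flow:established,to_client; http.content_type; content:"image/png"; http.content_len; byte_test:10,>,4096,0,string,dec; filestore; sid:1000002; rev:1;)

# GIF
pass http any any -> any any (msg:"FILESTORE image/gif larger than 4KB"; flow:established,to_client; http.content_type; content:"image/gif"; http.content_len; byte_test:10,>,4096,0,string,dec; filestore; sid:1000003; rev:1;)
```

Two caveats when using this. First, a response sent with chunked transfer encoding carries no Content-Length header, so http.content_len is empty and none of these rules match; such images are simply not stored, which may or may not be what you want. Second, a size floor is only a proxy for resolution: a heavily compressed large image can be small and a tiny image can be padded, so if you truly need a minimum pixel resolution, the reliable place to enforce it is a post-processing step over the files written by the file-store output (which must be enabled in suricata.yaml for filestore to do anything), where the image headers can actually be parsed.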