
smb: New keyword smb.filename v4

Open zer1t0 opened this issue 2 years ago • 1 comment

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5082

Describe changes:

  • Add new sticky buffer smb.filename to match the filenames that are being accessed by SMB through the create file request
  • Add documentation for the keyword

Rule example: alert smb any any -> any any (msg: "SMB file a.txt";smb.filename; content:"a.txt";sid:1;)

suricata-verify-pr: 802

zer1t0 avatar Apr 28 '22 11:04 zer1t0
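To show what the new buffer holds, here is an added example (not code from the PR or from Suricata) that builds a constructed SMB2 CREATE request, pulls the UTF-16LE filename out of it using the field layout from MS-SMB2 2.2.13, and then applies a content match the way the rule above would. The helper names and the sample field values are assumptions; Suricata's own buffer construction is not shown here.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_CREATE = 0x05                  # SMB2 CREATE command code (MS-SMB2 2.2.13)
SMB2_HEADER_LEN = 64
SMB2_FLAGS_SERVER_TO_REDIR = 0x1    # set on responses; only requests carry a name
CREATE_FIXED_LEN = 56               # fixed part of the CREATE request body

def build_smb2_create_request(filename: str, message_id: int = 1) -> bytes:
    """Constructed sample PDU: an SMB2 CREATE request opening `filename`."""
    name = filename.encode("utf-16-le")  # SMB2 names are UTF-16LE, no NUL terminator
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 1, 0, SMB2_CREATE,
                         1, 0, 0, message_id, 0, 1, 0x1234, b"\x00" * 16)
    body = struct.pack("<HBBIQQIIIIIHHII",
                       57, 0, 0, 2, 0, 0,        # StructureSize .. Reserved
                       0x00120089, 0x80, 0x07,  # DesiredAccess, FileAttributes, ShareAccess
                       1, 0x40,                 # FILE_OPEN, FILE_NON_DIRECTORY_FILE
                       SMB2_HEADER_LEN + CREATE_FIXED_LEN, len(name), 0, 0)
    return header + body + name

def smb2_create_filename(pdu: bytes):
    """Extract the filename an SMB2 CREATE *request* asks for; None otherwise."""
    if len(pdu) < SMB2_HEADER_LEN + CREATE_FIXED_LEN or pdu[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", pdu, 12)
    flags, = struct.unpack_from("<I", pdu, 16)
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    # NameOffset/NameLength sit 44 bytes into the CREATE body; the offset is
    # relative to the start of the SMB2 header, so bounds-check it against the PDU.
    name_off, name_len = struct.unpack_from("<HH", pdu, SMB2_HEADER_LEN + 44)
    if name_len % 2 or name_off < SMB2_HEADER_LEN or name_off + name_len > len(pdu):
        return None                          # malformed: refuse to guess
    try:
        return pdu[name_off:name_off + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None

def rule_matches(pdu: bytes, content: str) -> bool:
    """Mimic `smb.filename; content:"<content>";` as a substring match on the buffer."""
    name = smb2_create_filename(pdu)
    return name is not None and content in name

if __name__ == "__main__":
    pdu = build_smb2_create_request(r"docs\a.txt")
    print(smb2_create_filename(pdu), rule_matches(pdu, "a.txt"))
```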

Codecov Report

Merging #7337 (c70c43b) into master (2ebb525) will decrease coverage by 1.90%. The diff coverage is 88.88%.

@@            Coverage Diff             @@
##           master    #7337      +/-   ##
==========================================
- Coverage   77.68%   75.78%   -1.91%     
==========================================
  Files         628      657      +29     
  Lines      185657   190093    +4436     
==========================================
- Hits       144232   144064     -168     
- Misses      41425    46029    +4604     
Flag              Coverage Δ
fuzzcorpus        60.26% <36.00%> (+2.21%) ↑
suricata-verify   51.62% <88.88%> (-2.84%) ↓
unittests         61.01% <36.00%> (-2.03%) ↓

Flags with carried forward coverage won't be shown.

codecov[bot] avatar Apr 28 '22 11:04 codecov[bot]

Added the needs rebase label due to the conflicts, sorry if I'm wrong...

jufajardini avatar Nov 28 '22 17:11 jufajardini

Closing due to inactivity. If you're interested in picking this back up, please open a new PR addressing the comments. Thanks!

victorjulien avatar May 05 '23 08:05 victorjulien