Neo23x0/Loki

Suggestion about file skipping due to file size

security-companion opened this issue · 4 comments

Hi,
I really like Loki, but recently I wrote my own rule and had a hard time figuring out why a certain file that I was scanning didn't trigger an alert that I had defined in my own rule. After some time I noticed that the reason was its file size. Loki skips files that are bigger than the default value.

So my suggestion is:

  • show a notice at the end of a scan log that files were skipped because of file size; otherwise a user can be misled. He thinks his system is clean, but actually a "bad" file was skipped and an alert was not raised because the file was too big
  • when using --printall, print in the log if a file is skipped because of file size

What do you think? Would you accept these suggestions as a pull request?

Greetings
security-companion

A WARNING level message for every file that gets skipped?
That would lead to hundreds of Warning messages per scan.

Okay, if you want I can also convert it to an INFO. Then it would be the same level as "Skipping file due to fast scan mode"

I've adapted the pull request

@Neo23x0 What about adding (only if files were skipped) one warning or notice at the end with something like "There have been files skipped due to file size or unknown file type. Please rerun with --printall to see which"
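
The logging behaviour discussed in this thread, as an added sketch that is not part of the thread and not Loki's own code: per-file skip messages at INFO only when `printall` is set, plus a single end-of-scan notice when anything was skipped. The names `scan_tree`, `summary_notice`, `max_size_bytes`, the message wording and the sample files are assumptions made for illustration.

```python
import logging
import os
import tempfile

log = logging.getLogger("scan-sketch")  # hypothetical logger name

def scan_tree(root, max_size_bytes, printall=False, match=lambda path: False):
    """Walk root and return (alerts, skipped); skipped holds (path, size) of oversized files."""
    alerts, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.lstat(path).st_size  # lstat: do not follow symlinks
            if size > max_size_bytes:
                # Record every skip so the coverage gap is never silent.
                skipped.append((path, size))
                if printall:
                    # INFO, not WARNING: avoids hundreds of warnings per scan.
                    log.info("Skipping file due to file size: %s (%d bytes)", path, size)
                continue
            if match(path):
                alerts.append(path)
    return alerts, skipped

def summary_notice(skipped):
    """Return one end-of-scan line if files were skipped, otherwise None."""
    if not skipped:
        return None
    return ("%d file(s) skipped due to file size. "
            "Rerun with --printall to see which." % len(skipped))

def demo():
    """Constructed sample: two files with the same marker, one above the size limit."""
    def contains_marker(path):  # stand-in for a real signature match
        with open(path, "rb") as fh:
            return b"MARKER" in fh.read()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "small.bin"), "wb") as fh:
            fh.write(b"MARKER")
        with open(os.path.join(root, "big.bin"), "wb") as fh:
            fh.write(b"MARKER" + b"\0" * 4096)
        alerts, skipped = scan_tree(root, max_size_bytes=1024, match=contains_marker)
        return ([os.path.basename(p) for p in alerts],
                [os.path.basename(p) for p, _ in skipped],
                summary_notice(skipped))

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

In the constructed sample, `big.bin` contains the same marker as `small.bin` but never reaches the matcher; the summary line is the only signal that the scan result is incomplete.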