[Oisf-devel] Suricata file-store not logging md5

Peter Manev petermanev at gmail.com
Mon Apr 30 16:03:17 UTC 2012


Hi,

do you have the MD5s in your JSON log file?

and is it just this file that does not have MD5 or all files?

thanks

On Mon, Apr 30, 2012 at 4:38 PM, Mike Cox <mike.cox52 at gmail.com> wrote:

> I have grabbed the latest version of Suricata from GIT and enabled
> file-store.  However, in the meta file, I do not see the md5 sum being
> logged.  Of course, if the file is logged too, calculating the md5 on
> the sensor machine (outside of Suricata) is trivial but I thought it
> would log the md5 if it was enabled.  From my config .yaml file:
>
>  - file-store:
>     enabled: yes       # set to yes to enable
>     log-dir: files    # directory to store the files
>     force-magic: yes   # force logging magic on all stored files
>     force-md5: yes     # force logging of md5 checksums
>     #waldo: file.waldo # waldo file to store the file-id across runs
>
> I have the stream reassembly and HTTP request/response body sizes set
> high enough that I am getting all of the file but I don't see the MD5
> sum logged.  From the meta file:
>
> TIME:              04/28/2012-03:31:01.457465
> SRC IP:            97.67.101.89
> DST IP:            192.168.5.21
> PROTO:             6
> SRC PORT:          80
> DST PORT:          24593
> HTTP URI:
>
> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> HTTP HOST:         download.windowsupdate.com
> HTTP REFERER:      <unknown>
> FILENAME:
>
> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> MAGIC:             PE32+ executable for MS Windows (GUI)
> STATE:             CLOSED
> SIZE:              5382
>
> Also, does the filename normally include all the URL?
>
> This is Suricata 1.3dev (rev e6dea5c).
>
> Thanks.
>
>  -Mike Cox
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>



-- 
Regards,
Peter Manev
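As an added example (not code from this thread or from the Suricata project): a small checker for the situation Mike describes, where the stored file is on disk but the `.meta` file carries no MD5 line. It parses the `KEY:   value` layout of the meta file (tolerating values wrapped onto the next line, as in the mailed copy), computes the MD5 of the stored payload itself, and reports whether the recorded hash is missing, matches, or disagrees. The `file.N` / `file.N.meta` side-by-side naming is an assumption; the sample meta text is constructed from the fields in the quoted report, and the payload bytes are a constructed stand-in.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One "KEY:   value" line of a file-store .meta file. Keys are upper-case
# words (SRC IP, HTTP URI, MD5, ...). A key with an empty value means the
# value was wrapped onto the following line.
META_LINE = re.compile(r"^([A-Z0-9][A-Z0-9 ]*):\s*(.*)$")


def parse_meta(text):
    """Parse .meta text into {KEY: value}, re-joining wrapped values."""
    fields = {}
    pending = None  # key whose value is expected on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = META_LINE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            pending = key if not value else None
        elif pending is not None:
            fields[pending] = line
            pending = None
    return fields


def verify(meta_text, stored_bytes):
    """Compare the MD5 recorded in the meta file with the stored payload.
    Returns ('missing', computed), ('match', md5) or ('mismatch', computed)
    so a caller can fill the gap in its own log or raise an alert."""
    fields = parse_meta(meta_text)
    computed = hashlib.md5(stored_bytes).hexdigest()
    recorded = fields.get("MD5")
    if recorded is None:
        return "missing", computed
    if recorded.lower() == computed:
        return "match", computed
    return "mismatch", computed


def check_stored_file(meta_path):
    """On-disk variant. Assumes Suricata writes file.N and file.N.meta side
    by side, so stripping the .meta suffix locates the payload."""
    meta_path = Path(meta_path)
    data_path = meta_path.with_suffix("")
    return verify(meta_path.read_text(), data_path.read_bytes())


# Constructed sample meta text mirroring the quoted report: no MD5 line,
# URI and FILENAME wrapped onto the next line as in the mail.
SAMPLE_META = """\
TIME:              04/28/2012-03:31:01.457465
SRC IP:            97.67.101.89
DST IP:            192.168.5.21
PROTO:             6
SRC PORT:          80
DST PORT:          24593
HTTP URI:
/msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
HTTP HOST:         download.windowsupdate.com
HTTP REFERER:      <unknown>
FILENAME:
/msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
MAGIC:             PE32+ executable for MS Windows (GUI)
STATE:             CLOSED
SIZE:              5382
"""

# Constructed stand-in for the stored payload (not a real PE file).
SAMPLE_DATA = b"abc"


def demo():
    """Write the sample pair to a temp dir and run the on-disk check."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "file.1").write_bytes(SAMPLE_DATA)
        meta = Path(d) / "file.1.meta"
        meta.write_text(SAMPLE_META)
        return check_stored_file(meta)


if __name__ == "__main__":
    status, digest = demo()
    print(f"{status}: {digest}")
```

Run over a file-store directory, a `missing` result identifies exactly the case in the report (stored file present, hash absent), and a `mismatch` is worth alerting on, since it means the bytes on disk no longer correspond to what the sensor recorded.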