[Oisf-devel] Suricata file-store not logging md5

Marcos Rodriguez marcos.e.rodriguez at gmail.com
Mon Apr 30 16:04:39 UTC 2012


On Mon, Apr 30, 2012 at 10:38 AM, Mike Cox <mike.cox52 at gmail.com> wrote:

> I have grabbed the latest version of Suricata from GIT and enabled
> file-store.  However, in the meta file, I do not see the md5 sum being
> logged.  Of course, if the file is logged too, calculating the md5 on
> the sensor machine (outside of Suricata) is trivial but I thought it
> would log the md5 if it was enabled.  From my config .yaml file:
>
>  - file-store:
>     enabled: yes       # set to yes to enable
>     log-dir: files    # directory to store the files
>     force-magic: yes   # force logging magic on all stored files
>     force-md5: yes     # force logging of md5 checksums
>     #waldo: file.waldo # waldo file to store the file-id across runs
>
> I have the stream reassembly and HTTP request/response body sizes set
> high enough that I am getting all of the file but I don't see the MD5
> sum logged.  From the meta file:
>
> TIME:              04/28/2012-03:31:01.457465
> SRC IP:            97.67.101.89
> DST IP:            192.168.5.21
> PROTO:             6
> SRC PORT:          80
> DST PORT:          24593
> HTTP URI:          /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> HTTP HOST:         download.windowsupdate.com
> HTTP REFERER:      <unknown>
> FILENAME:          /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> MAGIC:             PE32+ executable for MS Windows (GUI)
> STATE:             CLOSED
> SIZE:              5382
>
> Also, does the filename normally include all the URL?
>
> This is Suricata 1.3dev (rev e6dea5c).
>
> Thanks.
>
>  -Mike Cox
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>

Hi Mike, et al,

Do you have libnss installed?  I believe you need that in order to take
advantage of the md5 calcs.

marcos
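A sensor-side check for the gap both messages describe, added here as example code that is not from the thread or from the Suricata project: it parses the key/value .meta layout quoted above, tells a complete file apart from a truncated one before trusting any hash, and reports whether Suricata wrote an MD5 line that agrees with an independently computed digest. It assumes the file-store log-dir holds file.N next to file.N.meta and that an enabled checksum appears as an `MD5:` line; the sample meta record and bytes are constructed.

```python
import hashlib
from pathlib import Path

# Constructed sample in the layout quoted in the thread; it has no MD5 line,
# which is the symptom Mike reports.  SIZE is made to match SAMPLE_DATA.
SAMPLE_META = """TIME:              04/28/2012-03:31:01.457465
SRC IP:            97.67.101.89
DST IP:            192.168.5.21
HTTP HOST:         download.windowsupdate.com
FILENAME:          /msdownload/update/software/defu/2012/04/am_delta_patch.exe
MAGIC:             PE32+ executable for MS Windows (GUI)
STATE:             CLOSED
SIZE:              5
"""
SAMPLE_DATA = b"MZ\x90\x00\x03"  # constructed 5-byte stand-in for file.N

def parse_meta(text):
    """Turn 'KEY:   value' lines into a dict keyed by the upper-case label."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only: URLs keep theirs
        if sep and key.strip():
            meta[key.strip()] = value.strip()
    return meta

def verify(meta, data):
    """Compare a parsed .meta record with the bytes actually stored on disk.

    Returns (status, computed_md5) with status 'incomplete' (STATE not CLOSED
    or SIZE differs, so a hash would describe a partial transfer), 'missing-md5'
    (complete file, but no MD5 line was logged), 'match' or 'mismatch'.
    """
    computed = hashlib.md5(data).hexdigest()
    if meta.get("STATE") != "CLOSED" or meta.get("SIZE") != str(len(data)):
        return "incomplete", computed
    logged = meta.get("MD5")   # assumed label of the line force-md5 produces
    if logged is None:
        return "missing-md5", computed
    return ("match" if logged.lower() == computed else "mismatch"), computed

def check_stored_file(meta_path):
    """Run verify() for file.N.meta and its companion file.N in the log-dir."""
    meta_path = Path(meta_path)
    data = meta_path.with_suffix("").read_bytes()   # file.N.meta -> file.N
    return verify(parse_meta(meta_path.read_text(errors="replace")), data)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, *check_stored_file(p))
```

Run it as `python3 check_filestore.py files/*.meta`; a run that reports `missing-md5` for CLOSED files while force-md5 is set points at the build (the libnss question above) rather than at reassembly limits.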