[Oisf-devel] Suricata file-store not logging md5
Mike Cox
mike.cox52 at gmail.com
Mon Apr 30 16:44:19 UTC 2012
Peter,
I do not have JSON logging enabled, just file-store with force-magic
and force-md5. As you can see, MAGIC is included and it is all files
that do not have the MD5 sum included.
To answer Marcos' question about libnss, I believe it is installed:
[root at SURI2]# locate libnss
/lib/libnss_compat-2.5.so
/lib/libnss_compat.so.2
/lib/libnss_db-2.2.so
/lib/libnss_db.so.2
/lib/libnss_dns-2.5.so
/lib/libnss_dns.so.2
/lib/libnss_files-2.5.so
/lib/libnss_files.so.2
/lib/libnss_hesiod-2.5.so
/lib/libnss_hesiod.so.2
/lib/libnss_ldap-2.5.so
/lib/libnss_ldap.so.2
/lib/libnss_nis-2.5.so
/lib/libnss_nis.so.2
/lib/libnss_nisplus-2.5.so
/lib/libnss_nisplus.so.2
/lib/libnss_winbind.so.2
/lib/libnss_wins.so.2
/usr/lib/libnss3.so
/usr/lib/libnss_compat.so
/usr/lib/libnss_db.so
/usr/lib/libnss_dns.so
/usr/lib/libnss_files.so
/usr/lib/libnss_hesiod.so
/usr/lib/libnss_ldap.so
/usr/lib/libnss_nis.so
/usr/lib/libnss_nisplus.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_wins.so
/usr/lib/libnssckbi.so
/usr/lib/libnssutil3.so
[root at SURI2 files]# which md5sum
/usr/bin/md5sum
Suricata was configured/installed with:
./configure --enable-gccprotect --enable-profiling --enable-pfring
--with-libpfring-libraries=/usr/local/lib
--with-libpfring-includes=/usr/local/include
--with-libpcap-libraries=/usr/local/lib
--with-libpcap-includes=/usr/local/include
--with-libhtp-includes=/usr/local/include
--with-libhtp-libraries=/usr/local/lib --prefix=/usr/local/
--sysconfdir=/etc/ --localstatedir=/var/
Thanks.
-Mike Cox
On Mon, Apr 30, 2012 at 11:03 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> do you have the MD5s in your JSON log file?
>
> and is it just this file that does not have MD5 or all files?
>
> thanks
>
> On Mon, Apr 30, 2012 at 4:38 PM, Mike Cox <mike.cox52 at gmail.com> wrote:
>>
>> I have grabbed the latest version of Suricata from GIT and enabled
>> file-store. However, in the meta file, I do not see the md5 sum being
>> logged. Of course, if the file is logged too, calculating the md5 on
>> the sensor machine (outside of Suricata) is trivial but I though it
>> would log the md5 if it was enabled. From my config .yaml file:
>>
>> - file-store:
>> enabled: yes # set to yes to enable
>> log-dir: files # directory to store the files
>> force-magic: yes # force logging magic on all stored files
>> force-md5: yes # force logging of md5 checksums
>> #waldo: file.waldo # waldo file to store the file-id across runs
>>
>> I have the stream reassembly and HTTP request/response body sizes set
>> high enough that I am getting all of the file but I don't see the MD5
>> sum logged. From the meta file:
>>
>> TIME: 04/28/2012-03:31:01.457465
>> SRC IP: 97.67.101.89
>> DST IP: 192.168.5.21
>> PROTO: 6
>> SRC PORT: 80
>> DST PORT: 24593
>> HTTP URI:
>>
>> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> HTTP HOST: download.windowsupdate.com
>> HTTP REFERER: <unknown>
>> FILENAME:
>>
>> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> MAGIC: PE32+ executable for MS Windows (GUI)
>> STATE: CLOSED
>> SIZE: 5382
>>
>> Also, does the filename normally include all the URL?
>>
>> This is Suricata 1.3dev (rev e6dea5c).
>>
>> Thanks.
>>
>> -Mike Cox
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
>
> --
> Regards,
> Peter Manev
>
More information about the Oisf-devel
mailing list