[Oisf-devel] md5's and json records
Victor Julien
victor at inliniac.net
Thu Feb 16 21:23:00 UTC 2012
So I was having fun with md5's when someone *cough*Martin*cough* started
telling me to do json. Being the independent spirit that I am, I started
working on it right way.
So what we have is both md5 sums (logging only right now) and a new log
file called "files-json.log". The log file contains per line a json
record with all the information we already had in the .meta files +
http_uri + http_host. And of course md5, if enabled.
Md5's are enabled by adding the force-md5 option to the log-file output.
To use this, compile Suricata against Mozilla's libnss (and libnspr):
./configure --with-libnss-includes=/usr/include/nss/
--with-libnspr-includes=/usr/include/nspr/
On Ubuntu, you'll need libnss3-dev and libnspr4-dev.
If compiled properly, suricata --build-info should have "HAVE_NSS".
Example of the yaml part:
- file:
enabled: yes
log-dir: files
force-magic: true
force-md5: true
#waldo: my-first-waldo
When running, a new log file called "files-json.log" in your default log
dir should be present. It will have records like this:
{ "id": 3, "timestamp": "10/02/2009-21:34:21.470806", "pcap_pkt_num":
3051, "srcip": "61.191.61.40", "dstip": "192.168.2.7", "protocol": 6,
"sp": 80, "dp": 1091, "http_uri": "/ww/aa1.exe", "http_host":
"vcrvcr.3322.org", "filename": "/ww/aa1.exe", "magic": "PE32 executable
for MS Windows (GUI) Intel 80386 32-bit", "state": "CLOSED", "md5":
"c48f83c92573460e08e258fbd3a189e0", "size": 29200 }
Of course, you need to set up file extraction properly.
The logging output uses the std API, which means unix sockets should
work too, although thats untested.
It's likely rough around it's edges, so use with care.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list