Hi,<br><br>Do you have the MD5s in your JSON log file?<br><br>And is it just this file that does not have MD5 or all files?<br><br>Thanks<br><br><div class="gmail_quote">On Mon, Apr 30, 2012 at 4:38 PM, Mike Cox <span dir="ltr">&lt;<a href="mailto:mike.cox52@gmail.com" target="_blank">mike.cox52@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have grabbed the latest version of Suricata from GIT and enabled<br>
file-store. However, in the meta file, I do not see the md5 sum being<br>
logged. Of course, if the file is logged too, calculating the md5 on<br>
the sensor machine (outside of Suricata) is trivial but I thought it<br>
would log the md5 if it was enabled. From my config .yaml file:<br>
<br>
- file-store:<br>
&nbsp;&nbsp;&nbsp;&nbsp;enabled: yes # set to yes to enable<br>
&nbsp;&nbsp;&nbsp;&nbsp;log-dir: files # directory to store the files<br>
&nbsp;&nbsp;&nbsp;&nbsp;force-magic: yes # force logging magic on all stored files<br>
&nbsp;&nbsp;&nbsp;&nbsp;force-md5: yes # force logging of md5 checksums<br>
&nbsp;&nbsp;&nbsp;&nbsp;#waldo: file.waldo # waldo file to store the file-id across runs<br>
<br>
I have the stream reassembly and HTTP request/response body sizes set<br>
high enough that I am getting all of the file but I don't see the MD5<br>
sum logged. From the meta file:<br>
<br>
TIME: 04/28/2012-03:31:01.457465<br>
SRC IP: 97.67.101.89<br>
DST IP: 192.168.5.21<br>
PROTO: 6<br>
SRC PORT: 80<br>
DST PORT: 24593<br>
HTTP URI: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe<br>
HTTP HOST: <a href="http://download.windowsupdate.com" target="_blank">download.windowsupdate.com</a><br>
HTTP REFERER: &lt;unknown&gt;<br>
FILENAME: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe<br>
MAGIC: PE32+ executable for MS Windows (GUI)<br>
STATE: CLOSED<br>
SIZE: 5382<br>
<br>
Also, does the filename normally include all the URL?<br>
<br>
This is Suricata 1.3dev (rev e6dea5c).<br>
<br>
Thanks.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Mike Cox<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
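Added example, not part of the original thread and not Suricata's own code: a Python audit of a file-store `.meta` file in the layout quoted above, which reports when no MD5 was logged and computes it from the stored file. It assumes the stored file sits beside its meta file as `file.N` / `file.N.meta` and that a logged checksum would appear under an `MD5:` key; the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample in the "KEY: value" layout of the meta file quoted above.
SAMPLE_META = """\
TIME:              04/28/2012-03:31:01.457465
MAGIC:             PE32+ executable for MS Windows (GUI)
STATE:             CLOSED
SIZE:              5382
"""

def parse_meta(text):
    """Split each line at its first colon; values may contain colons (TIME)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record

def audit(meta_path):
    """Return (record, problems); fills in MD5 when the meta file lacks it."""
    meta_path = Path(meta_path)
    record = parse_meta(meta_path.read_text(errors="replace"))
    # Assumed layout: the stored file is the meta path without ".meta".
    data = meta_path.with_suffix("").read_bytes()
    problems = []
    if record.get("STATE") != "CLOSED":
        problems.append("file not complete")  # hash would cover a partial file
    if record.get("SIZE", "").isdigit() and int(record["SIZE"]) != len(data):
        problems.append("size mismatch")
    computed = hashlib.md5(data).hexdigest()
    if "MD5" not in record:  # assumed key name; absent from the quoted meta file
        problems.append("md5 not logged")
        record["MD5"] = computed
    elif record["MD5"].lower() != computed:
        problems.append("md5 mismatch")
    return record, problems

def demo():
    """Build a constructed file.1 / file.1.meta pair and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        data = b"MZ" + b"\x00" * 5380  # constructed 5382-byte stand-in
        Path(tmp, "file.1").write_bytes(data)
        Path(tmp, "file.1.meta").write_text(SAMPLE_META)
        record, problems = audit(Path(tmp, "file.1.meta"))
    return record, problems, hashlib.md5(data).hexdigest()
```

The `STATE` and `SIZE` checks matter because an MD5 computed over a truncated capture will not match the hash of the real file.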