<div>
<div>Hello,</div>
<div>I'm trying to activate MD5 control in Suricata by following the steps at the link</div>
<div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5</a></div>
<div>I have installed the packages</div>
<div><strong>pkg install nss</strong></div>
<div><strong>pkg install nspr</strong></div>
<div><strong>FreeBSD</strong>: FreeBSD 11.0-RELEASE-p1</div>
<div><strong>Make build configuration with NSPR and NSS</strong></div>
<pre>./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --localstatedir=/var --enable-ipfw --enable-netmap --with-netmap-includes=/usr/local/include/netmap/ --with-libnss-libraries=/usr/local/lib --with-libnss-includes=/usr/local/include/nss --with-libnspr-libraries=/usr/local/lib --with-libnspr-includes=/usr/local/include/nspr</pre>
<div>I installed it and see in the Suricata build info:<br /><strong>HAVE_NSS</strong></div>
<pre><strong>libnss support:                          yes
libnspr support:                         yes</strong></pre>
<div><strong># suricata --build-info</strong></div>
<pre>This is Suricata version 4.0.3 RELEASE
Features: IPFW PCAP_SET_BUFF NETMAP HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT <strong>HAVE_NSS</strong> HAVE_LIBJANSSON TLS MAGIC
SIMD support: SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible FreeBSD Clang 3.8.0 (tags/RELEASE_380/final 262564), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.25, linked against LibHTP v0.5.25

Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            yes
  Netmap support:                          yes
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
<strong>  libnss support:                          yes
  libnspr support:                         yes</strong>
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       yes
  Libnet support:                          yes

  Rust support (experimental):             no
  Experimental Rust parsers:               no
  Rust strict mode:                        no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-freebsd11.0
  Compiler:                                cc (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -DOS_FREEBSD -march=native
  PCAP_CFLAGS
  SECCFLAGS</pre>
<div><strong>My configuration suricata.yaml</strong></div>
<pre>  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: yes   # force logging magic on all stored files
      force-hash: [md5]
      force-filestore: yes # force storing of all files

  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      force-magic: yes   # force logging magic on all logged files
      force-hash: [md5]

stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 0                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

      libhtp:
         default-config:
           personality: IDS
           request-body-limit: 0
           response-body-limit: 0</pre>
<div><strong>My rule:</strong> alert http any any -> any any (msg:"block"; filemd5:!block.txt; sid:9966699; rev:1;)</div>
<div><strong>block.txt:</strong> 44d88612fea8a8f36de82e1278abb02f</div>
<div>Suricata is running but can't create MD5 info for the downloaded file, AND Suricata can't do the MD5 check for the downloaded file.</div>
<div>Sample <strong>file.3.meta</strong></div>
<pre>TIME:              01/02/2020-16:45:25.983849
SRC IP:            213.211.198.58
DST IP:            192.168.1.10
PROTO:             6
SRC PORT:          80
DST PORT:          62690
APP PROTO:         http
HTTP URI:          /download/eicar.com
HTTP HOST:         2016.eicar.org
HTTP REFERER:      <a href="http://2016.eicar.org/85-0-Download.html">http://2016.eicar.org/85-0-Download.html</a>
HTTP USER AGENT:   Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 YaBrowser/19.9.0.1768 Yowser/2.5 Safari/537.36
FILENAME:          eicar.com
MAGIC:             EICAR virus test files
STATE:             CLOSED
SIZE:              68</pre>
<div><strong>?????? ------> MD5 section doesn't exist</strong><br /><br />This file doesn't have an MD5 section.<br /><br />Where is my problem?<br /><br />Please help me.</div>
</div>
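<div>An added example, not part of the original post or of the Suricata project: a small Python checker that parses a file-store <code>.meta</code> record like the one above, reports whether it carries an MD5 line, hashes the stored file body and looks it up in the rule's <code>filemd5</code> list. It assumes the stored file is the 68-byte EICAR test file the <code>.meta</code> describes; the <code>.meta</code> text and <code>block.txt</code> contents are constructed from the values quoted in the post.</div>

```python
"""Added example (not from the original post): verify what Suricata's
file-store wrote against what the filemd5 rule expects."""
import hashlib
import re

# Constructed from the post: the file.3.meta record, which has no MD5 line.
META_TEXT = """TIME:              01/02/2020-16:45:25.983849
SRC IP:            213.211.198.58
DST IP:            192.168.1.10
PROTO:             6
APP PROTO:         http
HTTP URI:          /download/eicar.com
HTTP HOST:         2016.eicar.org
FILENAME:          eicar.com
MAGIC:             EICAR virus test files
STATE:             CLOSED
SIZE:              68
"""

# Constructed from the post: the block.txt referenced by filemd5:!block.txt.
BLOCK_LIST = "44d88612fea8a8f36de82e1278abb02f\n"

# Assumed stored file body: the standard 68-byte EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_meta(text):
    """Turn the 'KEY:   value' lines of a .meta record into a dict."""
    meta = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z0-9 ]+?):\s+(.*)$", line)
        if m:
            meta[m.group(1).strip()] = m.group(2).strip()
    return meta


def load_filemd5_list(text):
    """filemd5 lists hold one hex MD5 per line; skip blanks and '#' comments."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def check_stored_file(meta_text, file_bytes, list_text):
    """Return a dict: did the .meta carry an MD5, what MD5 the stored body
    actually has, whether that MD5 is in the list, and whether SIZE matches."""
    meta = parse_meta(meta_text)
    computed = hashlib.md5(file_bytes).hexdigest()
    return {
        "md5_in_meta": "MD5" in meta,
        "computed_md5": computed,
        "on_list": computed in load_filemd5_list(list_text),
        "size_matches": meta.get("SIZE") == str(len(file_bytes)),
    }
```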