[Discussion] Limit files-json logging

Victor Julien lists at inliniac.net
Thu Mar 6 08:17:59 UTC 2014


On 03/05/2014 08:43 PM, cdevoe57 at nycap.rr.com wrote:
> We are attempting to set up and use MD5 hash alerting (rules with filemd5 keywords).  We have set up the alerts and can trigger an alert based on the hash of a file. 
> e.g. alert http any any -> any any (msg: "A known bad hash was accessed"; filemd5:badmd5s.txt; filestore; classtype:bad-md5; sid:1; rev:1;)
> When we enable the files-json.log in the yaml file, it includes all files, not just those that match the rule. Is there a way to only log the files which trigger an alert instead of everything?

No, files-json.log logs all files Suricata sees. There is no way
currently to make it conditional.

I think it would make sense to add something like this. Not just for
this log, also for other non-alert outputs.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
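A collection-side workaround, added here as an example that is not from the thread or from the Suricata project: since files-json.log records every file, filter it after the fact against the same hash list the filemd5 rule reads. The log field names ("md5", "filename", "state") and both sample inputs are assumptions constructed for the demonstration; check them against the output of your own Suricata version.

```python
import json

# Constructed sample of files-json.log lines (one JSON object per line).
# Field names such as "md5", "filename" and "state" are assumptions about the
# log format; a line without "md5" mimics a file that was not fully seen.
SAMPLE_FILES_LOG = """\
{"timestamp":"03/05/2014-20:43:01.000000","srcip":"10.0.0.5","dstip":"10.0.0.9","http_host":"example.test","filename":"update.exe","state":"CLOSED","md5":"D41D8CD98F00B204E9800998ECF8427E","stored":true}
{"timestamp":"03/05/2014-20:43:02.000000","srcip":"10.0.0.5","dstip":"10.0.0.9","http_host":"example.test","filename":"logo.png","state":"CLOSED","md5":"098f6bcd4621d373cade4e832627b4f6","stored":false}
{"timestamp":"03/05/2014-20:43:03.000000","srcip":"10.0.0.5","dstip":"10.0.0.9","http_host":"example.test","filename":"partial.bin","state":"TRUNCATED","stored":false}
this line is not json
"""

# Constructed badmd5s.txt contents: one hash per line; blanks and comments tolerated.
SAMPLE_BADMD5S = """\
# known bad hashes (constructed sample)
d41d8cd98f00b204e9800998ecf8427e

5d41402abc4b2a76b9719d911017c592
"""

def load_hash_list(text):
    """Parse a filemd5-style list into a set of lowercase 32-hex-char strings."""
    hashes = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        h = line.lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes

def filter_files_log(log_text, bad_hashes):
    """Return the log entries whose md5 is in bad_hashes; skip non-JSON and md5-less lines."""
    hits = []
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except ValueError:
            continue
        md5 = entry.get("md5")
        if isinstance(md5, str) and md5.lower() in bad_hashes:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for entry in filter_files_log(SAMPLE_FILES_LOG, load_hash_list(SAMPLE_BADMD5S)):
        print(entry["timestamp"], entry["filename"], entry["md5"])
```

Replace the two constructed strings with the contents of the real files to run it against a live log; matching is case-insensitive because the list and the log may differ in hex case.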