[Discussion] Limit files-json logging

Victor Julien lists at inliniac.net
Thu Mar 6 11:15:25 UTC 2014


Please keep the conversation on the list.

On 03/06/2014 11:37 AM, Charlie Jr. wrote:
> Is there a way to correlate the file to the MD5 that triggered the alert?
> All we are getting now is that an alert was triggered for matching one of
> thousands of MD5s.

Both the files-json.log and alert logs will contain the 5-tuple of a
connection: proto, src, dst, sp, dp. That should generally be enough to
match the two.

Cheers,
Victor

> 
> -----Original Message-----
> From: discussion-bounces at lists.openinfosecfoundation.org
> [mailto:discussion-bounces at lists.openinfosecfoundation.org] On Behalf Of
> Victor Julien
> Sent: Thursday, March 06, 2014 3:18 AM
> To: discussion at lists.openinfosecfoundation.org
> Subject: Re: [Discussion] Limit files-json logging
> 
> On 03/05/2014 08:43 PM, cdevoe57 at nycap.rr.com wrote:
>> We are attempting to set up and use MD5 hash alerting (rules with filemd5
>> keywords).  We have set up the alerts and can trigger an alert based on the
>> hash of a file.
>> e.g. alert http any any -> any any (msg: "A known bad hash was
>> accessed"; filemd5:badmd5s.txt; filestore; classtype:bad-md5; sid:1;
>> rev:1;)
>> When we enable the files-json.log in the yaml file, it includes all
>> files, not just those that match the rule. Is there a way to only log the
>> files which trigger an alert instead of everything?
> 
> No, files-json.log logs all files Suricata sees. There is no way currently
> to make it conditional.
> 
> I think it would make sense to add something like this. Not just for this
> log, also for other non-alert outputs.
> 
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Discussion mailing list
> Discussion at lists.openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
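Victor's suggestion above is to join the two logs on the connection 5-tuple. The script below is an added example of that join; it is not code from this thread or from the Suricata project. It assumes the fast.log line layout (`[**] [gid:sid:rev] msg [**] ... {PROTO} src:sp -> dst:dp`, IPv4 only) and assumes files-json.log records carry the fields `timestamp`, `srcip`, `dstip`, `protocol`, `sp`, `dp`, `filename`, `md5` and `stored` in the form the Suricata 1.x/2.0 file logger wrote; check them against your build. All log lines are constructed samples. It goes a little beyond the thread in two ways a practitioner runs into: the two logs need not agree on flow direction (the file record is written server-to-client while the alert may be printed the other way round), so the key is direction-insensitive; and one HTTP keep-alive connection can carry several files, so the 5-tuple only narrows to candidates and the nearest timestamp picks among them.

```python
"""Correlate Suricata fast.log alerts with files-json.log records on the 5-tuple.

Added example, not code from the thread or from Suricata itself. The
files-json.log field names (timestamp, srcip, dstip, protocol, sp, dp,
filename, md5, stored) and the fast.log layout are assumptions about the
1.x/2.0-era formats. All sample lines below are constructed.
"""
import json
import re
from datetime import datetime

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"
PROTO_NUM = {"TCP": 6, "UDP": 17}  # fast.log prints a name, files-json a number

# fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [...] {PROTO} src:sp -> dst:dp"
# IPv4 only: fast.log's "addr:port" form is ambiguous for IPv6 addresses.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sp>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dp>\d+)\s*$"
)

# Constructed samples. The first alert is printed client -> server while the
# file records for that flow are server -> client; the second alert's flow has
# no file record at all.
FAST_LOG = """\
03/06/2014-11:37:00.123456  [**] [1:1:1] A known bad hash was accessed [**] [Classification: bad-md5] [Priority: 3] {TCP} 10.0.0.5:41111 -> 93.184.216.34:80
03/06/2014-11:37:02.000000  [**] [1:1:1] A known bad hash was accessed [**] [Classification: bad-md5] [Priority: 3] {TCP} 10.0.0.9:50000 -> 198.51.100.7:80
"""
FILES_JSON = """\
{"id": 1, "timestamp": "03/06/2014-11:36:58.000001", "ipver": 4, "srcip": "93.184.216.34", "dstip": "10.0.0.5", "protocol": 6, "sp": 80, "dp": 41111, "http_host": "example.com", "http_uri": "/index.html", "filename": "/index.html", "magic": "HTML document", "state": "CLOSED", "md5": "11111111111111111111111111111111", "stored": false, "size": 1256}
{"id": 2, "timestamp": "03/06/2014-11:37:00.100000", "ipver": 4, "srcip": "93.184.216.34", "dstip": "10.0.0.5", "protocol": 6, "sp": 80, "dp": 41111, "http_host": "example.com", "http_uri": "/dl/setup.exe", "filename": "/dl/setup.exe", "magic": "PE32 executable", "state": "CLOSED", "md5": "22222222222222222222222222222222", "stored": true, "size": 73728}
{"id": 3, "timestamp": "03/06/2014-11:37:01.500000", "ipver": 4, "srcip": "203.0.113.4", "dstip": "10.0.0.7", "protocol": 6, "sp": 80, "dp": 40001, "http_host": "example.net", "http_uri": "/a.gif", "filename": "/a.gif", "magic": "GIF image data", "state": "CLOSED", "md5": "33333333333333333333333333333333", "stored": false, "size": 43}
"""


def flow_key(proto, ip_a, port_a, ip_b, port_b):
    """Direction-insensitive 5-tuple: protocol number plus both endpoints, sorted."""
    return (int(proto), tuple(sorted([(ip_a, int(port_a)), (ip_b, int(port_b))])))


def parse_fast_log(text):
    """Return one dict per parsable alert line: timestamp, sid, msg, flow key."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # lines this layout does not cover are skipped, not guessed at
        alerts.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "sid": int(m["sid"]),
            "msg": m["msg"],
            "key": flow_key(PROTO_NUM[m["proto"]], m["src"], m["sp"], m["dst"], m["dp"]),
        })
    return alerts


def parse_files_json(text):
    """Return the JSON records with a parsed timestamp and a flow key added."""
    files = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["timestamp"], TS_FMT)
        rec["key"] = flow_key(rec["protocol"], rec["srcip"], rec["sp"], rec["dstip"], rec["dp"])
        files.append(rec)
    return files


def correlate(alerts, files, window_seconds=10.0):
    """Pair each alert with the file record on the same 5-tuple whose timestamp
    is nearest the alert (within the window), or with None if there is none.

    The 5-tuple alone only narrows to candidates: one keep-alive connection can
    carry several files, so the timestamp decides between them."""
    by_key = {}
    for rec in files:
        by_key.setdefault(rec["key"], []).append(rec)
    out = []
    for alert in alerts:
        best = None
        for rec in by_key.get(alert["key"], []):
            delta = abs((rec["ts"] - alert["ts"]).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, rec)
        out.append((alert, best[1] if best else None))
    return out


if __name__ == "__main__":
    for alert, rec in correlate(parse_fast_log(FAST_LOG), parse_files_json(FILES_JSON)):
        if rec is None:
            print(f"sid {alert['sid']} at {alert['ts']}: no file record on this flow")
        else:
            print(f"sid {alert['sid']} at {alert['ts']}: {rec['filename']} "
                  f"md5={rec['md5']} stored={rec['stored']}")
```

On real data the time window matters: the alert fires when the filemd5 match completes, normally within the same second as the file record is written, so a window of a few seconds keeps unrelated files on a long-lived connection from being picked up.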