[Oisf-devel] Suricata file-store not logging md5
Mike Cox
mike.cox52 at gmail.com
Mon Apr 30 14:38:23 UTC 2012
I have grabbed the latest version of Suricata from GIT and enabled
file-store. However, in the meta file, I do not see the md5 sum being
logged. Of course, if the file is logged too, calculating the md5 on
the sensor machine (outside of Suricata) is trivial, but I thought it
would log the md5 if it was enabled. From my config .yaml file:
  - file-store:
      enabled: yes          # set to yes to enable
      log-dir: files        # directory to store the files
      force-magic: yes      # force logging magic on all stored files
      force-md5: yes        # force logging of md5 checksums
      #waldo: file.waldo    # waldo file to store the file-id across runs
I have the stream reassembly and HTTP request/response body sizes set
high enough that I am getting all of the file but I don't see the MD5
sum logged. From the meta file:
TIME: 04/28/2012-03:31:01.457465
SRC IP: 97.67.101.89
DST IP: 192.168.5.21
PROTO: 6
SRC PORT: 80
DST PORT: 24593
HTTP URI: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
HTTP HOST: download.windowsupdate.com
HTTP REFERER: <unknown>
FILENAME: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
MAGIC: PE32+ executable for MS Windows (GUI)
STATE: CLOSED
SIZE: 5382
Also, does the filename normally include all the URL?
This is Suricata 1.3dev (rev e6dea5c).
Thanks.
-Mike Cox
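The workaround mentioned in the post (hashing the stored file on the sensor when the meta file lacks a checksum) as an added example; this is not Suricata code or code from the original message. It assumes the meta file uses one "KEY: value" field per line as shown above, that a logged checksum would appear under a key named MD5 (an assumption, since the post shows no such line), and that each stored file `file.N` sits beside its `file.N.meta` in the log-dir.

```python
import hashlib
from pathlib import Path

# Constructed sample .meta content, modelled on the record quoted in the post.
SAMPLE_META = """\
TIME: 04/28/2012-03:31:01.457465
SRC IP: 97.67.101.89
DST IP: 192.168.5.21
PROTO: 6
SRC PORT: 80
DST PORT: 24593
HTTP URI: /msdownload/update/software/defu/2012/04/am_delta_patch.exe
HTTP HOST: download.windowsupdate.com
HTTP REFERER: <unknown>
FILENAME: /msdownload/update/software/defu/2012/04/am_delta_patch.exe
MAGIC: PE32+ executable for MS Windows (GUI)
STATE: CLOSED
SIZE: 5382
"""


def parse_meta(text):
    """Parse the 'KEY: value' lines of a file-store .meta file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_stored_file(meta_text, data):
    """Hash the stored bytes and compare them with what the meta file claims.

    Returns (md5_hex, size_matches, md5_matches) where md5_matches is None
    when the meta file carries no MD5 field (the situation in the post)."""
    fields = parse_meta(meta_text)
    digest = hashlib.md5(data).hexdigest()
    size_ok = fields.get("SIZE") == str(len(data))
    logged = fields.get("MD5")  # assumed key name; absent in the quoted meta
    md5_ok = None if logged is None else logged.lower() == digest
    return digest, size_ok, md5_ok


def check_log_dir(log_dir):
    """Check every file.N / file.N.meta pair in log_dir (assumed naming)."""
    results = {}
    for meta_path in Path(log_dir).glob("*.meta"):
        stored = meta_path.with_suffix("")  # strip ".meta" to get the data file
        if stored.is_file():
            results[stored.name] = check_stored_file(
                meta_path.read_text(), stored.read_bytes())
    return results
```

A size mismatch flags a truncated capture, which is worth checking before trusting any hash, whether computed here or logged by the sensor.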