[Oisf-devel] Suricata file-store not logging md5
Marcos Rodriguez
marcos.e.rodriguez at gmail.com
Mon Apr 30 16:04:39 UTC 2012
On Mon, Apr 30, 2012 at 10:38 AM, Mike Cox <mike.cox52 at gmail.com> wrote:
> I have grabbed the latest version of Suricata from GIT and enabled
> file-store. However, in the meta file, I do not see the md5 sum being
> logged. Of course, if the file is logged too, calculating the md5 on
> the sensor machine (outside of Suricata) is trivial but I thought it
> would log the md5 if it was enabled. From my config .yaml file:
>
> - file-store:
>     enabled: yes # set to yes to enable
>     log-dir: files # directory to store the files
>     force-magic: yes # force logging magic on all stored files
>     force-md5: yes # force logging of md5 checksums
>     #waldo: file.waldo # waldo file to store the file-id across runs
>
> I have the stream reassembly and HTTP request/response body sizes set
> high enough that I am getting all of the file but I don't see the MD5
> sum logged. From the meta file:
>
> TIME: 04/28/2012-03:31:01.457465
> SRC IP: 97.67.101.89
> DST IP: 192.168.5.21
> PROTO: 6
> SRC PORT: 80
> DST PORT: 24593
> HTTP URI: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> HTTP HOST: download.windowsupdate.com
> HTTP REFERER: <unknown>
> FILENAME: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
> MAGIC: PE32+ executable for MS Windows (GUI)
> STATE: CLOSED
> SIZE: 5382
>
> Also, does the filename normally include all the URL?
>
> This is Suricata 1.3dev (rev e6dea5c).
>
> Thanks.
>
> -Mike Cox
Hi Mike, et al,
Do you have libnss installed? I believe you need that in order to take
advantage of the md5 calcs.
marcos
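An added example (not code from the thread or from the Suricata project) of the sensor-side fallback Mike mentions: parse a file-store .meta file of the format quoted above, use its MD5 line when Suricata wrote one, and otherwise hash the stored file. It assumes the stored file sits beside its metadata as file.N / file.N.meta; the sample .meta text is constructed from the lines quoted in the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: the .meta lines quoted in the thread, which carry no MD5 line.
SAMPLE_META = """TIME: 04/28/2012-03:31:01.457465
SRC IP: 97.67.101.89
HTTP URI: /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
HTTP HOST: download.windowsupdate.com
MAGIC: PE32+ executable for MS Windows (GUI)
STATE: CLOSED
SIZE: 5382
"""

META_LINE = re.compile(r"^([A-Z ]+):\s*(.*)$")  # one "KEY: value" line of a .meta file


def parse_meta(text):
    """Parse the KEY: value lines of a file-store .meta file into a dict."""
    meta = {}
    for line in text.splitlines():
        m = META_LINE.match(line.strip())
        if m:
            meta[m.group(1).strip()] = m.group(2).strip()
    return meta


def md5_for_stored_file(meta_path):
    """Return (md5, source) for the file a .meta describes: the MD5 line when
    Suricata logged one, otherwise a hash computed on the sensor from the stored
    file, assumed to sit beside the .meta as file.N / file.N.meta. A SIZE that
    disagrees with the bytes on disk (truncated or still-open file) is flagged."""
    meta_path = Path(meta_path)
    meta = parse_meta(meta_path.read_text())
    if meta.get("MD5"):
        return meta["MD5"].lower(), "meta"
    stored = meta_path.with_suffix("")  # file.1.meta -> file.1 (assumed layout)
    digest = hashlib.md5(stored.read_bytes()).hexdigest()
    if meta.get("SIZE", "").isdigit() and int(meta["SIZE"]) != stored.stat().st_size:
        return digest, "computed-size-mismatch"
    return digest, "computed"


def demo(size_in_meta="3"):
    """Constructed run: store b'abc' as file.1 next to a .meta without an MD5 line."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "file.1").write_bytes(b"abc")
        meta_text = SAMPLE_META.replace("SIZE: 5382", "SIZE: " + size_in_meta)
        (Path(d) / "file.1.meta").write_text(meta_text)
        return md5_for_stored_file(Path(d) / "file.1.meta")
```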