[Oisf-devel] Suricata file-store not logging md5

Mike Cox mike.cox52 at gmail.com
Mon Apr 30 16:44:19 UTC 2012


Peter,

I do not have JSON logging enabled, just file-store with force-magic
and force-md5.  As you can see, MAGIC is included and it is all files
that do not have the MD5 sum included.

To answer Marcos' question about libnss, I believe it is installed:

[root at SURI2]# locate libnss
/lib/libnss_compat-2.5.so
/lib/libnss_compat.so.2
/lib/libnss_db-2.2.so
/lib/libnss_db.so.2
/lib/libnss_dns-2.5.so
/lib/libnss_dns.so.2
/lib/libnss_files-2.5.so
/lib/libnss_files.so.2
/lib/libnss_hesiod-2.5.so
/lib/libnss_hesiod.so.2
/lib/libnss_ldap-2.5.so
/lib/libnss_ldap.so.2
/lib/libnss_nis-2.5.so
/lib/libnss_nis.so.2
/lib/libnss_nisplus-2.5.so
/lib/libnss_nisplus.so.2
/lib/libnss_winbind.so.2
/lib/libnss_wins.so.2
/usr/lib/libnss3.so
/usr/lib/libnss_compat.so
/usr/lib/libnss_db.so
/usr/lib/libnss_dns.so
/usr/lib/libnss_files.so
/usr/lib/libnss_hesiod.so
/usr/lib/libnss_ldap.so
/usr/lib/libnss_nis.so
/usr/lib/libnss_nisplus.so
/usr/lib/libnss_winbind.so
/usr/lib/libnss_wins.so
/usr/lib/libnssckbi.so
/usr/lib/libnssutil3.so
[root at SURI2 files]# which md5sum
/usr/bin/md5sum

Suricata was configured/installed with:

./configure --enable-gccprotect --enable-profiling --enable-pfring
--with-libpfring-libraries=/usr/local/lib
--with-libpfring-includes=/usr/local/include
--with-libpcap-libraries=/usr/local/lib
--with-libpcap-includes=/usr/local/include
--with-libhtp-includes=/usr/local/include
--with-libhtp-libraries=/usr/local/lib --prefix=/usr/local/
--sysconfdir=/etc/ --localstatedir=/var/

Thanks.

 -Mike Cox

On Mon, Apr 30, 2012 at 11:03 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> do you have the MD5s in your JSON log file?
>
> and is it just this file that does not have MD5 or all files?
>
> thanks
>
> On Mon, Apr 30, 2012 at 4:38 PM, Mike Cox <mike.cox52 at gmail.com> wrote:
>>
>> I have grabbed the latest version of Suricata from GIT and enabled
>> file-store.  However, in the meta file, I do not see the md5 sum being
>> logged.  Of course, if the file is logged too, calculating the md5 on
>> the sensor machine (outside of Suricata) is trivial but I thought it
>> would log the md5 if it was enabled.  From my config .yaml file:
>>
>>  - file-store:
>>     enabled: yes       # set to yes to enable
>>     log-dir: files    # directory to store the files
>>     force-magic: yes   # force logging magic on all stored files
>>     force-md5: yes     # force logging of md5 checksums
>>     #waldo: file.waldo # waldo file to store the file-id across runs
>>
>> I have the stream reassembly and HTTP request/response body sizes set
>> high enough that I am getting all of the file but I don't see the MD5
>> sum logged.  From the meta file:
>>
>> TIME:              04/28/2012-03:31:01.457465
>> SRC IP:            97.67.101.89
>> DST IP:            192.168.5.21
>> PROTO:             6
>> SRC PORT:          80
>> DST PORT:          24593
>> HTTP URI:
>>
>> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> HTTP HOST:         download.windowsupdate.com
>> HTTP REFERER:      <unknown>
>> FILENAME:
>>
>> /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> MAGIC:             PE32+ executable for MS Windows (GUI)
>> STATE:             CLOSED
>> SIZE:              5382
>>
>> Also, does the filename normally include all the URL?
>>
>> This is Suricata 1.3dev (rev e6dea5c).
>>
>> Thanks.
>>
>>  -Mike Cox
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
>
> --
> Regards,
> Peter Manev
>

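A defender's check for the situation described in this thread, added here as an example (not code from Suricata or from anyone on the list): it parses a file-store .meta record, reports whether an MD5 line is present, computes the MD5 of the stored file locally (the "outside of Suricata" calculation Mike mentions) and compares the byte count on disk with SIZE. The file.<id> / file.<id>.meta naming and the `files` log-dir are assumed from the 1.x file-store and the config quoted above; the sample inputs in the test are constructed.

```python
import hashlib
import re
from pathlib import Path

KEY_RE = re.compile(r"^([A-Z0-9 ]+?):\s*(.*)$")

def parse_meta(text):
    """Parse the 'KEY:   value' lines of a file-store .meta file into a dict.
    A value pushed onto the following line (the mail client wrapped the long
    URIs in the thread's copy) is joined back onto its key."""
    fields, pending = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if val:
                fields[key], pending = val, None
            else:
                pending = key
        elif pending and line.strip():
            fields[pending], pending = line.strip(), None
    return fields

def verify_stored_file(meta_text, file_bytes):
    """Reconcile a stored file with its .meta record.
    md5_status is 'unlogged' when there is no MD5 line (the symptom in the
    thread), 'match' or 'MISMATCH' otherwise; size_ok compares SIZE with the
    bytes actually on disk, which flags truncated extractions."""
    fields = parse_meta(meta_text)
    computed = hashlib.md5(file_bytes).hexdigest()
    logged = fields.get("MD5")
    if logged is None:
        status = "unlogged"
    else:
        status = "match" if logged.lower() == computed else "MISMATCH"
    return {"logged_md5": logged, "computed_md5": computed,
            "md5_status": status, "state": fields.get("STATE"),
            "size_ok": fields.get("SIZE") == str(len(file_bytes))}

if __name__ == "__main__":
    # Assumed 1.x layout: file-store writes file.<id> and file.<id>.meta in log-dir.
    for meta in sorted(Path("files").glob("file.*.meta")):
        stored = meta.with_name(meta.name[:-len(".meta")])
        if stored.is_file():
            r = verify_stored_file(meta.read_text(), stored.read_bytes())
            print(meta.name, r["md5_status"], r["computed_md5"],
                  "size_ok" if r["size_ok"] else "SIZE MISMATCH", r["state"])
```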