[Oisf-devel] Suricata file-store not logging md5

Mike Cox mike.cox52 at gmail.com
Mon Apr 30 16:44:19 UTC 2012


I do not have JSON logging enabled, just file-store with force-magic
and force-md5.  As you can see, MAGIC is included and it is all files
that do not have the MD5 sum included.

To answer Marcos' question about libnss, I believe it is installed:

[root at SURI2]# locate libnss
[root at SURI2 files]# which md5sum

Suricata was configured/installed with:

./configure --enable-gccprotect --enable-profiling --enable-pfring
--with-libhtp-libraries=/usr/local/lib --prefix=/usr/local/
--sysconfdir=/etc/ --localstatedir=/var/


 -Mike Cox

On Mon, Apr 30, 2012 at 11:03 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
> do you have the MD5s in your JSON log file?
> and is it just this file that does not have MD5 or all files?
> thanks
> On Mon, Apr 30, 2012 at 4:38 PM, Mike Cox <mike.cox52 at gmail.com> wrote:
>> I have grabbed the latest version of Suricata from GIT and enabled
>> file-store.  However, in the meta file, I do not see the md5 sum being
>> logged.  Of course, if the file is logged too, calculating the md5 on
>> the sensor machine (outside of Suricata) is trivial but I thought it
>> would log the md5 if it was enabled.  From my config .yaml file:
>>  - file-store:
>>     enabled: yes       # set to yes to enable
>>     log-dir: files    # directory to store the files
>>     force-magic: yes   # force logging magic on all stored files
>>     force-md5: yes     # force logging of md5 checksums
>>     #waldo: file.waldo # waldo file to store the file-id across runs
>> I have the stream reassembly and HTTP request/response body sizes set
>> high enough that I am getting all of the file but I don't see the MD5
>> sum logged.  From the meta file:
>> TIME:              04/28/2012-03:31:01.457465
>> SRC IP:  
>> DST IP:  
>> PROTO:             6
>> SRC PORT:          80
>> DST PORT:          24593
>> HTTP URI:          /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> HTTP HOST:         download.windowsupdate.com
>> HTTP REFERER:      <unknown>
>> FILENAME:          /msdownload/update/software/defu/2012/04/am_delta_patch_1.125.561.0_07370866e162114165aa31f821c0ef655ef41117.exe
>> MAGIC:             PE32+ executable for MS Windows (GUI)
>> STATE:             CLOSED
>> SIZE:              5382
>> Also, does the filename normally include all the URL?
>> This is Suricata 1.3dev (rev e6dea5c).
>> Thanks.
>>  -Mike Cox
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> --
> Regards,
> Peter Manev
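The meta records quoted in this thread are simple "LABEL: value" lines, and the complaint is that the MD5 line never appears. The following is an added example, not code from the thread or from the Suricata project: a small audit script that parses such a meta record, reports whether an MD5 line is present, and, as Mike suggests, computes the digest of the stored file on the sensor itself so the record can be checked (or back-filled) when Suricata did not write one. The sample meta text and file bytes are constructed here, with the IPs replaced by documentation addresses; the `file.<id>` / `file.<id>.meta` pairing in `audit_store` is an assumption about the file-store naming convention.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample file body: a PE-looking header padded to the SIZE the
# meta record claims (5382 bytes), so the size check below can succeed.
SAMPLE_FILE = b"MZ" + b"\x00" * 5380

# Constructed meta record modelled on the layout quoted in the thread.
# No MD5 line: this is the situation the thread describes.
SAMPLE_META_NO_MD5 = """\
TIME:              04/28/2012-03:31:01.457465
SRC IP:            192.0.2.10
DST IP:            198.51.100.20
PROTO:             6
SRC PORT:          80
DST PORT:          24593
HTTP HOST:         download.example.invalid
HTTP REFERER:      <unknown>
MAGIC:             PE32+ executable for MS Windows (GUI)
STATE:             CLOSED
SIZE:              5382
"""

# Same record with an MD5 line inserted before SIZE, the way a correctly
# hashing file-store would write it (digest constructed from SAMPLE_FILE).
SAMPLE_META_WITH_MD5 = SAMPLE_META_NO_MD5.replace(
    "SIZE:",
    "MD5:               " + hashlib.md5(SAMPLE_FILE).hexdigest() + "\nSIZE:",
)

_LABEL_RE = re.compile(r"^([A-Z][A-Z0-9 ]*?):\s*(.*)$")


def parse_meta(text):
    """Parse 'LABEL:   value' lines into a dict keyed by label."""
    fields = {}
    for line in text.splitlines():
        m = _LABEL_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_record(meta_text, file_bytes):
    """Compare a meta record against the stored file it describes.

    Returns (md5_status, size_ok, computed_md5) where md5_status is
      'missing'  - no MD5 line in the meta record (the thread's symptom)
      'match'    - MD5 line present and equal to the hash of the file
      'mismatch' - MD5 line present but different (truncated/corrupt store)
    and size_ok tells whether SIZE agrees with the bytes actually on disk.
    """
    fields = parse_meta(meta_text)
    computed = hashlib.md5(file_bytes).hexdigest()
    size_ok = fields.get("SIZE") == str(len(file_bytes))
    recorded = fields.get("MD5")
    if recorded is None:
        return "missing", size_ok, computed
    status = "match" if recorded.lower() == computed else "mismatch"
    return status, size_ok, computed


def audit_store(log_dir):
    """Walk a file-store directory and check every file.<id>/.meta pair.

    Assumes (not confirmed by the thread) that stored files are named
    file.<id> with a sibling file.<id>.meta. Returns a list of
    (meta_path, md5_status, size_ok, computed_md5) tuples.
    """
    results = []
    for meta_path in sorted(Path(log_dir).glob("file.*.meta")):
        data_path = meta_path.with_name(meta_path.name[: -len(".meta")])
        if not data_path.is_file():
            continue  # meta without a stored body: nothing to hash
        status, size_ok, digest = check_record(
            meta_path.read_text(errors="replace"), data_path.read_bytes()
        )
        results.append((str(meta_path), status, size_ok, digest))
    return results


if __name__ == "__main__":
    for meta in (SAMPLE_META_NO_MD5, SAMPLE_META_WITH_MD5):
        print(check_record(meta, SAMPLE_FILE))
```

Run it against a real store with `audit_store("/var/log/suricata/files")` (or whatever `log-dir` resolves to in your build); any record that comes back `missing` is one where the sensor never hashed the file, and the `computed_md5` value is what an operator would otherwise have to produce by hand with `md5sum`.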
