[Oisf-users] on-the-fly md5 checksum calculation doesn't work on Daemon mode

Bâkır EMRE b4k1r3mr3 at gmail.com
Tue Apr 10 12:45:38 UTC 2012


Hi all
I want to use suricata's file extraction feature with on-the-fly md5
checksum calculation. All files on the network are extracted with suricata. But
when I run suricata with the "-D" parameter, md5 checksum calculation is
not working.

suricata is installed from the latest git tree: "Suricata 1.3beta1 OS: FreeBSD 9.0"

nss and nspr libraries are also installed:
pkg_info |grep "ns[sp]"
ca_root_nss-3.13.3  The root certificate bundle from the Mozilla Project
nspr-4.9            A platform-neutral API for system level and libc like funct
nss-3.13.3          Libraries to support development of security-enabled applic

compile parameters are:
./configure  \
--with-libnss-includes=/usr/local/include/nss/nss/ \
--with-libnspr-includes=/usr/local/include/nspr/ \
--with-libnspr-libraries=/usr/local/lib/nspr/  \
--with-libnss-libraries=/usr/local/lib/nss/ \
--with-libpcre-includes=/usr/local/include \
--with-libpcre-libraries=/usr/local/lib/  \
--enable-pcre-jit --enable-ipfw --enable-profiling

And my rule file contains only one rule:
alert http any any -> any any (msg:"FILE store all"; filestore;
sid:10001; rev:1;)

./src/suricata --build-info
[100351] 10/4/2012 -- 15:16:35 - (suricata.c:502) <Info>
(SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev fbe0206)
[100351] 10/4/2012 -- 15:16:35 - (suricata.c:575) <Info>
(SCPrintBuildInfo) -- Features: UNITTESTS IPFW PCAP_SET_BUFF
LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
PCRE_JIT HAVE_NSS PROFILING

run suricata in daemon mode:
suricata -c config.yaml -i bce1 -D
[100271] 10/4/2012 -- 15:27:22 - (suricata.c:1171) <Info> (main) --
This is Suricata version 1.3dev (rev fbe0206)
[100271] 10/4/2012 -- 15:27:22 - (util-cpu.c:171) <Info>
(UtilCpuPrintSummary) -- CPUs/cores online: 8
[100271] 10/4/2012 -- 15:27:22 - (util-ioctl.c:91) <Info>
(GetIfaceMTU) -- Found an MTU of 1500 for 'bce1'
[100271] 10/4/2012 -- 15:27:22 - (tmqh-flow.c:76) <Info>
(TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow
load balancer

the files-json file doesn't contain an md5 value

{ "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4,
"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
"sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
"www.google.com", "http_referer": "http:\/\/www.google.com\/",
"filename": "\/imghp", "magic": "HTML document text", "state":
"CLOSED", "stored": true, "size": 16661 }

but without the -D parameter it works perfectly

{ "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4,
"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
"sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
"www.google.com", "http_referer": "http:\/\/www.google.com\/",
"filename": "\/imghp", "magic": "HTML document text", "state":
"CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true,
"size": 16665 }

{ "id": 141, "timestamp": "04\/10\/2012-15:34:40.831035", "ipver": 4,
"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
"sp": 80, "dp": 4179, "http_uri": "\/webhp?hl=en&tab=iw", "http_host":
"www.google.com", "http_referer":
"http:\/\/www.google.com\/imghp?hl=en&tab=wi", "filename": "\/webhp",
"magic": "HTML document text", "state": "CLOSED", "md5":
"041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }

Best regards
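Added example (not part of the original post, and not Suricata code): a Python check that parses files-json records like the ones quoted above, flags stored files that lack a valid "md5" field (the daemon-mode symptom reported here), and recomputes the md5 of an extracted file against the logged value. The three records are embedded as constructed sample input; the field names are the ones that appear in the quoted output.

```python
import hashlib
import json
import re

# Records quoted in the post above, used here as constructed sample input.
# Record 159 was written in daemon mode and carries no "md5" field.
SAMPLE_FILES_JSON = r'''
{ "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4, "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, "sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host": "www.google.com", "http_referer": "http:\/\/www.google.com\/", "filename": "\/imghp", "magic": "HTML document text", "state": "CLOSED", "stored": true, "size": 16661 }
{ "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4, "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, "sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host": "www.google.com", "http_referer": "http:\/\/www.google.com\/", "filename": "\/imghp", "magic": "HTML document text", "state": "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true, "size": 16665 }
{ "id": 141, "timestamp": "04\/10\/2012-15:34:40.831035", "ipver": 4, "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, "sp": 80, "dp": 4179, "http_uri": "\/webhp?hl=en&tab=iw", "http_host": "www.google.com", "http_referer": "http:\/\/www.google.com\/imghp?hl=en&tab=wi", "filename": "\/webhp", "magic": "HTML document text", "state": "CLOSED", "md5": "041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }
'''

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_files_json(text):
    """Parse newline-delimited files-json records, skipping blank lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed files-json record: {exc}")
    return records


def audit_md5(records):
    """Return (id, reason) for each stored, closed file without a usable md5."""
    findings = []
    for rec in records:
        if not rec.get("stored") or rec.get("state") != "CLOSED":
            continue  # only fully stored files are expected to carry a hash
        md5 = rec.get("md5")
        if md5 is None:
            findings.append((rec.get("id"), "md5 missing"))
        elif not MD5_RE.match(md5):
            findings.append((rec.get("id"), f"md5 malformed: {md5!r}"))
    return findings


def verify_stored_file(record, content):
    """Recompute md5 over the extracted file bytes and compare with the log entry."""
    logged = record.get("md5")
    if logged is None or len(content) != record.get("size"):
        return False
    return hashlib.md5(content).hexdigest() == logged.lower()
```

Pointing parse_files_json at a real files-json file (one record per line) and alerting on a non-empty audit_md5 result catches the missing-hash case at run time; verify_stored_file is for spot-checking a file read back from the filestore directory against its log entry.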
