[Oisf-users] on-the-fly md5 checksum calculation doesn't work on Daemon mode

Martin Holste mcholste at gmail.com
Tue Apr 10 13:26:26 UTC 2012


Sounds like a permissions issue.  Are you running with --user to
change users after starting up, and does that user have permissions to
write to the configured directory?

On Tue, Apr 10, 2012 at 7:45 AM, Bâkır EMRE <b4k1r3mr3 at gmail.com> wrote:
> Hi all
> I want to use suricata's file extraction feature with on-the-fly md5
> checksum calculation. All files on the network are extracted with suricata. But
> when I run suricata with the "-D" parameter, md5 checksum calculation is
> not working.
>
> Suricata is installed from the latest git tree: "Suricata 1.3beta1 OS: FreeBSD 9.0"
>
> nss and nspr libraries are also installed
> pkg_info |grep "ns[sp]"
> ca_root_nss-3.13.3  The root certificate bundle from the Mozilla Project
> nspr-4.9            A platform-neutral API for system level and libc like funct
> nss-3.13.3          Libraries to support development of security-enabled applic
>
> compile parameters are:
> ./configure  \
> --with-libnss-includes=/usr/local/include/nss/nss/ \
> --with-libnspr-includes=/usr/local/include/nspr/ \
> --with-libnspr-libraries=/usr/local/lib/nspr/  \
> --with-libnss-libraries=/usr/local/lib/nss/ \
> --with-libpcre-includes=/usr/local/include \
> --with-libpcre-libraries=/usr/local/lib/  \
> --enable-pcre-jit --enable-ipfw --enable-profiling
>
> And my rule file contains only one rule:
> alert http any any -> any any (msg:"FILE store all"; filestore;
> sid:10001; rev:1;)
>
> ./src/suricata --build-info
> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:502) <Info>
> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev fbe0206)
> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:575) <Info>
> (SCPrintBuildInfo) -- Features: UNITTESTS IPFW PCAP_SET_BUFF
> LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> PCRE_JIT HAVE_NSS PROFILING
>
> run suricata in daemon mode
> suricata -c config.yaml -i bce1 -D
> [100271] 10/4/2012 -- 15:27:22 - (suricata.c:1171) <Info> (main) --
> This is Suricata version 1.3dev (rev fbe0206)
> [100271] 10/4/2012 -- 15:27:22 - (util-cpu.c:171) <Info>
> (UtilCpuPrintSummary) -- CPUs/cores online: 8
> [100271] 10/4/2012 -- 15:27:22 - (util-ioctl.c:91) <Info>
> (GetIfaceMTU) -- Found an MTU of 1500 for 'bce1'
> [100271] 10/4/2012 -- 15:27:22 - (tmqh-flow.c:76) <Info>
> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow
> load balancer
>
> files-json file doesn't contain an md5 value
>
> { "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4,
> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
> "sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
> "filename": "\/imghp", "magic": "HTML document text", "state":
> "CLOSED", "stored": true, "size": 16661 }
>
> but without the -D parameter it works perfectly
>
> { "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4,
> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
> "sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
> "filename": "\/imghp", "magic": "HTML document text", "state":
> "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true,
> "size": 16665 }
>
> { "id": 141, "timestamp": "04\/10\/2012-15:34:40.831035", "ipver": 4,
> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
> "sp": 80, "dp": 4179, "http_uri": "\/webhp?hl=en&tab=iw", "http_host":
> "www.google.com", "http_referer":
> "http:\/\/www.google.com\/imghp?hl=en&tab=wi", "filename": "\/webhp",
> "magic": "HTML document text", "state": "CLOSED", "md5":
> "041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }
>
> Best regards
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


