[Oisf-users] on-the-fly md5 checksum calculation doesn't work on Daemon mode

Bâkır EMRE b4k1r3mr3 at gmail.com
Wed Apr 11 08:41:39 UTC 2012


No, suricata is running with the root user (daemon mode and manual running),
and all files and directories are accessible with root permission.
I didn't use the "--user" parameter on FreeBSD. I guess libcap-ng is not
available for FreeBSD, and also, is it possible to use suricata with a
different user on FreeBSD?



On Tue, Apr 10, 2012 at 4:26 PM, Martin Holste <mcholste at gmail.com> wrote:
> Sounds like a permissions issue.  Are you running with --user to
> change users after starting up, and does that user have permissions to
> write to the configured directory?
>
> On Tue, Apr 10, 2012 at 7:45 AM, Bâkır EMRE <b4k1r3mr3 at gmail.com> wrote:
>> Hi all
>> I want to use suricata's file extraction feature with on-the-fly md5
>> checksum calculation. All files on the network are extracted with suricata. But
>> when I run suricata with the "-D" parameter, md5 checksum calculation is
>> not working.
>>
>> suricata is installed from the latest git tree: "Suricata 1.3beta1 OS: FreeBSD 9.0"
>>
>> The nss and nspr libraries are also installed:
>> pkg_info |grep "ns[sp]"
>> ca_root_nss-3.13.3  The root certificate bundle from the Mozilla Project
>> nspr-4.9            A platform-neutral API for system level and libc like funct
>> nss-3.13.3          Libraries to support development of security-enabled applic
>>
>> The compile parameters are:
>> ./configure  \
>> --with-libnss-includes=/usr/local/include/nss/nss/ \
>> --with-libnspr-includes=/usr/local/include/nspr/ \
>> --with-libnspr-libraries=/usr/local/lib/nspr/  \
>> --with-libnss-libraries=/usr/local/lib/nss/ \
>> --with-libpcre-includes=/usr/local/include \
>> --with-libpcre-libraries=/usr/local/lib/  \
>> --enable-pcre-jit --enable-ipfw --enable-profiling
>>
>> And my rule file contains only one rule:
>> alert http any any -> any any (msg:"FILE store all"; filestore;
>> sid:10001; rev:1;)
>>
>> ./src/suricata --build-info
>> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:502) <Info>
>> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev fbe0206)
>> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:575) <Info>
>> (SCPrintBuildInfo) -- Features: UNITTESTS IPFW PCAP_SET_BUFF
>> LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
>> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
>> PCRE_JIT HAVE_NSS PROFILING
>>
>> Run suricata in daemon mode:
>> suricata -c config.yaml -i bce1 -D
>> [100271] 10/4/2012 -- 15:27:22 - (suricata.c:1171) <Info> (main) --
>> This is Suricata version 1.3dev (rev fbe0206)
>> [100271] 10/4/2012 -- 15:27:22 - (util-cpu.c:171) <Info>
>> (UtilCpuPrintSummary) -- CPUs/cores online: 8
>> [100271] 10/4/2012 -- 15:27:22 - (util-ioctl.c:91) <Info>
>> (GetIfaceMTU) -- Found an MTU of 1500 for 'bce1'
>> [100271] 10/4/2012 -- 15:27:22 - (tmqh-flow.c:76) <Info>
>> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow
>> load balancer
>>
>> The files-json file doesn't contain the md5 value:
>>
>> { "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4,
>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>> "sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
>> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
>> "filename": "\/imghp", "magic": "HTML document text", "state":
>> "CLOSED", "stored": true, "size": 16661 }
>>
>> But without the -D parameter it works perfectly:
>>
>> { "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4,
>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>> "sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
>> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
>> "filename": "\/imghp", "magic": "HTML document text", "state":
>> "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true,
>> "size": 16665 }
>>
>> { "id": 141, "timestamp": "04\/10\/2012-15:34:40.831035", "ipver": 4,
>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>> "sp": 80, "dp": 4179, "http_uri": "\/webhp?hl=en&tab=iw", "http_host":
>> "www.google.com", "http_referer":
>> "http:\/\/www.google.com\/imghp?hl=en&tab=wi", "filename": "\/webhp",
>> "magic": "HTML document text", "state": "CLOSED", "md5":
>> "041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }
>>
>> Best regards
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
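As an added example (not code from the thread or from the Suricata project), the check below reads files-json lines like the ones quoted above, reports stored files that were logged without an "md5" field (the symptom seen in daemon mode), and recomputes the md5 of an extracted file to compare it with the logged value. The sample log lines are constructed from the entries quoted in the thread, with most fields trimmed.

```python
import hashlib
import json

# Constructed sample lines in the files-json format quoted in the thread
# (fields trimmed). The first entry has no "md5", as seen with -D.
SAMPLE_FILES_JSON = r"""
{ "id": 159, "filename": "\/imghp", "state": "CLOSED", "stored": true, "size": 16661 }
{ "id": 139, "filename": "\/imghp", "state": "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true, "size": 16665 }
{ "id": 141, "filename": "\/webhp", "state": "CLOSED", "md5": "041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }
"""


def parse_files_json(text):
    """Parse one JSON object per line; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def stored_without_md5(entries):
    """Return the ids of stored files that were logged without an md5 field."""
    return [e.get("id") for e in entries if e.get("stored") and "md5" not in e]


def md5_coverage(entries):
    """Fraction of stored entries carrying an md5 (1.0 means every file has one)."""
    stored = [e for e in entries if e.get("stored")]
    if not stored:
        return 1.0
    return sum("md5" in e for e in stored) / len(stored)


def md5_matches(entry, data):
    """Recompute md5 over the extracted file bytes and compare with the log.
    Returns None when the entry carries no md5 to compare against."""
    logged = entry.get("md5")
    if logged is None:
        return None
    return hashlib.md5(data).hexdigest() == logged.lower()


if __name__ == "__main__":
    entries = parse_files_json(SAMPLE_FILES_JSON)
    print("stored entries without md5:", stored_without_md5(entries))
    print("md5 coverage: %.2f" % md5_coverage(entries))
```

Run it against a real files-json.log (one object per line) to confirm whether checksums are being emitted; a coverage below 1.0 while file-store is enabled points at the checksum path not running.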



More information about the Oisf-users mailing list