[Oisf-users] on-the-fly md5 checksum calculation doesn't work on Daemon mode

Victor Julien victor at inliniac.net
Thu Apr 12 15:43:36 UTC 2012


On 04/11/2012 10:41 AM, Bâkır EMRE wrote:
> No suricata running with root user (daemon mode and manual running )
> and all files and directories accessible with root permission
> I didn't use "--user" parameter on freebsd. I guess libcap-ng is not
> available for freebsd, and also is it possible to use suricata with
> different user mode on freebsd?

Can you open a bug ticket for this?

Thanks,
Victor

> 
> 
> On Tue, Apr 10, 2012 at 4:26 PM, Martin Holste <mcholste at gmail.com> wrote:
>> Sounds like a permissions issue.  Are you running with --user to
>> change users after starting up, and does that user have permissions to
>> write to the configured directory?
>>
>> On Tue, Apr 10, 2012 at 7:45 AM, Bâkır EMRE <b4k1r3mr3 at gmail.com> wrote:
>>> Hi all
>>> I want to use suricata's file extraction feature with on the fly md5
>>> checksum calculation. All files on network extracted with suricata. But
>>> when I run suricata with "-D" parameter, md5 checksum calculation is
>>> not working.
>>>
>>> suricata installed from latest git tree  "Suricata 1.3beta1 OS: FreeBSD 9.0"
>>>
>>> nss and nspr library also installed
>>> pkg_info |grep "ns[sp]"
>>> ca_root_nss-3.13.3  The root certificate bundle from the Mozilla Project
>>> nspr-4.9            A platform-neutral API for system level and libc like funct
>>> nss-3.13.3          Libraries to support development of security-enabled applic
>>>
>>> compiling parameters are :
>>> ./configure  \
>>> --with-libnss-includes=/usr/local/include/nss/nss/ \
>>> --with-libnspr-includes=/usr/local/include/nspr/ \
>>> --with-libnspr-libraries=/usr/local/lib/nspr/  \
>>> --with-libnss-libraries=/usr/local/lib/nss/ \
>>> --with-libpcre-includes=/usr/local/include \
>>> --with-libpcre-libraries=/usr/local/lib/  \
>>> --enable-pcre-jit --enable-ipfw --enable-profiling
>>>
>>> And my rule file only contains a rule
>>> alert http any any -> any any (msg:"FILE store all"; filestore;
>>> sid:10001; rev:1;)
>>>
>>> ./src/suricata --build-info
>>> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:502) <Info>
>>> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev fbe0206)
>>> [100351] 10/4/2012 -- 15:16:35 - (suricata.c:575) <Info>
>>> (SCPrintBuildInfo) -- Features: UNITTESTS IPFW PCAP_SET_BUFF
>>> LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
>>> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
>>> PCRE_JIT HAVE_NSS PROFILING
>>>
>>> run suricata in daemon mode
>>> suricata -c config.yaml -i bce1 -D
>>> [100271] 10/4/2012 -- 15:27:22 - (suricata.c:1171) <Info> (main) --
>>> This is Suricata version 1.3dev (rev fbe0206)
>>> [100271] 10/4/2012 -- 15:27:22 - (util-cpu.c:171) <Info>
>>> (UtilCpuPrintSummary) -- CPUs/cores online: 8
>>> [100271] 10/4/2012 -- 15:27:22 - (util-ioctl.c:91) <Info>
>>> (GetIfaceMTU) -- Found an MTU of 1500 for 'bce1'
>>> [100271] 10/4/2012 -- 15:27:22 - (tmqh-flow.c:76) <Info>
>>> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow
>>> load balancer
>>>
>>> files-json file doesn't contain md5 value
>>>
>>> { "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4,
>>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>>> "sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
>>> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
>>> "filename": "\/imghp", "magic": "HTML document text", "state":
>>> "CLOSED", "stored": true, "size": 16661 }
>>>
>>> but without -D parameters works perfectly
>>>
>>> { "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4,
>>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>>> "sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
>>> "www.google.com", "http_referer": "http:\/\/www.google.com\/",
>>> "filename": "\/imghp", "magic": "HTML document text", "state":
>>> "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true,
>>> "size": 16665 }
>>>
>>> { "id": 141, "timestamp": "04\/10\/2012-15:34:40.831035", "ipver": 4,
>>> "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
>>> "sp": 80, "dp": 4179, "http_uri": "\/webhp?hl=en&tab=iw", "http_host":
>>> "www.google.com", "http_referer":
>>> "http:\/\/www.google.com\/imghp?hl=en&tab=wi", "filename": "\/webhp",
>>> "magic": "HTML document text", "state": "CLOSED", "md5":
>>> "041a4dcfd69b3034911073db9bf501e4", "stored": true, "size": 27364 }
>>>
>>> Best regards
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
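The thread's symptom is a files-json record that is "stored": true but carries no "md5" key. A defender relying on the logged digest (for hash lookups or evidence handling) wants to notice that gap rather than silently trust the log, and wants to confirm that a logged md5 really matches the bytes written to disk. The script below is an added example; it is not from the thread, from Suricata, or from any of the posters. It assumes the one-record-per-line JSON shape quoted above and the field names shown there ("id", "md5", "stored", "size"); the records and the file body it checks are constructed inline, with one record built in the thread's `\/`-escaped form to show that this parses as ordinary JSON.

```python
"""Audit Suricata files-json records for a missing or mismatched md5.

Added example, not part of the thread or of Suricata itself. It reads the
one-record-per-line JSON log quoted in the thread, reports stored files
whose record has no "md5" key (the daemon-mode symptom reported there),
flags md5 values that are not a 32-character hex digest, and recomputes
the MD5 of a stored file's bytes so the logged value can be checked
against what was actually written to disk.
"""
import hashlib
import json
import re

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample body standing in for a stored file's contents.
SAMPLE_BODY = b"<html><body>constructed sample file body</body></html>\n"


def md5_hex(data: bytes) -> str:
    """MD5 hex digest of raw bytes, the form Suricata logs in files-json."""
    return hashlib.md5(data).hexdigest()


# Constructed records in the shape quoted in the thread (assumed format):
#  line 1: stored but no md5, written as the thread shows it, with "\/"
#  line 2: a valid md5 that matches SAMPLE_BODY
#  line 3: an md5 field holding something that is not a hex digest
#  line 4: a blank line, as the log has between records
#  line 5: a truncated record, as left behind by a partial write
SAMPLE_FILES_JSON = "\n".join([
    r'{ "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4, '
    r'"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, '
    r'"sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", '
    r'"http_host": "www.google.com", "filename": "\/imghp", '
    r'"magic": "HTML document text", "state": "CLOSED", "stored": true, '
    r'"size": 16661 }',
    json.dumps({"id": 139, "ipver": 4, "protocol": 6, "filename": "/imghp",
                "state": "CLOSED", "md5": md5_hex(SAMPLE_BODY),
                "stored": True, "size": len(SAMPLE_BODY)}),
    json.dumps({"id": 141, "ipver": 4, "protocol": 6, "filename": "/webhp",
                "state": "CLOSED", "md5": "not-a-digest",
                "stored": True, "size": 27364}),
    "",
    "{ this is not json",
])


def parse_files_json(text: str):
    """Return ([(line_no, record), ...], [unparseable_line_no, ...])."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append((n, json.loads(line)))
        except json.JSONDecodeError:
            bad.append(n)
    return records, bad


def audit(text: str) -> dict:
    """Summarise which stored files lack an md5 and which md5 values are malformed."""
    records, bad = parse_files_json(text)
    missing = [r["id"] for _, r in records
               if r.get("stored") and "md5" not in r]
    malformed = [r["id"] for _, r in records
                 if "md5" in r and not (isinstance(r["md5"], str)
                                        and HEX_MD5.match(r["md5"]))]
    return {"records": len(records), "missing_md5": missing,
            "malformed_md5": malformed, "unparseable_lines": bad}


def verify_stored_file(record: dict, data: bytes) -> bool:
    """True only if the record's md5 and size both match the file bytes."""
    return (record.get("md5") == md5_hex(data)
            and record.get("size") == len(data))


if __name__ == "__main__":
    print(audit(SAMPLE_FILES_JSON))
    recs, _ = parse_files_json(SAMPLE_FILES_JSON)
    for _, rec in recs:
        if rec["id"] == 139:
            print("record 139 matches sample body:",
                  verify_stored_file(rec, SAMPLE_BODY))
```

Run against a real files-json log, a non-empty "missing_md5" list for records with "stored": true is the signal that the digest was not computed, which is exactly what the thread reports under -D; checking "size" together with the md5 in verify_stored_file catches a digest copied from the wrong record as well as a truncated file.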



