[Oisf-users] On the fly MD5 calculation without file store

Brandon Ganem brandonganem+oisf at gmail.com
Fri May 25 19:27:38 UTC 2012


Hi all,
Is it possible to do MD5 calculation without creating a rule to store
the file and storing the file?
Ideally I'd like to MD5 everything that comes across the wire without
actually setting off alerts. I am able to get MD5 calculation working
as per the wiki entry here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

relevant lines from suricata.yaml:

 - file-store:
     enabled: yes      # set to yes to enable
     log-dir: files    # Directory to store the files
     force-magic: yes  # Force logging magic on all stored file
     force-md5: yes    # Force logging of md5 checksums
     waldo: file.waldo # waldo file to store the file_id across runs

 - file-log:
     enabled: yes      # Json logging
     filename: files-json.log
     append: yes       # Append.
     force-magic: yes  # magic on all files
     force-md5: yes    # md5sum all files


I'm running:

Suricata 1.3dev (rev a0e57f5)

suricata --build-info
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:502) <Info>
(SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev a0e57f5)
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:575) <Info>
(SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1
AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1
HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
PCRE_JIT HAVE_NSS
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:589) <Info>
(SCPrintBuildInfo) -- 64-bits, Little-endian architecture
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:591) <Info>
(SCPrintBuildInfo) -- GCC version 4.5.2, C version 199901
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:597) <Info>
(SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:600) <Info>
(SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:603) <Info>
(SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:606) <Info>
(SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:609) <Info>
(SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:613) <Info>
(SCPrintBuildInfo) -- compiled with -fstack-protector
[30568] 25/5/2012 -- 15:05:11 - (suricata.c:619) <Info>
(SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2


Thank you!
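Added example (not from the original post and not Suricata code): the idea behind "on the fly" hashing is that each reassembled chunk is fed to the digest and then discarded, so the file is never held in memory or written to a store. The sample chunks, the `expected_size` parameter and the `CLOSED`/`TRUNCATED` labels are constructed for this illustration; the caveat it encodes is that a digest over an incomplete transfer is not the file's hash and should not be matched against a hash list.

```python
"""Streaming MD5 of a file reassembled from the wire, without storing it.

Added example; not code from the original post or from Suricata. Each
chunk is hashed and dropped, so the full file never exists on disk or in a
buffer. The "CLOSED"/"TRUNCATED" state labels, the expected_size hint and
the sample chunks are constructed for this example.
"""
import hashlib
from typing import Iterable, Optional


class StreamingFileHash:
    """Accumulate an MD5 over the chunks of one file transfer, keeping no data."""

    def __init__(self, expected_size: Optional[int] = None) -> None:
        self._md5 = hashlib.md5()            # MD5 to line up with force-md5 output
        self.size = 0                        # bytes hashed so far
        self.expected_size = expected_size   # e.g. HTTP Content-Length, if known

    def update(self, chunk: bytes) -> None:
        # Hash and forget: the chunk is not appended to any buffer.
        self._md5.update(chunk)
        self.size += len(chunk)

    def close(self, truncated: bool = False) -> dict:
        """Finalize the transfer.

        If fewer bytes arrived than announced, the transfer is reported as
        TRUNCATED. The md5 of a truncated transfer is the hash of a partial
        object, so callers should only trust it when state == "CLOSED".
        """
        if self.expected_size is not None and self.size != self.expected_size:
            truncated = True
        return {
            "md5": self._md5.hexdigest(),
            "size": self.size,
            "state": "TRUNCATED" if truncated else "CLOSED",
        }


def hash_transfer(chunks: Iterable[bytes], expected_size: Optional[int] = None,
                  truncated: bool = False) -> dict:
    """Hash a whole transfer chunk by chunk and return the summary record."""
    h = StreamingFileHash(expected_size)
    for chunk in chunks:
        h.update(chunk)
    return h.close(truncated)


# Constructed sample: a small "file" split into wire-sized chunks.
SAMPLE_CHUNKS = [b"MZ\x90\x00" * 100, b"\x00" * 1460, b"PAYLOAD-TAIL"]
SAMPLE_SIZE = sum(len(c) for c in SAMPLE_CHUNKS)

if __name__ == "__main__":
    complete = hash_transfer(SAMPLE_CHUNKS, expected_size=SAMPLE_SIZE)
    partial = hash_transfer(SAMPLE_CHUNKS[:2], expected_size=SAMPLE_SIZE)
    print(complete)   # state CLOSED: md5 covers the whole file
    print(partial)    # state TRUNCATED: md5 must not be used for matching
```

Chunk boundaries do not affect the result (`[b"a", b"bc"]` hashes the same as `[b"abc"]`), which is what makes per-segment hashing equivalent to hashing the stored file; the only thing lost by not storing is the ability to re-hash with a different algorithm later.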


