[Oisf-users] On the fly MD5 calculation without file store
Victor Julien
victor at inliniac.net
Fri May 25 19:33:43 UTC 2012
On 05/25/2012 09:27 PM, Brandon Ganem wrote:
> Hi all,
> Is it possible to do MD5 calculation without creating a rule to store
> the file and storing the file?
Yes, enabling only the file-log output should do this for you.
Cheers,
Victor
> Ideally I'd like to MD5 everything that comes across the wire without
> actually setting off alerts. I am able to get MD5 calculation working
> as per the wiki entry here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
>
> relevant lines from suricata.yaml:
>
> - file-store:
>     enabled: yes          # set to yes to enable
>     log-dir: files        # Directory to store the files
>     force-magic: yes      # Force logging magic on all stored file
>     force-md5: yes        # Force logging of md5 checksums
>     waldo: file.waldo     # waldo file to store the file_id across runs
>
> - file-log:
>     enabled: yes          # Json logging
>     filename: files-json.log
>     append: yes           # Append.
>     force-magic: yes      # magic on all files
>     force-md5: yes        # md5sum all files
>
> I'm running:
>
> Suricata 1.3dev (rev a0e57f5)
>
> suricata --build-info
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:502) <Info>
> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev a0e57f5)
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:575) <Info>
> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1
> AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> PCRE_JIT HAVE_NSS
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:589) <Info>
> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:591) <Info>
> (SCPrintBuildInfo) -- GCC version 4.5.2, C version 199901
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:597) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:600) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:603) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:606) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:609) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:613) <Info>
> (SCPrintBuildInfo) -- compiled with -fstack-protector
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:619) <Info>
> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
>
>
> Thank you!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
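Victor's answer written out as a suricata.yaml outputs fragment; this is an added illustration, not configuration from the thread, and it assumes the two outputs sit under the usual `outputs:` section and use the key names the poster's 1.3dev config shows:

```yaml
outputs:
  # Leave file-store off: no files written to disk, no files/ directory,
  # no waldo file; nothing is extracted unless a rule asks for it.
  - file-store:
      enabled: no

  # file-log alone tracks every file seen on the wire. With force-md5 set,
  # each entry in files-json.log carries the file's MD5, so the hash is
  # computed on the fly without storing the file or triggering an alert.
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      force-magic: yes   # optional: libmagic type for every file
      force-md5: yes     # required for hashing all files, not only rule matches
```

MD5 support in this version depends on the NSS build feature, which the poster's build-info shows as HAVE_NSS.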