[Oisf-users] On the fly MD5 calculation without file store

Victor Julien victor at inliniac.net
Fri May 25 19:33:43 UTC 2012


On 05/25/2012 09:27 PM, Brandon Ganem wrote:
> Hi all,
> Is it possible to do MD5 calculation without creating a rule to store
> the file and storing the file?

Yes, enabling only the file-log output should do this for you.

Cheers,
Victor

> Ideally I'd like to MD5 everything that comes across the wire without
> actually setting off alerts. I am able to get MD5 calculation working
> as per the wiki entry here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
> 
> relevant lines from suricata.yaml:
> 
>  - file-store:
>      enabled: yes      # set to yes to enable
>      log-dir: files    # Directory to store the files
>      force-magic: yes  # Force logging magic on all stored file
>      force-md5: yes    # Force logging of md5 checksums
>      waldo: file.waldo # waldo file to store the file_id across runs
> 
>  - file-log:
>      enabled: yes      # Json logging
>      filename: files-json.log
>      append: yes       # Append.
>      force-magic: yes  # magic on all files
>      force-md5: yes    # md5sum all files
> 
> I'm running:
> 
> Suricata 1.3dev (rev a0e57f5)
> 
> suricata --build-info
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:502) <Info>
> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev a0e57f5)
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:575) <Info>
> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1
> AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> PCRE_JIT HAVE_NSS
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:589) <Info>
> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:591) <Info>
> (SCPrintBuildInfo) -- GCC version 4.5.2, C version 199901
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:597) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:600) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:603) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:606) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:609) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:613) <Info>
> (SCPrintBuildInfo) -- compiled with -fstack-protector
> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:619) <Info>
> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
> 
> 
> Thank you!
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list