[Oisf-users] On the fly MD5 calculation without file store

Victor Julien victor at inliniac.net
Fri May 25 19:54:44 UTC 2012


On 05/25/2012 09:44 PM, Brandon Ganem wrote:
> Victor, making that change doesn't appear to change anything when invoking -D.
> 
> I remember somebody saying that MD5s were not logged with -D mode, as
> such I tested it and it works without -D. My apologies for posting to
> the mailing list; I should have checked redmine first.

Don't worry about it. I don't expect everyone to follow everything all
the time (with the exception of a fellow named Seth H of course).

> For anyone that is interested, the redmine link is:
> https://redmine.openinfosecfoundation.org/issues/449

Does the log not work at all for you with -D or only the md5 part?

Cheers,
Victor

> Thanks for the fast response Victor, keep up the great work.
> 
> On Fri, May 25, 2012 at 3:33 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 05/25/2012 09:27 PM, Brandon Ganem wrote:
>>> Hi all,
>>> Is it possible to do MD5 calculation without creating a rule to store
>>> the file and storing the file?
>>
>> Yes, enabling only the file-log output should do this for you.
>>
>> Cheers,
>> Victor
>>
>>> Ideally I'd like to MD5 everything that comes across the wire without
>>> actually setting off alerts. I am able to get MD5 calculation working
>>> as per the wiki entry here:
>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
>>>
>>> relevant lines from suricata.yaml:
>>>
>>>  - file-store:
>>>      enabled: yes      # set to yes to enable
>>>      log-dir: files    # Directory to store the files
>>>      force-magic: yes  # Force logging magic on all stored file
>>>      force-md5: yes    # Force logging of md5 checksums
>>>      waldo: file.waldo # waldo file to store the file_id across runs
>>>
>>>  - file-log:
>>>      enabled: yes      # Json logging
>>>      filename: files-json.log
>>>      append: yes       # Append.
>>>      force-magic: yes  # magic on all files
>>>      force-md5: yes    # md5sum all files
>>>
>>> I'm running:
>>>
>>> Suricata 1.3dev (rev a0e57f5)
>>>
>>> suricata --build-info
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:502) <Info>
>>> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev a0e57f5)
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:575) <Info>
>>> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1
>>> AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1
>>> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
>>> PCRE_JIT HAVE_NSS
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:589) <Info>
>>> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:591) <Info>
>>> (SCPrintBuildInfo) -- GCC version 4.5.2, C version 199901
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:597) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:600) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:603) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:606) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:609) <Info>
>>> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:613) <Info>
>>> (SCPrintBuildInfo) -- compiled with -fstack-protector
>>> [30568] 25/5/2012 -- 15:05:11 - (suricata.c:619) <Info>
>>> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
>>>
>>>
>>> Thank you!
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
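Victor's answer above is that file-log alone, with force-md5 set, hashes every file without file-store ever writing it to disk. The consumer side of that setup, as an added example that is not code from the thread or from the Suricata project: a small reader for the one-JSON-object-per-line files-json.log that skips records file-log could not hash, ignores a partially written trailing line (the log is opened in append mode), matches the md5 values against a watchlist, and counts how many records report "stored": true (which should be zero in this configuration). The field names (md5, stored, state, filename, http_host, srcip, dstip) are assumed from the 1.3-era file-log output and the sample records and watchlist hash are constructed.

```python
import json
from collections import Counter

# Constructed watchlist: md5("a") stands in for a known-bad hash.
WATCHLIST = {"0cc175b9c0f1b6a831c399e269772661": "constructed-sample-a"}

# Constructed sample of files-json.log written with force-md5: yes and file-store
# disabled. Field names are an assumption about the 1.3 file-log format.
SAMPLE_LOG = (
    '{"id": 1, "timestamp": "05/25/2012-15:05:11.000000", "srcip": "192.0.2.10", "dstip": "10.0.0.5", '
    '"http_host": "example.test", "filename": "/setup.exe", "magic": "PE32 executable", '
    '"state": "CLOSED", "md5": "0cc175b9c0f1b6a831c399e269772661", "stored": false, "size": 1}\n'
    '{"id": 2, "timestamp": "05/25/2012-15:05:12.000000", "srcip": "192.0.2.10", "dstip": "10.0.0.6", '
    '"http_host": "example.test", "filename": "/index.html", "magic": "HTML document", '
    '"state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": false, "size": 0}\n'
    '{"id": 3, "timestamp": "05/25/2012-15:05:13.000000", "srcip": "192.0.2.11", "dstip": "10.0.0.5", '
    '"http_host": "cdn.test", "filename": "/big.iso", "magic": "ISO 9660", '
    '"state": "TRUNCATED", "stored": false, "size": 4096}\n'
    '{"id": 4, "timestamp": "05/25/2012-15:05:14.0'  # last line still being written
)


def parse_file_log(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # append-mode log tailed mid-write: line is incomplete


def review(text, watchlist=WATCHLIST):
    """Summarise a file-log excerpt: watchlist hits, stored count, per-host totals."""
    hits, stored, without_md5, by_host = [], 0, 0, Counter()
    for rec in parse_file_log(text):
        by_host[rec.get("http_host", "?")] += 1
        if rec.get("stored"):
            stored += 1  # unexpected when file-store is disabled
        md5 = rec.get("md5")
        if not md5:  # e.g. state TRUNCATED: file-log never saw the whole file
            without_md5 += 1
            continue
        if md5.lower() in watchlist:
            hits.append((rec.get("filename"), rec.get("srcip"), rec.get("dstip"), md5))
    return {"hits": hits, "stored": stored, "without_md5": without_md5,
            "by_host": dict(by_host)}
```

A non-zero "stored" count or a large "without_md5" count is the quickest way to see that the configuration or the traffic is not doing what this thread expects.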