[Oisf-users] On the fly MD5 calculation without file store

Peter Manev petermanev at gmail.com
Sat May 26 14:42:39 UTC 2012


Hi,
Might be a bit late, but just to clarify:
at the moment it appears we have a problem/bug calculating MD5s in daemon
mode (-D); that problem does NOT exist if you run Suricata not in daemon
mode (ex: suricata -c /etc/suricata/suricata.yaml -i eth0).

If you would like to calculate just MD5s for everything (without any rules
for the files themselves), please enable only the JSON output with
forced MD5s and disable file-store, like this (in suricata.yaml):

  - file-store:
      enabled: no        # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: yes   # force logging magic on all stored files
      force-md5: yes     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

      force-magic: yes   # force logging magic on all logged files
      force-md5: yes     # force logging of md5 checksums



I have updated the wiki page as well (bottom of the page):

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

thanks

On Sat, May 26, 2012 at 2:15 AM, Seth Hall <seth at icir.org> wrote:

>
> On May 25, 2012, at 3:54 PM, Victor Julien wrote:
>
> > Don't worry about it. I don't expect everyone to follow everything all
> > the time (with exception of a fellow named Seth H of course).
>
>
> Hah!  So that I'm not just adding noise to your mailing list, I'll
> ask a question too. :)
>
> Do you have any measurements that show how much of a performance impact
> enabling MD5 calculation adds?  It's a global setting too, right (all on or
> all off)?
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev
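The file-log configuration in the message above logs an MD5 for every file Suricata sees in full, without writing the file to disk. As an added example that is not from the original post, the wiki page, or the Suricata project, here is a small Python consumer for that files-json.log: it matches each logged hash against a local MD5 blocklist and sets aside records that carry no usable hash (a truncated transfer never gets one). The sample log lines are constructed; the field names (md5, state, filename, http_host, srcip, dstip) and the CLOSED state value are assumptions about the 1.x file-log format, so check them against your own output before relying on this.

```python
"""Consume Suricata's files-json.log (file-log with force-md5: yes) and match
every logged MD5 against a local blocklist, with file-store disabled.

Added example, not Suricata code. Field names and the CLOSED state value are
assumptions about the 1.x file-log format; check them against real output.
"""
import hashlib
import json

# Hashes derived from constructed byte strings so the sample is self-consistent.
BAD_MD5 = hashlib.md5(b"constructed malicious sample\n").hexdigest()
BENIGN_MD5 = hashlib.md5(b"constructed benign sample\n").hexdigest()

# Constructed sample of files-json.log: one JSON object per line, plus one
# garbage line to exercise the parser (append mode can leave a partial line).
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "05/26/2012-14:40:01.000000", "srcip": "10.0.0.5",
                "dstip": "203.0.113.9", "http_host": "updates.example",
                "filename": "/update.exe", "magic": "PE32 executable",
                "state": "CLOSED", "md5": BAD_MD5, "size": 29}),
    json.dumps({"timestamp": "05/26/2012-14:40:02.000000", "srcip": "10.0.0.5",
                "dstip": "203.0.113.10", "http_host": "www.example",
                "filename": "/logo.png", "magic": "PNG image data",
                "state": "CLOSED", "md5": BENIGN_MD5, "size": 26}),
    # Transfer cut short: no md5 can be logged for a file never fully seen.
    json.dumps({"timestamp": "05/26/2012-14:40:03.000000", "srcip": "10.0.0.7",
                "dstip": "203.0.113.9", "http_host": "updates.example",
                "filename": "/big.iso", "magic": "ISO 9660 CD-ROM",
                "state": "TRUNCATED", "size": 1048576}),
    "this line is not JSON",
])

HEX = set("0123456789abcdef")


def parse_file_log(text):
    """Return the JSON records in a files-json.log body, skipping bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed or partial line; do not abort the whole run
        if isinstance(rec, dict):
            records.append(rec)
    return records


def load_blocklist(lines):
    """Normalise 'md5 [# comment]' lines to a set of lowercase hex digests."""
    digests = set()
    for raw in lines:
        h = raw.split("#", 1)[0].strip().lower()
        if len(h) == 32 and set(h) <= HEX:
            digests.add(h)
    return digests


def match_hashes(records, blocklist):
    """Split records into blocklist hits and records that carry no usable MD5."""
    hits, unhashed = [], []
    for rec in records:
        md5 = rec.get("md5")
        if not md5 or rec.get("state") != "CLOSED":
            unhashed.append(rec)  # nothing to match; worth a look in its own right
            continue
        if md5.lower() in blocklist:
            hits.append(rec)
    return hits, unhashed


if __name__ == "__main__":
    blocklist = load_blocklist([BAD_MD5.upper() + "  # constructed dropper",
                                "not-a-hash"])
    hits, unhashed = match_hashes(parse_file_log(SAMPLE_LOG), blocklist)
    for rec in hits:
        print("HIT", rec["md5"], rec["srcip"], "->", rec["dstip"],
              rec["http_host"] + rec["filename"])
    for rec in unhashed:
        print("NO-MD5", rec.get("state"), rec["srcip"], "->", rec["dstip"],
              rec["filename"])
```

Because file-log is written in append mode and the last line may be incomplete while Suricata is running, the parser drops unparsable lines instead of failing; the records without an MD5 are returned separately rather than silently ignored, since a transfer that was cut off is often exactly the one an analyst wants to see.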