[Oisf-users] On the fly MD5 calculation without file store
Peter Manev
petermanev at gmail.com
Sat May 26 14:42:39 UTC 2012
Hi,
Might be a bit late, but just to clarify -
at the moment it appears we have a problem/bug of calculating MD5s in daemon
mode ( -D ), that problem does NOT exist if you run Suricata not in daemon
mode (ex: suricata -c /etc/suricata/suricata.yaml -i eth0 )
If you would like to calculate just MD5s for everything (without any rules
for the files themselves) - please enable only the JSON output, with
forced MD5s and disable file-store, like this:
(in suricata.yaml)

  - file-store:
      enabled: no        # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: yes   # force logging magic on all stored files
      force-md5: yes     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      force-magic: yes   # force logging magic on all logged files
      force-md5: yes     # force logging of md5 checksums
I have updated the wiki page as well (bottom of the page):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
thanks
On Sat, May 26, 2012 at 2:15 AM, Seth Hall <seth at icir.org> wrote:
>
> On May 25, 2012, at 3:54 PM, Victor Julien wrote:
>
> > Don't worry about it. I don't expect everyone to follow everything all
> > the time (with exception of a fellow named Seth H of course).
>
>
> Hah! So that I'm not just adding noise to your mailing list, I'll
> ask a question too. :)
>
> Do you have any measurements that show how much of a performance impact
> enabling MD5 calculation adds? It's a global setting too, right (all on or
> all off)?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
--
Regards,
Peter Manev
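One way to consume the files-json.log that the configuration above produces, as an added example that is not part of the original post or of Suricata itself: it parses the per-file JSON lines, flags CLOSED files that were logged without an md5 (the symptom of the daemon-mode problem described above), and counts repeated checksums without storing any file to disk. The field names (id, state, md5, stored, size) and the sample lines are assumptions constructed for this example, not taken from the thread.

```python
import json
from collections import Counter
# Constructed sample lines in the shape of Suricata's files-json.log output.
# The field names (id, state, md5, stored, ...) are an assumption about the
# file-log JSON format, not something quoted in the thread.
SAMPLE_LOG = """\
{"id": 1, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "http_host": "a.test", "filename": "setup.exe", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": false, "size": 1024}
{"id": 2, "srcip": "10.0.0.7", "dstip": "10.0.0.9", "http_host": "b.test", "filename": "setup.exe", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": false, "size": 1024}
{"id": 3, "srcip": "10.0.0.8", "dstip": "10.0.0.9", "http_host": "c.test", "filename": "doc.pdf", "state": "CLOSED", "stored": false, "size": 4096}
not json at all
{"id": 4, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "http_host": "a.test", "filename": "x.bin", "state": "TRUNCATED", "md5": "900150983cd24fb0d6963f7d28e17f72", "stored": false, "size": 77}
"""

def parse_file_log(text):
    """Return one dict per well-formed JSON line, skipping blanks and junk."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue  # partial or non-JSON line, e.g. after an unclean restart
    return records

def missing_md5(records):
    """Ids of CLOSED files logged without an md5. With force-md5 on, every fully
    tracked file should carry one; a run of these means the setting is not in effect."""
    return [r.get("id") for r in records
            if r.get("state") == "CLOSED" and not r.get("md5")]

def md5_histogram(records):
    """md5 -> number of transfers, so the same content is recognised across hosts."""
    return Counter(r["md5"] for r in records if r.get("md5"))

def summarize(text):
    records = parse_file_log(text)
    hist = md5_histogram(records)
    return {
        "records": len(records),
        "missing_md5": missing_md5(records),
        "distinct_md5": len(hist),
        "repeated": {h: n for h, n in hist.items() if n > 1},
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```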