[Oisf-users] trying to get file logging working on 2.0.4

Russell Fulton r.fulton at auckland.ac.nz
Mon Dec 15 00:26:14 UTC 2014


I am trying to get suri to log windows executable files as we are starting to see significant numbers of successful infections from the EK platform and figure that we should grab any executable for submission to AV vendors.

I have a rule:

alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable"; filestore; sid:18; rev:1;)

Do I need to put an exact match for filemagic:?

Would I be better adding filestore: to the policy rules which don’t rely on filemagic.

and from the config:

- outputs:

  - file-store:
    enabled: yes      # set to yes to enable                                                                                                            
    log-dir: files    # directory to store the files
    force-magic: no   # force logging magic on all stored files
    force-md5: no     # force logging of md5 checksums
    waldo: file.waldo # waldo file to store the file_id across runs                                                                                                                       

The files directory gets created but nothing ever gets logged?

I have file logging turned on and I can see various executable files getting logged.

I assume I need file logging to link the files in the log dir with the download request.

What have I missed?


PS. I have been working from https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction

More information about the Oisf-users mailing list