[Oisf-users] trying to get file logging working on 2.0.4
Russell Fulton
r.fulton at auckland.ac.nz
Mon Dec 15 00:26:14 UTC 2014
Hi
I am trying to get suri to log windows executable files as we are starting to see significant numbers of successful infections from the EK platform and figure that we should grab any executable for submission to AV vendors.
I have a rule:
alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable"; filestore; sid:18; rev:1;)
Do I need to put an exact match for filemagic:?
Would I be better adding filestore: to the policy rules which don’t rely on filemagic?
and from the config:
- outputs:
  ...
  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files     # directory to store the files
      force-magic: no    # force logging magic on all stored files
      force-md5: no      # force logging of md5 checksums
      waldo: file.waldo  # waldo file to store the file_id across runs
The files directory gets created but nothing ever gets logged?
I have file logging turned on and I can see various executable files getting logged.
I assume I need file logging to link the files in the log dir with the download request.
What have I missed?
Russell
PS. I have been working from https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction