[Oisf-users] trying to get file logging working on 2.0.4

Peter Manev petermanev at gmail.com
Mon Dec 15 09:28:03 UTC 2014


On Mon, Dec 15, 2014 at 1:26 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I am trying to get suri to log windows executable files as we are starting to see significant numbers of successful infections from the EK platform and figure that we should grab any executable for submission to AV vendors.
>
> I have a rule:
>
> alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable"; filestore; sid:18; rev:1;)
>
> Do I need to put an exact match for filemagic:?
>
> Would I be better adding filestore: to the policy rules which don’t rely on filemagic.
>
> and from the config:
>
> - outputs:
>  ...
>
>   - file-store:
>     enabled: yes      # set to yes to enable
>     log-dir: files    # directory to store the files
>     force-magic: no   # force logging magic on all stored files
>     force-md5: no     # force logging of md5 checksums
>     waldo: file.waldo # waldo file to store the file_id across runs
>
> The files directory gets created but nothing ever gets logged?
>
> I have file logging turned on and I can see various executable files getting logged.
>
> I assume I need file logging to link the files in the log dir with the download request.
>
> What have I missed?
>
> Russell
>
> PS. I have been working from https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Can you please try (if you haven't) -
checksum-validation: no
in the suricata.yaml.

Also I would try just that -
alert http any any -> any any (msg:"FILE magic -- windows";
filemagic:"executable"; filestore; sid:18; rev:1;)
just to simplify and confirm that files are getting logged.

What is your starting line for Suricata? It might be a dir
permissions issue if you are running with dropping privileges but the
file dir is owned by root (or another user).

Thanks



-- 
Regards,
Peter Manev
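The three points raised in this thread (whether `filemagic:` needs an exact match, whether the rule actually carries `filestore`, and whether the `log-dir` is writable by the user Suricata drops privileges to) can be checked offline. The script below is an added illustration written for this page; it is not Suricata code and does not talk to Suricata. It parses the rule from Russell's mail, applies the `filemagic` semantics (a content-style substring match on the libmagic description, so `"executable"` matches `PE32 executable ...` without an exact match), and evaluates the mode bits of a `files` directory for the owner versus a hypothetical unprivileged run-as user. The libmagic strings and the `other_uid`/`other_gid` values are constructed for the example.

```python
"""Offline checks for the file-store troubleshooting steps in this thread.
Added example, not Suricata's own code: it simulates keyword semantics and
the directory permission check so they can be reasoned about without a
running sensor."""
import os
import stat
import tempfile

# The rule exactly as posted in the thread.
RULE = ('alert http any any -> any any (msg:"FILE magic -- windows"; '
        'flow:established,to_client; filemagic:"executable"; filestore; '
        'sid:18; rev:1;)')

# Constructed libmagic descriptions of the kind Suricata gets back from
# libmagic; not taken from a real capture.
SAMPLE_MAGIC = [
    "PE32 executable (GUI) Intel 80386, for MS Windows",
    "ELF 64-bit LSB executable, x86-64, version 1 (SYSV)",
    "HTML document, ASCII text",
]


def parse_rule_options(rule: str) -> dict:
    """Return the options inside the rule's parentheses as {keyword: value}.
    Flag keywords with no value (e.g. filestore) map to None. Simple parser:
    it assumes no ';' or ':' inside quoted values."""
    body = rule[rule.index("(") + 1: rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else None
    return opts


def filemagic_matches(pattern: str, magic_desc: str) -> bool:
    """filemagic is a content-style match: the pattern only has to occur
    inside libmagic's description, so no exact match is needed."""
    return pattern in magic_desc


def matching_magic(rule: str, magic_descs) -> list:
    """Which of the given libmagic descriptions the rule's filemagic hits."""
    pattern = parse_rule_options(rule).get("filemagic", "")
    return [d for d in magic_descs if filemagic_matches(pattern, d)]


def rule_stores_files(rule: str) -> bool:
    """A file is only written to log-dir if the matching rule has filestore."""
    return "filestore" in parse_rule_options(rule)


def can_user_write_dir(path: str, uid: int, gid: int) -> bool:
    """Judge the mode bits of `path` for a non-root process with uid/gid,
    i.e. the situation after Suricata drops privileges. Root is not special
    here on purpose: the interesting case is the unprivileged run-as user."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR) and bool(mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP) and bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)


def demo_permissions() -> tuple:
    """Create a 0700 'files' directory (what you get when root creates it)
    and evaluate it for the owner and for a hypothetical drop-privilege user.
    Returns (owner_can_write, other_user_can_write)."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = os.path.join(tmp, "files")
        os.mkdir(files_dir, 0o700)
        os.chmod(files_dir, 0o700)            # defeat the umask for the demo
        me_uid, me_gid = os.getuid(), os.getgid()
        other_uid, other_gid = me_uid + 1, me_gid + 1   # constructed run-as user
        return (can_user_write_dir(files_dir, me_uid, me_gid),
                can_user_write_dir(files_dir, other_uid, other_gid))


if __name__ == "__main__":
    print("filestore present:", rule_stores_files(RULE))
    print("filemagic hits:", matching_magic(RULE, SAMPLE_MAGIC))
    print("(owner writable, run-as user writable):", demo_permissions())
```

Run it as-is and the permission demo reports that the owner can write to the 0700 directory while the other user cannot, which is the situation Peter describes when the `files` directory belongs to root but Suricata has dropped to another user; the fix is to chown the directory to the run-as user, not to widen its mode.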


