[Oisf-users] trying to get file logging working on 2.0.4

Russell Fulton r.fulton at auckland.ac.nz
Thu Dec 18 23:34:37 UTC 2014


On 15/12/2014, at 10:28 pm, Peter Manev <petermanev at gmail.com> wrote:
> 
> Can you please try (if you haven't) -
> checksum-validation: no
> in the suricata.yaml.

Was set to no

> 
> also I would try just that -
> alert http any any -> any any (msg:"FILE magic -- windows";
> filemagic:"executable"; filestore; sid:18; rev:1;)
> just to simplify and confirm that files are getting logged.

done.

> 
> What is your starting line for Suricata - it might be a dir
> permissions issue if you are running with dropping privileges but the
> file dir is owned by root(or another user)?

sensors  32664  203  3.7 2673684 1849120 ?     Ssl  12:00   1:50 /usr/bin/suricata -D -c /home/sensors/dmzo/conf/suricata.conf --af-packet --pid /home/sensors/dmzo/run/suricata.pid

sensors at secmonprd01:~$ ls -ld data/dmzo/files
drwxrwxr-x 2 sensors sensors 4096 Dec 19 12:05 data/dmzo/files

which seems kosher.

Removing the run_as: section so we don't drop privs — still not seeing files being logged.

Russell
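Added example for the permissions question raised in this thread (not from Russell or Peter, and not part of Suricata): a small POSIX shell check that tells you whether the user Suricata drops privileges to can actually create files in the file-store directory, so you can rule that out before touching the rules. It assumes GNU or busybox stat(1) with -c and id(1) with -Gn; the user name `sensors` and the path in the usage comment are taken from the ps and ls output above and are only illustrative.

```shell
#!/bin/sh
# Added example, not from this thread: check whether the user that Suricata
# drops privileges to (the run-as user) can actually create files in the
# file-store directory. Assumes GNU/busybox stat(1) with -c and id(1) with -Gn.

# True when a single permission digit includes both write (2) and execute/search (1).
has_wx() { [ "$1" = 3 ] || [ "$1" = 7 ]; }

# Usage: filestore_writable_by USER DIR
# Prints a one-line diagnosis; returns 0 if USER can create files in DIR, 1 otherwise.
filestore_writable_by() {
    user="$1"
    dir="$2"

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist, so nothing can be stored there"
        return 1
    fi

    # root bypasses mode bits entirely (the case when run-as is not set).
    if [ "$(id -u "$user" 2>/dev/null)" = 0 ]; then
        echo "OK: $user is uid 0 and ignores directory permissions"
        return 0
    fi

    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")          # e.g. 775 or 2775 (setgid)
    perm=$(printf '%03d' "$mode")        # pad, then keep the last three digits
    perm=${perm#"${perm%???}"}
    o=${perm%??}                         # owner digit
    g=${perm#?}; g=${g%?}                # group digit
    w=${perm#??}                         # other digit

    if [ "$user" = "$owner" ]; then
        if has_wx "$o"; then echo "OK: $user owns $dir (mode $mode)"; return 0; fi
        echo "DENIED: $user owns $dir but the owner bits lack w+x (mode $mode)"
        return 1
    fi

    # Not the owner: does one of the user's groups match the directory group?
    for grp in $(id -Gn "$user" 2>/dev/null); do
        if [ "$grp" = "$group" ]; then
            if has_wx "$g"; then echo "OK: $user is in group $group (mode $mode)"; return 0; fi
            echo "DENIED: $user is in group $group but the group bits lack w+x (mode $mode)"
            return 1
        fi
    done

    if has_wx "$w"; then echo "OK: $dir is world-writable (mode $mode)"; return 0; fi
    echo "DENIED: $dir is $owner:$group mode $mode; $user has no write access"
    return 1
}

# Stand-alone use (illustrative names from this thread):
#   sh check-filestore.sh sensors /home/sensors/data/dmzo/files
if [ "$#" -eq 2 ]; then
    filestore_writable_by "$1" "$2"
fi
```

Run it as the same user that starts Suricata, passing the run-as user and the `files` directory from the file-store section of suricata.yaml. It only looks at classic owner/group/other bits; if the box uses ACLs or SELinux/AppArmor, a DENIED from the daemon can still come from those even when this reports OK.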
