[Oisf-users] trying to get file logging working on 2.0.4

Russell Fulton r.fulton at auckland.ac.nz
Thu Dec 18 23:47:54 UTC 2014


On 19/12/2014, at 12:34 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> 
> On 15/12/2014, at 10:28 pm, Peter Manev <petermanev at gmail.com> wrote:
>> 
>> Can you please try (if you haven't)  -
>> checksum-validation: no
>> in the suricata.yaml.
> 
> Was set to no
> 
>> 
>> also i would try just that  -
>> alert http any any -> any any (msg:"FILE magic -- windows";
>> filemagic:"executable"; filestore; sid:18; rev:1;)
>> just to simplify and confirm that files are getting logged.
> 
> done.
> 
>> 
>> What is your starting line for Suricata - it might be a dir
>> permissions issue if you are running with dropping privileges but the
>> file dir is owned by root(or another user)?
> 
> sensors  32664  203  3.7 2673684 1849120 ?     Ssl  12:00   1:50 /usr/bin/suricata -D -c /home/sensors/dmzo/conf/suricata.conf --af-packet --pid /home/sensors/dmzo/run/suricata.pid
> 
> sensors at secmonprd01:~$ ls -ld data/dmzo/files
> drwxrwxr-x 2 sensors sensors 4096 Dec 19 12:05 data/dmzo/files
> 
> which seems kosher.
> 
> removing run_as: section so we don’t drop privs  — still not seeing files being logged.
> 

one more data point.

I looked in the fast.log and the rule is firing — so it is an issue with storing the files….

Added full path to file-store:log-dir and still no joy

will have a play with eve

> Russell
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/




More information about the Oisf-users mailing list