[Oisf-users] trying to get file logging working on 2.0.4

Peter Manev petermanev at gmail.com
Sat Dec 20 17:07:00 UTC 2014


On Fri, Dec 19, 2014 at 12:47 AM, Russell Fulton
<r.fulton at auckland.ac.nz> wrote:
> On 19/12/2014, at 12:34 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
>>
>> On 15/12/2014, at 10:28 pm, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>> Can you please try (if you haven't)  -
>>> checksum-validation: no
>>> in the suricata.yaml.
>>
>> Was set to no
>>
>>>
>>> also i would try just that  -
>>> alert http any any -> any any (msg:"FILE magic -- windows";
>>> filemagic:"executable"; filestore; sid:18; rev:1;)
>>> just to simplify and confirm that files are getting logged.
>>
>> done.
>>
>>>
>>> What is your starting line for Suricata - it might be a dir
>>> permissions issue if you are running with dropping privileges but the
>>> file dir is owned by root(or another user)?
>>
>> sensors  32664  203  3.7 2673684 1849120 ?     Ssl  12:00   1:50 /usr/bin/suricata -D -c /home/sensors/dmzo/conf/suricata.conf --af-packet --pid /home/sensors/dmzo/run/suricata.pid
>>
>> sensors at secmonprd01:~$ ls -ld data/dmzo/files
>> drwxrwxr-x 2 sensors sensors 4096 Dec 19 12:05 data/dmzo/files
>>
>> which seems kosher.
>>
>> removing run_as: section so we don’t drop privs — still not seeing files being logged.
>>
>
> one more data point.
>
> I looked in the fast.log and the rule is firing — so it is an issue with storing the files….
>
> Added full path to file-store:log-dir and still no joy
>
> will have a play with eve
>
>> Russell
>>


What are your settings with regards to - stream.reassembly.depth?
What are your settings in the libhtp section of the yaml, mainly
"request-body-limit:" and "response-body-limit:"?
What is your "default-log-dir" setting in the yaml?
What is your "file-store: ... log-dir:" setting?

Are there any error messages in the suricata.log?

Thanks


-- 
Regards,
Peter Manev


