[Oisf-users] Question about filestore/MD5 based alerting

Adnan Baykal abaykal at gmail.com
Wed Mar 5 19:38:24 UTC 2014


When configuring Suricata with the following options:

- file-store:
    enabled: yes       # set to yes to enable
    log-dir: files     # directory to store the files
    force-magic: yes   # force logging magic on all stored files
    force-md5: yes     # force logging of md5 checksums
    #waldo: file.waldo # waldo file to store the file_id across runs

- file-log:
    enabled: yes
    filename: files-json.log
    append: no

the files-json.log file contains an entry for each file downloaded instead of
only those files that are alerted on.

Is anyone using Suricata for MD5-based alerting? If so, do you have any
recommendations on how to do this efficiently while keeping as much info as
possible on the alert?

Thanks
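One way to get MD5-based alerts out of the per-file log described above, as an added example that is not from the original post or from Suricata itself: it reads files-json.log line by line, keeps only the entries whose md5 is on a known-bad list, and carries the whole record through so no context is lost. The field names and sample lines are constructed assumptions modelled on Suricata's files-json.log, and the hash list format (one hex digest per line, # comments) is the same shape a Suricata filemd5 rule would reference.

```python
import json

# Constructed sample of files-json.log lines (one JSON object per line).
# Field names follow Suricata's files-json.log as an assumption; values are made up.
SAMPLE_LOG = """\
{"id": 1, "timestamp": "03/05/2014-19:30:01.000001", "srcip": "203.0.113.10", "dstip": "192.0.2.20", "http_host": "example.test", "http_uri": "/tools.exe", "filename": "tools.exe", "magic": "PE32 executable", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "stored": true, "size": 0}
{"id": 2, "timestamp": "03/05/2014-19:30:02.000001", "srcip": "203.0.113.10", "dstip": "192.0.2.20", "http_host": "example.test", "http_uri": "/big.iso", "filename": "big.iso", "magic": "ISO 9660", "state": "TRUNCATED", "stored": false, "size": 1048576}
{"id": 3, "timestamp": "03/05/2014-19:30:03.000001", "srcip": "203.0.113.11", "dstip": "192.0.2.20", "http_host": "example.test", "http_uri": "/abc.txt", "filename": "abc.txt", "magic": "ASCII text", "state": "CLOSED", "md5": "900150983CD24FB0D6963F7D28E17F72", "stored": true, "size": 3}
this line is not json and must be skipped
"""

# Constructed known-bad MD5 list: one hex digest per line, '#' comments allowed,
# case-insensitive (Suricata's filemd5 lists use the same one-hash-per-line shape).
BAD_MD5_LIST = """\
# constructed list for the example
D41D8CD98F00B204E9800998ECF8427E
900150983cd24fb0d6963f7d28e17f72
"""

def load_md5_list(text):
    """Return the set of lowercase 32-hex-char digests found in a hash list."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if len(line) == 32 and all(c in "0123456789abcdef" for c in line):
            hashes.add(line)
    return hashes

def match_files_log(log_text, bad_hashes):
    """Return the full files-json.log records whose md5 is in bad_hashes."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the whole log
        md5 = entry.get("md5")
        if not md5:
            continue  # no digest logged (e.g. truncated transfer): nothing to match
        if md5.lower() in bad_hashes:
            hits.append(entry)  # keep the whole record as the alert context
    return hits

if __name__ == "__main__":
    for hit in match_files_log(SAMPLE_LOG, load_md5_list(BAD_MD5_LIST)):
        print(json.dumps(hit))
```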