[Oisf-users] Questions about MD5 hashes and FileStore

Adnan Baykal abaykal at gmail.com
Thu Mar 6 12:26:56 UTC 2014


Just recently, I started playing with the file extraction and MD5 logging
features and had a couple of questions.

1. Is it possible to only log those transactions in the files-json.log
where the stream contains a Windows executable? (without actually storing
the file)

2. Is it possible to log those entries in the files-json.log file where the MD5
matches a given list? If we enable file store and have a rule with filestore;
filemd5:badmd5s.txt, and we enable the JSON logging, it seems that it logs
everything, including those files that are not in the MD5 list. We played
with this a lot and could not get this to work.

3. When files-json.log is enabled and file store is turned off, it logs a
lot of information but it appears that it misses some communications. I
have been downloading a file from a website over and over again and it
never showed up in the logs.

4. When doing MD5 blacklisting, is there any way to figure out exactly what
MD5 triggered the alert? It seems it only says "[whatever we put in the
message]" in the rule, and if we have 100K MD5s, it is kind of hard to
figure out which one triggered it.

If anyone who has experience with these features can answer any of these
questions, I would really appreciate it.