[Oisf-users] Question about filestore/MD5 based alerting
Peter Manev
petermanev at gmail.com
Thu Mar 6 07:33:57 UTC 2014
On Wed, Mar 5, 2014 at 8:38 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> When configuring suricata with the following options:
>
>   - file-store:
>       enabled: yes        # set to yes to enable
>       log-dir: files      # directory to store the files
>       force-magic: yes    # force logging magic on all stored files
>       force-md5: yes      # force logging of md5 checksums
>       #waldo: file.waldo  # waldo file to store the file_id across runs
>
>   - file-log:
>       enabled: yes
>       filename: files-json.log
>       append: no
>
>
>
> files-json.log file contains an entry for each file downloaded instead of
> only those files that are alerted on.
>
> any one using suricata for md5 based alerting? if so, do you have any
> recommendations on how to do this efficiently while keeping as much info as
> possible on the alert?
>
This is the intended behaviour, as described here (bottom of the page):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
If you would like to store only the file transactions that generate
an alert, you would have to use the filestore keyword, as described
here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
Some more info about file keywords:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords
Thank you
--
Regards,
Peter Manev
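As an added illustration of the approach Peter points to (this is not a rule from the original thread or from the Suricata project), the following signature combines the filemd5 keyword, which matches the extracted file's MD5 against a plain-text list of one hash per line, with the filestore keyword, so that only file transactions that trigger this rule are written to the file-store log-dir. The list name "md5-blacklist" and the sid are placeholders chosen for this example; the list file is looked up relative to the rule file's directory.

```text
# Added example, not from the original post. Placeholders: the hash list
# "md5-blacklist" (one MD5 per line, kept next to the rule file) and sid.
alert http any any -> any any (msg:"File with blacklisted MD5 downloaded"; filemd5:md5-blacklist; filestore; sid:1000001; rev:1;)
```

With this rule in place, the file-store directory only receives files whose MD5 is on the list, and the resulting alert carries the file metadata, while files-json.log still records every file seen if file-log remains enabled.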