[Oisf-users] Question about filestore/MD5 based alerting

Peter Manev petermanev at gmail.com
Thu Mar 6 07:33:57 UTC 2014

On Wed, Mar 5, 2014 at 8:38 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> When configuring suricata with the following options:
>   - file-store:
>       enabled: yes       # set to yes to enable
>       log-dir: files     # directory to store the files
>       force-magic: yes   # force logging magic on all stored files
>       force-md5: yes     # force logging of md5 checksums
>       #waldo: file.waldo # waldo file to store the file_id across runs
>   - file-log:
>       enabled: yes
>       filename: files-json.log
>       append: no
> files-json.log file contains an entry for each file downloaded instead of
> only those files that are alerted on.
> Anyone using Suricata for MD5 based alerting? If so, do you have any
> recommendations on how to do this efficiently while keeping as much info as
> possible on the alert?

This is the intended behaviour, as described here (bottom of the page):

If you would like to store only the file transactions that generate
an alert, you would have to use the filestore keyword, as described

Some more info about file keywords:

Thank you

Peter Manev
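As an added illustration of the approach described in this reply (not part of the thread), the rules below combine the filemd5 keyword with the filestore keyword so that only files whose MD5 is on a list are alerted on and written to the file-store directory, while file-log keeps logging every file. The list file name known-bad.md5 and the sid values are assumptions; the list is a plain text file with one lowercase MD5 hex digest per line, and the single hash shown as a constructed sample is the MD5 of the empty string.

```text
# known-bad.md5 (constructed sample, one MD5 per line, no comments in the real file):
#   d41d8cd98f00b204e9800998ecf8427e

# Alert on any HTTP file transfer whose MD5 appears in known-bad.md5 and
# store only that file. Without the filestore keyword, file-store with
# force-md5 keeps nothing extra, and file-log still records every file
# regardless of whether a rule matched.
alert http any any -> any any (msg:"FILE known-bad MD5 match"; filemd5:known-bad.md5; filestore; classtype:trojan-activity; sid:1000001; rev:1;)

# Optional: keep an alert (but no stored copy) for executables that are NOT
# on the list, so the alert stream still carries filename/magic/md5 context.
alert http any any -> any any (msg:"FILE unlisted executable download"; filemagic:"executable"; filemd5:!known-bad.md5; sid:1000002; rev:1;)
```

The stored copies land in the log-dir from the quoted file-store section, and the matching file-log entry for the same flow provides the filename, magic and md5 fields to correlate with the alert.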
