[Oisf-users] Questions about MD5 hashes and FileStore

Victor Julien lists at inliniac.net
Thu Mar 6 12:43:26 UTC 2014

On 03/06/2014 01:26 PM, Adnan Baykal wrote:
> Just recently, I started playing with the file extraction and MD5
> logging features and had a couple of questions.
> 1. Is it possible to only log those transactions in the files-json.log
> where the stream contains a Windows executable? (without actually
> storing the file)
> 2. Is it possible to log those entries in the files-json.log file where
> the md5 matches a given list? If we enable file store and have a rule
> filestore; filemd5:badmd5s.txt, and we enable the json logging, it seems
> that it logs everything, including those files that are not in the md5
> list. We played with this a lot and could not get this to work.

files-json.log is unconditional at this point. It will log what it sees.

> 3. when files-json.log is enabled and file store is turned off, it logs
> a lot of information but it appears that it misses some communications.
> I have been downloading a file from a website over and over again and it
> never showed up in the logs.

Can you reproduce this in a pcap? If so, can you share this pcap?

> 4. When doing md5 blacklisting, is there any way to figure out exactly
> what md5 triggered the alert? It seems it only says "[whatever we put in
> the message]" in the rule, and if we have 100K md5s, it is kind of hard
> to figure out which one triggered it.

No, you will have to correlate the alert with your files-json log entry.

The alert formats we've been using so far are very inflexible, and
adding dynamic data to them wasn't possible.

In 2.0 we're introducing the json logging, where it will be easier to
add extra data. But that hasn't been implemented yet.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
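Since files-json.log is unconditional, the filtering asked for in questions 1 and 2 and the alert-to-md5 correlation described for question 4 can be done after the fact over the log. The script below is an added example, not code from this thread or from Suricata itself; the JSON field names (srcip, dstip, sp, dp, magic, md5) and the fast.log line layout are assumptions modelled on the 1.4-era formats, and every log line and md5 in it is constructed.

```python
import json
import re

# Constructed files-json.log lines. Field names are an assumption (1.4-era layout).
FILES_JSON_LOG = """\
{"timestamp":"03/06/2014-12:40:01.000100","srcip":"10.0.0.5","dstip":"93.184.216.34","sp":49152,"dp":80,"http_uri":"/setup.exe","filename":"setup.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","md5":"d41d8cd98f00b204e9800998ecf8427e","stored":false,"size":70144}
{"timestamp":"03/06/2014-12:40:02.000200","srcip":"10.0.0.5","dstip":"93.184.216.34","sp":49153,"dp":80,"http_uri":"/doc.pdf","filename":"doc.pdf","magic":"PDF document, version 1.4","md5":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","stored":false,"size":1024}
{"timestamp":"03/06/2014-12:40:03.000300","srcip":"10.0.0.7","dstip":"93.184.216.34","sp":49200,"dp":80,"http_uri":"/a.bin","filename":"a.bin","magic":"data","md5":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","stored":false,"size":512}
"""

# Constructed blacklist in the one-md5-per-line layout a filemd5 file uses.
BAD_MD5S = """\
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
# comment lines are ignored
"""

# Constructed fast.log alert from a hypothetical filemd5 rule (sid 9000001).
FAST_LOG = """\
03/06/2014-12:40:03.000450  [**] [1:9000001:1] bad md5 [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.7:49200 -> 93.184.216.34:80
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
                      r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)$")

def load_md5s(text):
    """Parse a filemd5-style list: one lowercase hex digest per line, '#' comments skipped."""
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def flow_key(src, sp, dst, dp):
    return (src, int(sp), dst, int(dp))

def filter_files(log_text, bad_md5s):
    """Keep only entries that are Windows executables (question 1) or listed md5s (question 2).
    Returns (flow_key, md5, reasons) per hit; magic comes from libmagic, so 'PE32' is the usual prefix."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        reasons = []
        if e.get("magic", "").startswith("PE32"):
            reasons.append("pe")
        if e.get("md5", "").lower() in bad_md5s:
            reasons.append("md5")
        if reasons:
            hits.append((flow_key(e["srcip"], e["sp"], e["dstip"], e["dp"]), e["md5"], reasons))
    return hits

def md5_for_alerts(fast_log_text, file_hits):
    """Question 4: map each alert's sid to the listed md5 seen on the same flow (src, sp, dst, dp).
    Flows reusing a 4-tuple would need a timestamp window on top of this."""
    by_flow = {k: md5 for k, md5, r in file_hits if "md5" in r}
    out = {}
    for line in fast_log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out[m["sid"]] = by_flow.get(flow_key(m["src"], m["sp"], m["dst"], m["dp"]))
    return out
```

On a live sensor the same functions can be run over the real files-json.log and fast.log; entries whose md5 is not found on any flow indicate the file log missed the transfer, which is the symptom raised in question 3.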
