[Oisf-users] Questions about MD5 hashes and FileStore

Peter Manev petermanev at gmail.com
Thu Mar 6 12:54:09 UTC 2014


On Thu, Mar 6, 2014 at 1:43 PM, Victor Julien <lists at inliniac.net> wrote:
> On 03/06/2014 01:26 PM, Adnan Baykal wrote:
>> Just recently, I started playing with the file extraction and MD5
>> logging features and had a couple of questions.
>>
>> 1. is it possible to only log those transactions in the files-json.log
>> where the stream contains a windows executable? (without actually
>> storing the file)
>>
>> 2. is it possible to log those entries in the files-json.log file where
>> md5 matches a given list? if we enable file store and have a rule
>> filestore; filemd5:badmd5s.txt, and we enable the json logging, it seems
>> that it logs everything, including those files that are not in the md5
>> list. we played with this a lot and could not get this to work.
>
> files-json.log is unconditional at this point. It will log what it sees.
>
>> 3. when files-json.log is enabled and file store is turned off, it logs
>> a lot of information but it appears that it misses some communications.
>> I have been downloading a file from a website over and over again and it
>> never showed up in the logs.
>
> Can you reproduce this in a pcap? If so, can you share this pcap?

It could also be related to offloading - example:
ethtool -k eth1
The output will show if offloading is enabled/disabled. Make sure all
values are set to "off".

>
>> 4. when doing md5 blacklisting, is there any way to figure out exactly
>> what md5 triggered the alert? it seems it only says "[whatever we put in
>> the message]" in the rule and if we have 100K md5s, it is kind of hard
>> to figure out which one triggered it.
>
> No, you will have to correlate the alert with your files-json log entry.
>
> The alert formats we've been using so far are very inflexible, and
> adding dynamic data to them wasn't possible.
>
> In 2.0 we're introducing the json logging, there it will be easier to
> add extra data. But that hasn't been implemented yet.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev
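Since files-json.log is unconditional (Victor's answer to question 2) and the alert only carries the rule's msg (question 4), the filtering for Windows executables, the filtering against an MD5 list and the "which hash fired" question all have to be done after the fact on the log. The following is an added example of that post-processing; it is not code from this thread or from Suricata. It assumes the files-json.log field names of that era (srcip, dstip, sp, dp, filename, magic, md5, stored, size) and the fast.log "{TCP} a.b.c.d:port -> w.x.y.z:port" tuple layout. All log lines, hashes and the sid 9000001 are constructed for the example.

```python
import json
import re

# Constructed files-json.log lines (one JSON object per line) in the field
# layout of Suricata's files-json.log at the time of this thread. The MD5
# values are placeholders, not hashes of real files.
SAMPLE_FILES_LOG = """\
{"id": 1, "timestamp": "03/06/2014-12:01:02.123456", "ipver": 4, "srcip": "203.0.113.10", "dstip": "10.0.0.5", "protocol": 6, "sp": 80, "dp": 49152, "http_uri": "/dl/tool.exe", "http_host": "example.net", "http_referer": "<unknown>", "filename": "/dl/tool.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "CLOSED", "md5": "0123456789abcdef0123456789abcdef", "stored": false, "size": 4096}
{"id": 2, "timestamp": "03/06/2014-12:01:05.654321", "ipver": 4, "srcip": "203.0.113.10", "dstip": "10.0.0.5", "protocol": 6, "sp": 80, "dp": 49153, "http_uri": "/index.html", "http_host": "example.net", "http_referer": "<unknown>", "filename": "/index.html", "magic": "HTML document, ASCII text", "state": "CLOSED", "md5": "fedcba9876543210fedcba9876543210", "stored": false, "size": 812}
{"id": 3, "timestamp": "03/06/2014-12:01:09.000001", "ipver": 4, "srcip": "198.51.100.7", "dstip": "10.0.0.5", "protocol": 6, "sp": 80, "dp": 49160, "http_uri": "/setup.exe", "http_host": "example.org", "http_referer": "<unknown>", "filename": "/setup.exe", "magic": "PE32+ executable (console) x86-64, for MS Windows", "state": "CLOSED", "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "stored": false, "size": 65536}
"""

# Constructed filemd5 list: one lowercase hex MD5 per line, as filemd5 reads it.
SAMPLE_BADMD5S = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

# Constructed fast.log line for a filemd5 rule; the sid is made up.
SAMPLE_ALERT = ("03/06/2014-12:01:09.000123  [**] [1:9000001:1] bad md5 [**] "
                "[Classification: (null)] [Priority: 3] {TCP} 198.51.100.7:80 -> 10.0.0.5:49160")

ALERT_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sp>\d+) -> (?P<dst>[\d.]+):(?P<dp>\d+)")


def parse_files_log(text):
    """Parse files-json.log text into dicts, skipping blank or truncated lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except ValueError:
            continue  # a half-written last line is normal on a live log
    return entries


def is_windows_executable(entry):
    """Question 1: keep entries whose libmagic string denotes a PE or MZ file."""
    magic = entry.get("magic", "")
    return magic.startswith("PE32") or magic.startswith("MS-DOS executable")


def load_md5_list(text):
    """Read a filemd5-style list (one hash per line) into a lowercase set."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes


def entries_matching_md5s(entries, bad_md5s):
    """Question 2: the subset of file entries whose md5 is on the list."""
    return [e for e in entries if e.get("md5", "").lower() in bad_md5s]


def parse_alert(line):
    """Pull protocol and 5-tuple out of a fast.log alert line (None if absent)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "sp": int(m["sp"]),
            "dst": m["dst"], "dp": int(m["dp"])}


def triggering_md5s(alert_line, entries, bad_md5s):
    """Question 4: which listed MD5(s) sat in the flow that produced the alert.

    files-json.log records the tuple in the direction the file travelled and
    fast.log may print it either way, so both orientations are accepted.
    """
    alert = parse_alert(alert_line)
    if alert is None:
        return set()
    fwd = (alert["src"], alert["sp"], alert["dst"], alert["dp"])
    rev = (alert["dst"], alert["dp"], alert["src"], alert["sp"])
    found = set()
    for e in entries:
        tup = (e.get("srcip"), e.get("sp"), e.get("dstip"), e.get("dp"))
        if tup in (fwd, rev) and e.get("md5", "").lower() in bad_md5s:
            found.add(e["md5"].lower())
    return found


if __name__ == "__main__":
    files = parse_files_log(SAMPLE_FILES_LOG)
    bad = load_md5_list(SAMPLE_BADMD5S)
    for e in filter(is_windows_executable, files):
        print("exe:", e["filename"], e["md5"])
    for e in entries_matching_md5s(files, bad):
        print("listed md5:", e["md5"], e["filename"])
    print("alert triggered by:", triggering_md5s(SAMPLE_ALERT, files, bad))
```

Matching on the 4-tuple alone is enough here because every file entry in the matched flow that is also on the list is, by construction, one that the filemd5 rule would have fired on; if the same client re-uses a source port across two flows, add the timestamp window to the join.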

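On Peter's offloading point: `ethtool -k` prints one line per feature, and features marked `[fixed]` cannot be changed, so a quick check is to pick out the top-level features that are still "on" and changeable and turn exactly those off. The following is an added example of that check; it is not code from the thread or from Suricata or ethtool. The ethtool output below is constructed with a mixed set of states; the long-to-short name map follows the feature names documented for `ethtool -K` (rx, tx, sg, tso, ufo, gso, gro, lro, rxvlan, txvlan, ntuple, rxhash), and a name without a short form is passed through unchanged.

```python
import re

# Constructed `ethtool -k eth1` output (layout as ethtool prints it; the
# particular on/off states are made up to show a mixed case).
SAMPLE_ETHTOOL_K = """\
Features for eth1:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: on
scatter-gather: on
\ttx-scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: off
ntuple-filters: off [fixed]
receive-hashing: on
"""

# Long feature names as printed by `ethtool -k` mapped to the short names
# `ethtool -K` documents; newer ethtool releases also accept the long names,
# which is what the fallback in disable_commands relies on.
SHORT_NAME = {
    "rx-checksumming": "rx",
    "tx-checksumming": "tx",
    "scatter-gather": "sg",
    "tcp-segmentation-offload": "tso",
    "udp-fragmentation-offload": "ufo",
    "generic-segmentation-offload": "gso",
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "rx-vlan-offload": "rxvlan",
    "tx-vlan-offload": "txvlan",
    "ntuple-filters": "ntuple",
    "receive-hashing": "rxhash",
}

# "name: on|off" optionally followed by a bracketed qualifier such as [fixed].
LINE_RE = re.compile(r"^(?P<name>[a-z0-9-]+): (?P<state>on|off)(?: \[(?P<flag>[^\]]+)\])?$")


def parse_features(text):
    """Map top-level feature -> (state, flag) from `ethtool -k` output.

    Indented sub-features are skipped: toggling the parent covers them.
    """
    feats = {}
    for line in text.splitlines():
        if not line or line.startswith((" ", "\t")) or line.startswith("Features for"):
            continue
        m = LINE_RE.match(line.strip())
        if m:
            feats[m["name"]] = (m["state"], m["flag"])
    return feats


def enabled_offloads(text):
    """Features still 'on' that can actually be changed (not marked [fixed])."""
    return sorted(name for name, (state, flag) in parse_features(text).items()
                  if state == "on" and flag != "fixed")


def disable_commands(iface, text):
    """The `ethtool -K` commands that turn off every changeable 'on' feature."""
    return ["ethtool -K %s %s off" % (iface, SHORT_NAME.get(name, name))
            for name in enabled_offloads(text)]


if __name__ == "__main__":
    # In practice feed in subprocess.check_output(["ethtool", "-k", "eth1"]).
    for cmd in disable_commands("eth1", SAMPLE_ETHTOOL_K):
        print(cmd)
```

Re-run `ethtool -k` after applying the commands; a feature that comes back "on" without `[fixed]` usually means the driver re-enabled it or a dependency (for example GRO on a bonded interface) has to be turned off on the member device as well.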