[Oisf-users] suricata 2.1beta3 md5 blacklist -> elk json filename or md5?

Peter Manev petermanev at gmail.com
Thu Feb 26 19:00:10 UTC 2015

On Thu, Feb 26, 2015 at 7:46 PM, john nesh <john.nesh76 at gmail.com> wrote:
> Hi,
> I want to know how to generate an alert from a md5 list.
> I have generated some alert this way:
> alert http any any -> any any (msg:"FILE MD5 Check EXE against a white
> list"; filemagic:"exe"; filemd5:/etc/suricata/md5/md5.txt; sid:41; rev:1;)
> I have the alert but I can't see the md5 in the alert and/or filename and/or
> the source.
> Is there any possibility to have this kind of view?

You can consider matching on the "flow_id" if you are using eve.json
(and have enabled MD5/magic logging enabled )

> John
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Peter Manev

More information about the Oisf-users mailing list