[Oisf-users] suricata 2.1beta3 md5 blacklist -> elk json filename or md5?

john nesh john.nesh76 at gmail.com
Thu Feb 26 19:09:32 UTC 2015


Hi Peter,

Thank you! With "flow_id" I have found the right occurrence in the
file-transaction list!
Is there also any other possibility that I am missing?

Thank you so much for your help!

2015-02-26 20:00 GMT+01:00 Peter Manev <petermanev at gmail.com>:

> On Thu, Feb 26, 2015 at 7:46 PM, john nesh <john.nesh76 at gmail.com> wrote:
> > Hi,
> >
> > I want to know how to generate an alert from a md5 list.
> > I have generated some alert this way:
> > alert http any any -> any any (msg:"FILE MD5 Check EXE against a white
> > list"; filemagic:"exe"; filemd5:/etc/suricata/md5/md5.txt; sid:41;
> rev:1;)
> >
> > I have the alert but I can't see the md5 in the alert and/or filename
> and/or
> > the source.
> >
> > Is there any possibility to have this kind of view?
>
> You can consider matching on the "flow_id" if you are using eve.json
> (and have MD5/magic logging enabled)
>
> >
> > John
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>
>
>
> --
> Regards,
> Peter Manev
>
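As an added example (not code from this thread or from the Suricata project) of the flow_id join Peter suggests: index the eve.json `fileinfo` records by `flow_id`, then attach them to the `alert` records of the same flow so the filemd5 alert is reported together with the filename, MD5 and addresses. Field names follow the eve.json layout (`event_type`, `flow_id`, `alert.signature_id`, `fileinfo.filename`, `fileinfo.md5`, `http.hostname`); the sample lines, hashes and addresses are constructed placeholders.

```python
"""Join Suricata eve.json 'alert' events to 'fileinfo' events on the same flow_id, so a
filemd5 alert is reported with the filename, MD5 and addresses the alert lacks. Added example."""
import json
from collections import defaultdict

# Constructed eve.json lines (placeholder hashes/addresses, not real indicators).
# The alert is written when the rule fires, so it can precede the fileinfo record
# Suricata emits when the file transaction completes: read everything, then join.
SAMPLE_EVE = """\
{"timestamp":"2015-02-26T19:00:01.000000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":41,"rev":1,"signature":"FILE MD5 Check EXE against a white list"}}
{"timestamp":"2015-02-26T19:00:01.100000","flow_id":1002,"event_type":"fileinfo","src_ip":"10.0.0.6","dest_ip":"192.0.2.11","http":{"hostname":"example.net"},"fileinfo":{"filename":"/setup.exe","magic":"PE32 executable","md5":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","size":2048}}
{"timestamp":"2015-02-26T19:00:01.200000","flow_id":1001,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"example.com"},"fileinfo":{"filename":"/download/tool.exe","magic":"PE32 executable","md5":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","size":4096}}
{"timestamp":"2015-02-26T19:00:02.0
"""

def load_events(text):
    """Parse one JSON object per line; skip blank or truncated lines (live log tail)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            try:
                events.append(json.loads(line))
            except ValueError:
                continue
    return events

def join_alerts_to_files(events, sid):
    """One row per (alert with signature_id == sid, fileinfo on the same flow_id)."""
    files_by_flow = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "fileinfo":
            files_by_flow[ev["flow_id"]].append(ev)
    rows = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        for fi in files_by_flow.get(ev["flow_id"], []):  # no fileinfo -> no row
            rows.append({
                "flow_id": ev["flow_id"],
                "signature": ev["alert"].get("signature"),
                "src_ip": fi.get("src_ip"),
                "dest_ip": fi.get("dest_ip"),
                "hostname": fi.get("http", {}).get("hostname"),
                "filename": fi["fileinfo"].get("filename"),
                "md5": fi["fileinfo"].get("md5"),  # present only with MD5 logging on
            })
    return rows

if __name__ == "__main__":
    print(json.dumps(join_alerts_to_files(load_events(SAMPLE_EVE), 41), indent=1))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; the alert of flow 1001 is joined only to the fileinfo of flow 1001, and the unrelated file on flow 1002 is left out.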

