[Oisf-users] trying to get file logging working on 2.0.4
Russell Fulton
r.fulton at auckland.ac.nz
Fri Jan 16 03:46:42 UTC 2015
I worked with Peter on this and then got interrupted by holiday and finally got back to it today.
It turns out to be a problem with the yaml:
this works:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
waldo: file.waldo # waldo file to store the file_id across runs
this fails silently:
- file-store:
enabled: yes # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
waldo: file.waldo # waldo file to store the file_id across runs
two ways to help diagnose these config issues:
1/ look at the log messages — just about every config option puts somthing in the log — there was nothing for file-store
2/ use —dump-config and make sure every item in the yaml file is listed.
The real bummer here is that the failure is silent
Thanks very much to Peter who suggested that it might be an issue with the yaml and pointed me to dump config flag.
Russell
> On 19/12/2014, at 12:47 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> On 19/12/2014, at 12:34 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
>>
>> On 15/12/2014, at 10:28 pm, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>> Can you please try (if you haven't) -
>>> checksum-validation: no
>>> in the suricata.yaml.
>>
>> Was set to no
>>
>>>
>>> also i would try just that -
>>> alert http any any -> any any (msg:"FILE magic -- windows";
>>> filemagic:"executable"; filestore; sid:18; rev:1;)
>>> just to simplify and confirm that files are getting logged.
>>
>> done.
>>
>>>
>>> What is your starting line for Suricata - it might be a dir
>>> permissions issue if you are running with dropping privileges but the
>>> file dir is owned by root(or another user)?
>>
>> sensors 32664 203 3.7 2673684 1849120 ? Ssl 12:00 1:50 /usr/bin/suricata -D -c /home/sensors/dmzo/conf/suricata.conf --af-packet --pid /home/sensors/dmzo/run/suricata.pid
>>
>> sensors at secmonprd01:~$ ls -ld data/dmzo/files
>> drwxrwxr-x 2 sensors sensors 4096 Dec 19 12:05 data/dmzo/files
>>
>> which seems kosher.
>>
>> removing run_as: section so we don’t drop privs — still not seeing files being logged.
>>
>
> one more data point.
>
> I looked in the fast.log and the rule is firing — so it is an issue with storing the files….
>
> Added full path to file-store:log-dir and still no joy
>
> will have a play with eve
>
>> Russell
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
More information about the Oisf-users
mailing list