[Oisf-users] Meaning of force-filestore option
Victor Julien
lists at inliniac.net
Sat Jun 23 09:04:23 UTC 2018
On 23-06-18 02:41, Darren S. wrote:
> Suricata version 4.0.4 RELEASE
>
> outputs.13.file-store = (null)
> outputs.13.file-store.enabled = yes
> outputs.13.file-store.log-dir = files
> outputs.13.file-store.force-magic = yes
> outputs.13.file-store.force-md5 = yes
> outputs.13.file-store.force-filestore = no
>
> I'd like to find out what is the meaning of the force-* options in
> these types of settings - understanding that they force the given data
> output, but not what that means by example.
>
> For example, would outputs.file-store.force-filestore result in Suri
> storing all files regardless of any filestore rules active (as a
> convenience factor)?
Yes.
> What cases do force-magic and force-md5 output those values where they
> wouldn't normally be output when file-store.enabled = yes?
Since md5 and magic are expensive operations they are normally only
performed on-demand, for example if there are rules matching on those
properties. The force-* options enable them unconditionally.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
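To put the explanation above next to a concrete configuration, here is an added illustration (not from the original thread, and not Victor's or the Suricata project's own text): the same `file-store` output block from the quoted config dump, written as it appears in `suricata.yaml`, first with the defaults the poster showed and then with all three `force-*` options enabled. The list index `13` in the dump is just the position of this block in the `outputs:` list, so it does not appear in the YAML itself; the `log-dir` value `files` is the one from the thread.

```yaml
# suricata.yaml, outputs: section (Suricata 4.0.x file-store output)
outputs:
  # Variant A: the settings from the quoted config dump.
  # Files are written to disk only when a rule with the "filestore"
  # keyword matches; md5 and libmagic lookups happen only on demand,
  # i.e. when a rule needs them (for example a "filemd5" or "filemagic"
  # keyword), because both operations are expensive.
  - file-store:
      enabled: yes
      log-dir: files
      force-magic: yes      # compute magic for every file, not just on demand
      force-md5: yes        # compute md5 for every file, not just on demand
      force-filestore: no   # store only files selected by "filestore" rules

  # Variant B: everything forced.
  # Every file seen on a protocol with file extraction enabled is stored
  # under log-dir, and md5 plus magic are computed for each one, regardless
  # of whether any rule asked for it. Expect more disk and CPU use.
  - file-store:
      enabled: yes
      log-dir: files
      force-magic: yes
      force-md5: yes
      force-filestore: yes  # store all files, ignoring the need for a rule match
```

The practical consequence for a sensor: with `force-filestore: yes` the capture is exhaustive but the `files` directory can fill quickly on a busy link, so pair it with a retention policy or use it only on a segment where full file capture is intended. With `force-md5` and `force-magic` left at `yes` while `force-filestore` stays `no`, the hash and type still appear in the file metadata for every file that is logged, which is what makes the `md5` and `magic` fields show up even when no rule references them.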