[Oisf-users] Meaning of force-filestore option

Peter Manev petermanev at gmail.com
Sat Jun 23 15:49:42 UTC 2018


On Sat, Jun 23, 2018 at 12:04 PM, Victor Julien <lists at inliniac.net> wrote:
> On 23-06-18 02:41, Darren S. wrote:
>> Suricata version 4.0.4 RELEASE
>>
>> outputs.13.file-store = (null)
>> outputs.13.file-store.enabled = yes
>> outputs.13.file-store.log-dir = files
>> outputs.13.file-store.force-magic = yes
>> outputs.13.file-store.force-md5 = yes
>> outputs.13.file-store.force-filestore = no
>>
>> I'd like to find out what is the meaning of the force-* options in
>> these types of settings - understanding that they force the given data
>> output, but not what that means by example.
>>
>> For example, would outputs.file-store.force-filestore result in Suri
>> storing all files regardless of any filestore rules active (as a
>> convenience factor)?
>
> Yes.
>
>> What cases do force-magic and force-md5 output those values where they
>> wouldn't normally be output when file-store.enabled = yes?
>
> Since md5 and magic are expensive operations they are normally only
> performed on-demand, for example if there are rules matching on those
> properties. The force-* options enable them unconditionally.

I sometimes find it very useful when running an investigation on smaller pcaps.

-- 
Regards,
Peter Manev
