.. _md5:

Storing MD5 checksums
=====================

Configuration
~~~~~~~~~~~~~

In the Suricata configuration file:

::

  - file-store:
      enabled: yes       # set to yes to enable
      dir: filestore     # directory to store the files
      force-hash: [md5]  # force logging of md5 checksums

This is the filestore v1 syntax; the v2 syntax (``version: 2``, ``log-dir:``) used by current Suricata releases is shown in the last section of this page.

For JSON output:

::

  outputs:
    - eve-log:
        enabled: yes
        filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
        filename: eve.json
        types:
          - files:
              force-magic: no   # force logging magic on all logged files
              # force logging of checksums, available hash functions are md5,
              # sha1 and sha256
              #force-hash: [md5]

MD5 is not collision resistant, so treat a logged MD5 as a lookup key for threat-intelligence sources rather than as proof that two files are identical; ``force-hash: [md5, sha256]`` records both digests for every file.

Other settings affecting :doc:`file-extraction`:

::

  stream:
    memcap: 64mb
    checksum-validation: yes      # reject packets with wrong checksums
    inline: no                    # no inline mode
    reassembly:
      memcap: 32mb
      depth: 0                    # reassemble all of a stream
      toserver-chunk-size: 2560
      toclient-chunk-size: 2560

Make sure *depth: 0* is set so that every file can be tracked in full; with a finite depth, files larger than the depth are truncated and their checksum covers only the bytes Suricata saw.

::

  libhtp:
    default-config:
      personality: IDS
      # Can be specified in kb, mb, gb.  Just a number indicates
      # it's in bytes.
      request-body-limit: 0
      response-body-limit: 0

Make sure *request-body-limit: 0* and *response-body-limit: 0* are set, for the same reason.

Testing
~~~~~~~

For testing we use only the following rule, placed in file.rules (a test/example file):

::

  alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

The rule above saves the file data of every file opened or downloaded over HTTP.

Start Suricata (the ``-S`` option loads *only* the specified rule file and ignores any other rules enabled in suricata.yaml):

::

  suricata -c /etc/suricata/suricata.yaml -S file.rules -i eth0

Metadata (the ``.meta`` file that filestore v1 writes next to each stored file):

::

  TIME:              05/01/2012-11:09:52.425751
  SRC IP:            2.23.144.170
  DST IP:            192.168.1.91
  PROTO:             6
  SRC PORT:          80
  DST PORT:          51598
  HTTP URI:          /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
  HTTP HOST:         www.cisco.com
  HTTP REFERER:      http://www.cisco.com/c/en/us/products/routers/3800-series-integrated-services-routers-isr/index.html
  FILENAME:          /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
  MAGIC:             PDF document, version 1.6
  STATE:             CLOSED
  MD5:               59eba188e52467adc11bf2442ee5bf57
  SIZE:              9485123

and in files-json.log (or eve.json):

::

  { "id": 1, "timestamp": "05\/01\/2012-11:10:27.693583", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }
  { "id": 12, "timestamp": "05\/01\/2012-11:12:57.421420", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }

The records above are in the legacy flat files-json.log layout. In eve.json the same information is emitted as an event with ``"event_type": "fileinfo"``, with the file fields (``filename``, ``magic``, ``state``, ``md5``, ``sha256``, ``stored``, ``size``) nested under a ``fileinfo`` object. Only a record whose ``state`` is ``CLOSED`` carries the digest of the complete file.

Log all MD5s without any rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to log the MD5 of everything that passes through the traffic Suricata inspects, but not store the files themselves, disable file-store and enable only the JSON output with forced MD5s, in suricata.yaml like so:

::

  - file-store:
      version: 2
      enabled: no      # set to yes to enable
      log-dir: files   # directory to store the files
      force-filestore: no
      force-hash: [md5] # force logging of md5 checksums
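Once Suricata is logging digests, the usual next step is to consume them. The following is an added example, not code from the Suricata project or its documentation: it reads both the legacy flat files-json.log lines shown above and eve.json ``fileinfo`` events, keeps only digests of files Suricata saw to the end (``state`` is ``CLOSED``, which is why the ``depth: 0`` and body-limit settings above matter), matches them against a watchlist, and checks a file recovered from the filestore against its logged digest. The log lines, the ``PAYLOAD`` bytes, the hostnames ``downloads.example`` and ``cdn.example``, and the watchlist digests are all constructed for this example.

```python
"""Added example: extract file digests from Suricata file logs and match them.

Handles the legacy flat files-json.log lines shown on this page and eve.json
"fileinfo" events (same fields nested under "fileinfo"). Only state CLOSED is
trusted: a digest over a truncated file is not the digest of the file delivered.
"""
import hashlib
import json

# Constructed file content; digests computed here so the sample event matches.
PAYLOAD = b"%PDF-1.6\n% constructed sample, not a real document\n"
PAYLOAD_MD5 = hashlib.md5(PAYLOAD).hexdigest()
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()
TRUNCATED_MD5 = "0123456789abcdef0123456789abcdef"  # constructed placeholder

# Constructed log lines, not real captures: a legacy flat record (as on this
# page), two eve.json fileinfo events, and an unrelated event to be ignored.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"id": 1, "timestamp": "05/01/2012-11:10:27.693583", "srcip": "2.23.144.170",
     "dstip": "192.168.1.91", "http_host": "www.cisco.com",
     "filename": "/en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf",
     "magic": "PDF document, version 1.6", "state": "CLOSED",
     "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": True, "size": 9485123},
    {"timestamp": "2012-05-01T11:12:57.421420+0000", "event_type": "fileinfo",
     "src_ip": "10.0.0.5", "dest_ip": "192.168.1.91",
     "http": {"hostname": "downloads.example", "url": "/sample.pdf"},
     "fileinfo": {"filename": "/sample.pdf", "magic": "PDF document, version 1.6",
                  "state": "CLOSED", "md5": PAYLOAD_MD5, "sha256": PAYLOAD_SHA256,
                  "stored": True, "size": len(PAYLOAD)}},
    {"timestamp": "2012-05-01T11:13:02.000000+0000", "event_type": "fileinfo",
     "src_ip": "10.0.0.6", "dest_ip": "192.168.1.91",
     "http": {"hostname": "cdn.example", "url": "/big.iso"},
     "fileinfo": {"filename": "/big.iso", "state": "TRUNCATED",
                  "md5": TRUNCATED_MD5, "stored": False, "size": 4096}},
    {"timestamp": "2012-05-01T11:13:05.000000+0000", "event_type": "alert",
     "alert": {"signature_id": 1, "signature": "FILE store all"}},
])

# Constructed watchlist: the page's sample MD5 in upper case (exercises
# normalisation) and the truncated file's digest, which must NOT produce a hit.
WATCHLIST = {"59EBA188E52467ADC11BF2442EE5BF57", TRUNCATED_MD5}


def parse_file_records(log_text):
    """Return one normalised dict per file record; non-file events are skipped."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "fileinfo":            # eve.json layout
            info = ev["fileinfo"]
            host = ev.get("http", {}).get("hostname")
        elif "event_type" not in ev and "filename" in ev:  # legacy flat layout
            info = ev
            host = ev.get("http_host")
        else:
            continue
        records.append({
            "filename": info.get("filename"), "host": host,
            "state": info.get("state"), "size": info.get("size"),
            "stored": bool(info.get("stored", False)),
            "md5": (info.get("md5") or "").lower() or None,
            "sha256": (info.get("sha256") or "").lower() or None,
        })
    return records


def complete_hashes(records):
    """Map digest -> records, using only files Suricata saw to the end."""
    index = {}
    for rec in records:
        if rec["state"] != "CLOSED":
            continue
        for algo in ("md5", "sha256"):
            if rec[algo]:
                index.setdefault(rec[algo], []).append(rec)
    return index


def match_watchlist(records, watchlist):
    """Return (record, digest) pairs whose md5 or sha256 is on the watchlist."""
    wanted = {h.lower() for h in watchlist}
    index = complete_hashes(records)
    return [(rec, digest) for digest, recs in index.items()
            if digest in wanted for rec in recs]


def verify_stored_file(data, record):
    """Check bytes recovered from the filestore against the logged digest,
    preferring sha256 over md5 when both were logged."""
    if record["sha256"]:
        return hashlib.sha256(data).hexdigest() == record["sha256"]
    if record["md5"]:
        return hashlib.md5(data).hexdigest() == record["md5"]
    return False


if __name__ == "__main__":
    recs = parse_file_records(SAMPLE_LOG)
    for rec, digest in match_watchlist(recs, WATCHLIST):
        print(f"HIT {digest} {rec['host']}{rec['filename']} stored={rec['stored']}")
    print("stored copy matches log:", verify_stored_file(PAYLOAD, recs[1]))
```

On a live sensor, pass the contents of ``eve.json`` to ``parse_file_records`` instead of ``SAMPLE_LOG``. The truncated record is deliberately excluded from matching even though its digest is on the watchlist: a digest computed over a partial body can neither confirm nor rule out a known file, so the fix is the ``depth: 0`` and body-limit settings, not a looser comparison.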