.. _md5:

Storing MD5 checksums
=====================

Configuration
-------------
In the Suricata configuration file (``suricata.yaml``):

::

  - file-store:
      enabled: yes       # set to yes to enable
      dir: filestore     # directory to store the files
      force-hash: [md5]  # force logging of md5 checksums

For JSON output:

::

  outputs:
    - eve-log:
        enabled: yes
        filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
        filename: eve.json
        types:
          - files:
              force-magic: no   # force logging magic on all logged files
              # force logging of checksums, available hash functions are md5,
              # sha1 and sha256
              #force-hash: [md5]

Other settings affecting :doc:`file-extraction`:

::

  stream:
    memcap: 64mb
    checksum-validation: yes      # reject wrong checksums
    inline: no                    # no inline mode
    reassembly:
      memcap: 32mb
      depth: 0                    # reassemble all of a stream
      toserver-chunk-size: 2560
      toclient-chunk-size: 2560

Make sure *depth: 0* is set so that all files can be tracked in full.

::

  libhtp:
    default-config:
      personality: IDS
      # Can be specified in kb, mb, gb. Just a number indicates
      # it's in bytes.
      request-body-limit: 0
      response-body-limit: 0

Make sure *request-body-limit: 0* and *response-body-limit: 0* are set.

Testing
-------

For testing purposes we use only the following rule, placed in file.rules (a test/example file):

::

  alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

The rule above saves the file data of every file that is opened or downloaded over HTTP.

Start Suricata (the ``-S`` option *only loads* the specified rule file and ignores any other rules enabled in suricata.yaml):

::

  suricata -c /etc/suricata/suricata.yaml -S file.rules -i eth0

Meta data:

::

  TIME:              05/01/2012-11:09:52.425751
  SRC IP:            2.23.144.170
  DST IP:            192.168.1.91
  PROTO:             6
  SRC PORT:          80
  DST PORT:          51598
  HTTP URI:          /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
  HTTP HOST:         www.cisco.com
  HTTP REFERER:      http://www.cisco.com/c/en/us/products/routers/3800-series-integrated-services-routers-isr/index.html
  FILENAME:          /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
  MAGIC:             PDF document, version 1.6
  STATE:             CLOSED
  MD5:               59eba188e52467adc11bf2442ee5bf57
  SIZE:              9485123

and in files-json.log (or eve.json):

::

  { "id": 1, "timestamp": "05\/01\/2012-11:10:27.693583", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }
  { "id": 12, "timestamp": "05\/01\/2012-11:12:57.421420", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }

Log all MD5s without any rules
------------------------------

If you would like to log MD5s for everything that passes through the traffic Suricata is inspecting, but not log the files themselves, all you have to do is disable file-store and enable only the JSON output with forced MD5s, in suricata.yaml like so:

::

  - file-store:
      version: 2
      enabled: no        # set to yes to enable
      log-dir: files     # directory to store the files
      force-filestore: no
      force-hash: [md5]  # force logging of md5 checksums
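
The file events produced in the Testing section (``stored: true``, file on disk) and in this hash-only configuration (``stored: false``, digest only) share one record layout, so a single consumer covers both. The script below is an added example and not part of Suricata or its documentation: it parses one-JSON-object-per-line file events, deduplicates by MD5, flags digests that appear on a blocklist, reports transfers whose ``state`` is not ``CLOSED`` (the digest of an incomplete file is not the digest of the file the client received), and, for stored files, recomputes the MD5 of the stored bytes and compares it with the logged value. The sample log lines, the in-memory stand-in for the filestore directory, the blocklist digest and the ``TRUNCATED`` record are all constructed here; the ``read_stored`` callback is a hypothetical hook that a real deployment would point at the filestore on disk. The same loop works unchanged for ``sha256`` if ``force-hash`` lists it instead of ``md5``. The parser also accepts the newer EVE layout in which the file fields sit under a ``fileinfo`` key, which this page does not show.

```python
"""Parse Suricata file events and triage the logged MD5s.

Added example, not Suricata's own code. Runs offline on constructed
records shaped like the files-json.log / eve.json lines on this page.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional

FileReader = Callable[[dict], Optional[bytes]]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_file_events(text: str) -> List[dict]:
    """Return one dict per file event found in an EVE / files-json log text.

    EVE output is one JSON object per line, so each line is parsed on its
    own and a corrupt or partial line is skipped instead of aborting the
    run. Events whose file fields sit under "fileinfo" (newer EVE layout,
    assumed here) are flattened so both shapes expose the same keys:
    md5, stored, state, size, filename.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec.get("fileinfo"), dict):
            flat = dict(rec)
            flat.update(rec["fileinfo"])
            rec = flat
        if "md5" not in rec:
            continue  # not a file event, or force-hash: [md5] is not set
        events.append(rec)
    return events


def triage(events: List[dict], blocklist: set,
           read_stored: Optional[FileReader] = None) -> Dict[str, object]:
    """Group events by digest and report the conditions an analyst acts on."""
    by_md5: Dict[str, List[int]] = {}
    blocklisted, mismatched, incomplete, hash_only = [], [], [], []
    for ev in events:
        rid = ev.get("id")
        digest = ev["md5"].lower()
        by_md5.setdefault(digest, []).append(rid)
        if digest in blocklist:
            blocklisted.append(rid)
        if ev.get("state") != "CLOSED":
            incomplete.append(rid)  # digest covers a partial transfer only
        if not ev.get("stored"):
            hash_only.append(rid)   # file-store disabled: nothing on disk
        elif read_stored is not None:
            data = read_stored(ev)
            # A missing file or a digest that no longer matches the log means
            # the evidence on disk cannot be trusted for this event.
            if data is None or md5_hex(data) != digest:
                mismatched.append(rid)
    return {"unique_md5": len(by_md5), "by_md5": by_md5,
            "blocklisted": blocklisted, "mismatched": mismatched,
            "incomplete": incomplete, "hash_only": hash_only}


# ---- constructed sample data -------------------------------------------
PDF_PATH = "/en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf"
SAMPLE_PDF = b"%PDF-1.6\n% constructed stand-in for the stored file\n"
SAMPLE_PDF_MD5 = md5_hex(SAMPLE_PDF)
SECOND_MD5 = md5_hex(b"constructed second file")
BAD_MD5 = "0123456789abcdef0123456789abcdef"  # constructed placeholder, not a real IoC


def _event(rid: int, filename: str, md5: str, stored: bool, state: str, size: int) -> str:
    # Field names follow the files-json.log lines shown on this page.
    return json.dumps({"id": rid, "timestamp": "05/01/2012-11:10:27.693583",
                       "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91",
                       "protocol": 6, "sp": 80, "dp": 51598, "http_host": "www.cisco.com",
                       "http_uri": filename, "filename": filename,
                       "magic": "PDF document, version 1.6", "state": state,
                       "md5": md5, "stored": stored, "size": size})


SAMPLE_LOG = "\n".join([
    _event(1, PDF_PATH, SAMPLE_PDF_MD5, True, "CLOSED", len(SAMPLE_PDF)),
    _event(12, PDF_PATH, SAMPLE_PDF_MD5, True, "CLOSED", len(SAMPLE_PDF)),  # same file again
    _event(20, PDF_PATH, SECOND_MD5, False, "CLOSED", 9485123),             # hash-only event
    _event(21, "/dl/sample.bin", BAD_MD5, False, "TRUNCATED", 4096),        # constructed, incomplete
    "{ not json",                                                            # corrupt line, skipped
])

# In-memory stand-in for the filestore directory, keyed by event id.
STORE = {1: SAMPLE_PDF, 12: SAMPLE_PDF}


def read_from_store(ev: dict) -> Optional[bytes]:
    return STORE.get(ev.get("id"))


def run_demo() -> Dict[str, object]:
    return triage(parse_file_events(SAMPLE_LOG), {BAD_MD5}, read_from_store)


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

On the constructed input the run reports three distinct digests from four events, event 21 as both blocklisted and incomplete, events 20 and 21 as hash-only, and no mismatch between stored bytes and logged MD5; swapping ``read_from_store`` for a reader that returns altered bytes turns events 1 and 12 into mismatches, which is the check to run before a stored file is handed to an analyst.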