Bug #449

On-the-fly md5 checksum calculation doesn't work in daemon mode

Added by Bâkır EMRE about 2 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 04/12/2012
Priority: Normal
Due date:
Assignee: Victor Julien
% Done: 0%
Category: -
Target version: 1.3beta2

Description

I use Suricata for file extraction on FreeBSD 9.0. Suricata does not calculate the md5 checksum value in daemon mode.

The rule file contains just one rule:

alert http any any -> any any (msg:"FILE store all"; filestore; sid:10001; rev:1;)

./src/suricata --build-info
[100351] 10/4/2012 -- 15:16:35 - (suricata.c:502) <Info>
(SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev fbe0206)
[100351] 10/4/2012 -- 15:16:35 - (suricata.c:575) <Info>
(SCPrintBuildInfo) -- Features: UNITTESTS IPFW PCAP_SET_BUFF
LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
PCRE_JIT HAVE_NSS PROFILING

If Suricata is started with the "-D" option, or via the system startup script /usr/local/etc/rc.d/suricata start,
all files are extracted, but the md5 checksum value is not shown in the "files-json" file.

In daemon mode:

{ "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4,
"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
"sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
"www.google.com", "http_referer": "http:\/\/www.google.com\/",
"filename": "\/imghp", "magic": "HTML document text", "state":
"CLOSED", "stored": true, "size": 16661 }

Without the "-D" parameter it works perfectly:

{ "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4,
"srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6,
"sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host":
"www.google.com", "http_referer": "http:\/\/www.google.com\/",
"filename": "\/imghp", "magic": "HTML document text", "state":
"CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true,
"size": 16665 }
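A small audit script for the symptom described above, added here as an example and not part of the bug report or of Suricata itself. It assumes the files-json log holds one JSON object per line, as in the two records quoted above (those two records are embedded as constructed sample input). It lists stored files whose record carries no "md5" field, and it recomputes the md5 of a stored file's bytes so the logged hash can be cross-checked before it is used for matching against known-file lists.

```python
import hashlib
import json

# Constructed sample: the two files-json records quoted in the bug report,
# one written in daemon mode (no "md5") and one from a foreground run.
# The "\/" escapes are valid JSON and are decoded by json.loads.
SAMPLE_FILES_JSON = r'''
{ "id": 159, "timestamp": "04\/10\/2012-15:31:36.503376", "ipver": 4, "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, "sp": 80, "dp": 4175, "http_uri": "\/imghp?hl=en&tab=wi", "http_host": "www.google.com", "http_referer": "http:\/\/www.google.com\/", "filename": "\/imghp", "magic": "HTML document text", "state": "CLOSED", "stored": true, "size": 16661 }
{ "id": 139, "timestamp": "04\/10\/2012-15:33:44.082060", "ipver": 4, "srcip": "173.194.35.177", "dstip": "192.168.2.3", "protocol": 6, "sp": 80, "dp": 4178, "http_uri": "\/imghp?hl=en&tab=wi", "http_host": "www.google.com", "http_referer": "http:\/\/www.google.com\/", "filename": "\/imghp", "magic": "HTML document text", "state": "CLOSED", "md5": "6798f92133ba3d3a0aabdf50050ae48a", "stored": true, "size": 16665 }
'''


def parse_files_json(text):
    """Parse a files-json log: one JSON object per non-empty line (assumption)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(json.loads(line))
    return records


def find_missing_md5(records):
    """Return the ids of records that were stored to disk but carry no md5."""
    return [r["id"] for r in records if r.get("stored") and "md5" not in r]


def verify_md5(record, data):
    """Recompute the md5 of the stored file's bytes and compare with the log.

    Returns False when the record has no md5 at all, so a daemon-mode
    record never passes silently.
    """
    logged = record.get("md5")
    if not logged:
        return False
    return hashlib.md5(data).hexdigest() == logged.lower()


def audit(text):
    """Summarise a files-json log: how many records, how many lack an md5."""
    records = parse_files_json(text)
    missing = find_missing_md5(records)
    return {"records": len(records), "missing_md5": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_FILES_JSON)
    print("records:", result["records"])
    for file_id in result["missing_md5"]:
        print("stored file id %d has no md5 in the log" % file_id)
```

Running this over a real files-json log after a daemon-mode start is the quickest way to tell whether the fix is in place: any id reported by find_missing_md5 means the on-the-fly hash was skipped for that file.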

History

#1 Updated by Victor Julien almost 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Peter Manev

Peter, can you try to reproduce this issue on Linux first, if that fails on FreeBSD 9?

#2 Updated by Peter Manev almost 2 years ago

I can confirm the same issue on Ubuntu.
No MD5s, but everything else is fine.

#3 Updated by Victor Julien almost 2 years ago

  • Assignee changed from Peter Manev to Victor Julien
  • Target version set to 1.3beta2

Thanks Peter, I'll have a look.

#4 Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to Closed

Fixed in the git master.
