Captured files not showing in the GUI
-
I'm trying to figure out why the files captured by Suricata are not viewable in the GUI, but I can see the files in the command prompt. Anyone ever see this happen?
-
I do not see a Suricata interface selected in the Instance to View drop-down. Is that an anomaly in the screen capture, or did you not select a Suricata instance (interface) to view that has EVE JSON logging and the other listed requirements enabled?
-
@bmeeks it’s just hidden
-
@ogbonet said in Captured files not showing in the GUI:
@bmeeks it’s just hidden
Why hide that? It's just an interface name.
The entire section of code around file capture was written and submitted by a former Netgate contractor who was also a Suricata user at home. So, I'm not terribly familiar with how it all operates. I do know that the storage location will be tied to the interface name and UUID, and if either of those changes due to reconfiguring Suricata or adding/removing a pfSense interface, then the GUI could lose track of where the files are stored.
-
@bmeeks
Just because they're named specifically, I'm not finding any folders with the UUID attached, but I see a bunch of folders like this with files from different dates. Have you seen where this can be reset, or would you say I'm stuck like this unless I do a rebuild?
-
The UUID I was referring to is for the top-level log directory for a given instance. On pfSense, the package uses the physical interface name along with a UUID to create directory paths unique for each configured Suricata instance. So, under
/var/log/suricata/
you will see a different unique sub-directory for each configured Suricata interface. Within a given instance's log directory you will find additional sub-directories for various optional logging. One of those is captured/extracted files. Suricata itself, when configured to capture files, will create its own unique sequence of sub-directories under the file capture logging sub-directory based on hash values. The following section of italicized text is copied verbatim from the Suricata docs:
The file-store module uses its own log directory (default: filestore in the default logging directory) and logs files using the SHA256 of the contents as the filename. Each file is then placed in a directory named 00 to ff where the directory shares the first 2 characters of the filename. For example, if the SHA256 hex string of an extracted file starts with "f9bc6d..." the file will be placed in the directory filestore/f9.
Here is the link to the file extraction documentation for Suricata: https://docs.suricata.io/en/suricata-7.0.4/file-extraction/file-extraction.html.
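The layout quoted from the Suricata docs above (file stored as `<filestore>/<first two hex chars of its SHA256>/<SHA256 hex>`) is mechanical enough to check from the command line when the GUI and the filesystem disagree. The script below is an added example and is not part of this thread or of the pfSense Suricata package: it walks a file-store directory and reports every file that is well placed, misfiled in the wrong two-character directory, named with a hash that no longer matches its contents, or named something other than a 64-hex-character digest. The root directory to pass (the per-instance `filestore` sub-directory under `/var/log/suricata/` described earlier in the thread) is an assumption you must supply for your own instance; `demo()` builds a small constructed tree in a temporary directory so the code runs stand-alone.

```python
"""Audit a Suricata file-store tree against its documented layout.

Documented layout: <filestore>/<digest[:2]>/<digest>, where digest is the
lowercase SHA256 hex of the file contents. Anything that deviates is worth a
look: a renamed or edited capture, a copy made by hand, or a layout change
after the instance was reconfigured.
"""
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA256 (captures can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_relpath(digest: str) -> Path:
    """Path relative to the file-store root where Suricata stores this digest."""
    return Path(digest[:2]) / digest


def audit_filestore(root: Path) -> dict:
    """Classify every regular file under root. Returns lists of relative paths."""
    result = {"ok": [], "wrong_dir": [], "hash_mismatch": [], "unexpected_name": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        name = path.name
        if not HEX64.match(name):
            # Not a digest: stray file, sidecar metadata, or something copied in by hand.
            result["unexpected_name"].append(str(rel))
        elif rel != expected_relpath(name):
            # Digest-named but not under the matching two-character directory.
            result["wrong_dir"].append(str(rel))
        elif sha256_of_file(path) != name:
            # Name says one digest, contents hash to another: edited or mislabelled.
            result["hash_mismatch"].append(str(rel))
        else:
            result["ok"].append(str(rel))
    return result


def build_sample_filestore(root: Path) -> None:
    """Constructed sample tree (not real captures): 2 good, 1 misfiled, 1 corrupted, 1 stray."""
    def store(content: bytes, relpath=None) -> None:
        digest = hashlib.sha256(content).hexdigest()
        target = root / (relpath if relpath is not None else expected_relpath(digest))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

    store(b"constructed benign attachment 1")
    store(b"constructed benign attachment 2")
    # Misfiled: correct digest name, but placed under a directory that does not match it.
    d = hashlib.sha256(b"constructed misfiled").hexdigest()
    store(b"constructed misfiled", Path("00" if d[:2] != "00" else "ff") / d)
    # Corrupted: stored under the digest of the original bytes, but the bytes were changed.
    d2 = hashlib.sha256(b"constructed original payload").hexdigest()
    store(b"constructed original payload TAMPERED", expected_relpath(d2))
    # Stray: a file whose name is not a SHA256 digest at all.
    store(b"{}", Path("notes.txt"))


def demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "filestore"
        build_sample_filestore(root)
        return audit_filestore(root)


if __name__ == "__main__":
    # For a real instance, replace demo() with audit_filestore(Path("/path/to/filestore")).
    for category, entries in demo().items():
        print(f"{category}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Run it against the `filestore` directory of the instance the GUI is failing to list: a non-empty `ok` list with everything else empty means the on-disk layout is intact and the problem is on the GUI side (instance selection, interface name, or UUID, as discussed above); entries in the other buckets point at files the package would have no way to find by hash.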