Netgate Discussion Forum

    Suricata Hash Matching

    Category: IDS/IPS. 5 posts, 2 posters, 1.1k views.
    johncena:

      Hello, I would like to open this topic because I have a problem with hashes. I am trying to find a way to identify hashes of a file (md5/sha256) based on a list. After a few days of configuration and so on, everything is fine. The problem is I get TRUNCATED as the response and I get the hash TRUNCATED [attached image: e7ed7766-1854-4c62-8b89-5a602ce2e9bf-image.png]. The rules are in /etc/suricata/rules and the hash list is in /etc/suricata/rules.

      alert http any any -> any any (msg:"FILE EXE Detected"; filesha256:sha256filename.list; filestore; sid:6; rev:6;)
      alert http any any -> any any (msg:"FILE EXE Detected"; filemagic:"exe"; filemd5:filename; filestore; fileext:"exe"; sid:5; rev:5;)

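The two rules above reference hash lists by bare filename, and Suricata resolves such lists relative to its default-rule-path, so a list that sits anywhere else produces exactly the "opening hash file ... No such file or directory" error seen later in this thread. The following script is an added example (not code from the thread or from the Suricata project) that pulls the filemd5/filesha1/filesha256 references out of a rules file, resolves each against a rule directory and reports which lists are missing, and also writes and reads a hash list in the one-hex-digest-per-line form Suricata expects. The rule text, the sample bytes and the temporary rule directory are constructed for the example; dropping malformed entries silently in load_hash_list is a choice made here, not a statement of how Suricata itself handles them.

```python
import hashlib
import os
import re
import tempfile

# Suricata hash keywords, the hashlib algorithm each one uses, and the hex-digest
# length every entry in that keyword's list must have.
ALGO = {"filemd5": "md5", "filesha1": "sha1", "filesha256": "sha256"}
HEX_LEN = {"filemd5": 32, "filesha1": 40, "filesha256": 64}

# Matches filemd5:list; filesha1:!list; filesha256:"list"; inside a rule's option block.
_KEYWORD_RE = re.compile(r'\b(filemd5|filesha1|filesha256)\s*:\s*(!?)\s*"?([^;"\s]+)"?\s*;')

# Constructed copy of the two rules posted in the thread (sids as posted).
RULES = '''
alert http any any -> any any (msg:"FILE EXE Detected"; filesha256:sha256filename.list; filestore; sid:6; rev:6;)
alert http any any -> any any (msg:"FILE EXE Detected"; filemagic:"exe"; filemd5:filename; filestore; fileext:"exe"; sid:5; rev:5;)
'''


def hash_list_refs(rule_text):
    """Return (keyword, negated, list_name) for every hash keyword found in the rules."""
    return [(kw, neg == "!", name) for kw, neg, name in _KEYWORD_RE.findall(rule_text)]


def check_hash_lists(rule_text, rule_dir):
    """Resolve each referenced list against rule_dir (the default-rule-path) and
    report whether it exists; this is the lookup that fails in the thread's error."""
    report = []
    for kw, _, name in hash_list_refs(rule_text):
        path = name if os.path.isabs(name) else os.path.join(rule_dir, name)
        report.append((kw, path, os.path.isfile(path)))
    return report


def write_hash_list(path, keyword, samples):
    """Write one lowercase hex digest per line (the form Suricata reads) for each sample."""
    digests = [hashlib.new(ALGO[keyword], data).hexdigest() for data in samples]
    with open(path, "w") as fh:
        fh.write("# constructed hash list\n")
        fh.writelines(d + "\n" for d in digests)
    return digests


def load_hash_list(path, keyword):
    """Load a list for the given keyword: blank lines and '#' comments are ignored and
    entries that are not a hex digest of the right length are dropped (a choice made here)."""
    hashes = set()
    with open(path) as fh:
        for line in fh:
            entry = line.strip().lower()
            if not entry or entry.startswith("#"):
                continue
            if len(entry) == HEX_LEN[keyword] and all(c in "0123456789abcdef" for c in entry):
                hashes.add(entry)
    return hashes


def file_matches(data, hashes, keyword):
    """True when the digest of the complete file body is in the list. Suricata computes
    the digest only for a file it saw to completion; a body it could not fully
    reassemble is reported with the TRUNCATED state and never matches a list."""
    return hashlib.new(ALGO[keyword], data).hexdigest() in hashes


def demo():
    """Build a rule directory holding one of the two referenced lists, then run the checks."""
    with tempfile.TemporaryDirectory() as rule_dir:
        known = [b"MZ\x90\x00constructed-sample-1", b"MZ\x90\x00constructed-sample-2"]
        list_path = os.path.join(rule_dir, "sha256filename.list")
        write_hash_list(list_path, "filesha256", known)
        report = check_hash_lists(RULES, rule_dir)
        hashes = load_hash_list(list_path, "filesha256")
        return {
            "lists": [(kw, os.path.basename(p), ok) for kw, p, ok in report],
            "known_hit": file_matches(known[0], hashes, "filesha256"),
            "unknown_hit": file_matches(b"MZ\x90\x00other", hashes, "filesha256"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it reports sha256filename.list as present and the filemd5 list named filename as missing from the rule directory; point rule_dir at the directory Suricata actually uses as default-rule-path (on pfSense the per-interface directory under /usr/local/etc/suricata, as bmeeks explains below) to reproduce the check on a real installation.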
      bmeeks:

        I bet you need to relocate your hash files to the sub-directory underneath /etc/local/suricata where the interface is configured.

        On pfSense the configuration for each Suricata interface is stored in a unique sub-directory under /usr/local/etc/suricata and NOT in /etc/suricata like the upstream documentation might state. Look under /usr/local/etc/suricata on your firewall and you will see one or more sub-directories (one for each configured interface). The sub-directory will have a unique name that includes the physical NIC driver name and a UUID (random number). Put your file hashes in that sub-directory and then restart Suricata on the interface.

        johncena (edited by johncena):

          Hello, I don't have any directory in /usr/local/etc/suricata. I have only /var/lib/suricata/rules.

          The only way the file can be read without error is in /etc/suricata/rules. I moved the hash list to /var/lib/suricata/rules and now I get the error.

          [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening hash file /etc/suricata/rules/md5.list: No such file or directory.

          I mean, it's strange: I have some automated task for a web application and I get results like that, but I didn't even load a hash!! But if I want to load a hash for a specific file I get Truncated.
          [attached image: 8318b859-31bd-4bfd-930e-3f51f1eb6053-image.png]

          bmeeks @johncena (edited by bmeeks):

            @johncena said in Suricata Hash Matching:

            Hello, I don't have any directory in /usr/local/etc/suricata. I have only /var/lib/suricata/rules.

            The only way the file can be read without error is in /etc/suricata/rules. I moved the hash list to /var/lib/suricata/rules and now I get the error.

            [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening hash file /etc/suricata/rules/md5.list: No such file or directory.

            I mean, it's strange: I have some automated task for a web application and I get results like that, but I didn't even load a hash!! But if I want to load a hash for a specific file I get Truncated.
            [attached image: 8318b859-31bd-4bfd-930e-3f51f1eb6053-image.png]

            Are you running the Suricata package on pfSense? If so, then there is no way possible not to have a /usr/local/etc/suricata directory with additional sub-directories underneath for each configured Suricata interface. That is just intrinsically how the GUI package and binary work on pfSense.

            And there absolutely is not a /var/lib/suricata/rules directory on pfSense. So I'm wondering if you are either using the bare Suricata CLI package from FreeBSD ports on some other platform besides pfSense, or you have a severely customized CLI setup on pfSense. Your description of directory names is not at all consistent with the installation of the Suricata GUI and binary packages on pfSense.

            This forum is only for questions regarding the installation and use of Suricata on pfSense.

            bmeeks (edited by bmeeks):

              OP responded via other means that he was running Suricata on CentOS 7, so this thread is not applicable to pfSense.
