Captrued files not showing in the gui

ogbonet · Apr 25, 2024, 7:50 PM

Im trying to figure out why the files captured by suricata are not viewable in the gui but I can see the files in the command prompt. Anyone ever see this happen?

bmeeks · Apr 26, 2024, 3:07 AM

I do not see a Suricata interface selected in the Instance to View drop-down. Is that an anomaly in the screen capture, or did you not select a Suricata instance (interface) to view that has EVE JSON logging and the other listed requirements enabled?

ogbonet · Apr 26, 2024, 3:07 AM

@bmeeks it’s just hidden

bmeeks · Apr 26, 2024, 1:21 PM

@ogbonet said in Captrued files not showing in the gui:

@bmeeks it’s just hidden

Why hide that? It's just an interface name.

The entire section of code around file capture was written and submitted by a former Netgate contractor who was also a Suricata user at home. So, I'm not terribly familiar with how it all operates. I do know that the storage location will be tied to the interface name and UUID, and if either of those changes due to reconfiguring Suricata or adding/removing a pfSense interface, then the GUI could lose track of where the files are stored.

ogbonet · Apr 26, 2024, 1:59 PM

@bmeeks
Just because theyre named specifically

Im not finding any folders with the uuid attached but i see a bunch of folders like this with files from different dates. Have you seen where this can be reset or would you say Im stuck like this unless I do a rebuild?

bmeeks · Apr 26, 2024, 5:03 PM

The UUID I was referring to is for the top-level log directory for a given instance. On pfSense, the package uses the physical interface name along with a UUID to create directory paths unique for each configured Suricata instance. So, under /var/log/suricata/ you will see a different unique sub-directory for each configured Suricata interface. Within a given instance's log directory you will find additional sub-directories for various optional logging. One of those is captured/extracted files.

Suricata itself, when configured to capture files, will create its own unique sequence of sub-directories under the file capture logging sub-directory based on hash values. The following section of italics text is copied verbatim from the Suricata docs:

The file-store module uses its own log directory (default: filestore in the default logging directory) and logs files using the SHA256 of the contents as the filename. Each file is then placed in a directory named 00 to ff where the directory shares the first 2 characters of the filename. For example, if the SHA256 hex string of an extracted file starts with "f9bc6d..." the file will be placed in the directory filestore/f9.

Here is the link to the file extraction documentation for Suricata: https://docs.suricata.io/en/suricata-7.0.4/file-extraction/file-extraction.html.