File store of suricata

Hello there, would you please take a look where the problems could be? Thanks.
The suricata version is 6.0.3.
I tried to enable the file-store in Suricata, expecting a PDF file stored in the folder ‘filestore’, but got a lot of empty sub-folders as follows:

My suricata settings are as below:


and

The pcap file is:
pdf_http_467659.pcap (12.3 KB)

The directories with 2-character names are intentional.

If you want to locate the files, get the SHA from the log entry in eve.json, the first 2 characters of the SHA will indicate which directory contains the extracted file.

Or, you can use find

cd /path/to/where/files/are/extracted
find . -type f
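
The lookup described in this reply, as an added example that is not part of the original thread: it reads `fileinfo` events from eve.json and checks whether each extracted file exists under the matching 2-character directory. It assumes files are stored as `<filestore>/<first 2 chars of sha256>/<sha256>`; the function names and the sample events are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Constructed sample eve.json lines (hashes are made up, not real files).
SAMPLE_EVE = [
    '{"event_type":"fileinfo","fileinfo":{"filename":"/a.pdf","sha256":"'
    + "ab" + "0" * 62 + '","stored":true}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/b.pdf","sha256":"'
    + "cd" + "1" * 62 + '","stored":false}}',
    '{"event_type":"http","http":{"hostname":"example.test"}}',
]

def expected_path(filestore_dir, sha256):
    """Path where the extracted file should be, per the layout assumed above."""
    sha256 = sha256.lower()
    return Path(filestore_dir) / sha256[:2] / sha256

def check_fileinfo(eve_lines, filestore_dir):
    """Return (filename, expected path, status) for every fileinfo event."""
    results = []
    for line in eve_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if event.get("event_type") != "fileinfo":
            continue
        info = event.get("fileinfo", {})
        sha = info.get("sha256")
        if not sha:  # no hash logged, so there is nothing to look up
            results.append((info.get("filename"), None, "no-sha256"))
            continue
        path = expected_path(filestore_dir, sha)
        if path.is_file():
            status = "present"
        elif info.get("stored"):
            status = "logged-stored-but-missing"  # check log dir and permissions
        else:
            status = "not-stored"  # file was seen, but nothing asked to store it
        results.append((info.get("filename"), path, status))
    return results

if __name__ == "__main__":
    # usage: script.py /path/to/eve.json /path/to/filestore
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            for row in check_fileinfo(fh, sys.argv[2]):
                print(*row, sep="\t")
```

A `not-stored` status points at the rule or file-store configuration, while `logged-stored-but-missing` points at looking in the wrong log directory or at a permissions problem.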

But the file is not present in any of the subdirectories. I searched for it. I don’t know whether the file-store keyword is not configured successfully or what the problem is, because when I checked, there was no error present in the suricata.log file. But when I downloaded any file from the internet and searched for it in the respective sub-directory of /var/log/suricata/filestore/, based on its sha256 value, I didn’t find any file there.
Thanks in advance.

Hello!

Your filestore settings seem right to me. I don’t have special stream settings so not sure of those. But, with those filestore settings and default stream settings, I’m able to see the file being correctly downloaded and stored. Please note that I tested this on latest Suricata, 6.0.3 is way too old for us to support. So, perhaps you could try and update to the recently released version? There could be bugs/settings issues in 6.0.3 which would be fixed by now.

Ma’am, I am using Suricata 7 and also tried the same in Suricata 6. But it didn’t work.
Please help me to resolve this issue.
Thanks in advance.

Can you post the entire suricata.yaml configuration file and a pcap so we can re-verify things?

suricata.yaml (69.5 KB)
Here in this suricata.yaml file I configured the file-store option, then I started downloading a PDF file (not a specific PDF) from the internet, watched the log in the eve.json file and got its sha256 value, and then went to the directory /var/log/suricata/filestore/ where all the sub-directories are present and went into the directory whose name matches the first 2 letters of the sha256 value of that PDF file.
I also created a custom rule in Suricata to generate an alert message when any PDF file comes into the network, but no alert is generated.
Custom Signature Rule is: alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:900001; rev:1;)

Thanks in advance!!
Prateek Sharma

Hi Prateek,

Thanks for posting your suricata.yaml file with the filestore values enabled.

I was unable to reproduce the same results. Both 6.0.13 and 7.0.0rc2 produced extracted files with my pcap files (sorry, I can’t share these).

I used your configuration file and the custom signature rule that you posted.

The extracted file location in your config file is /var/log/suricata/filestore — I’m presuming you have adequate permissions to create and write to that directory?

Yes sir, I have all the required permissions to create and write to that directory.
Sir, please provide me a solution for how to use the filestore keyword in Suricata as per my requirement.
Thanks in advance

Hi!
I tried this file storing feature on suricata-7.0.1 with the same result as Xifeng Liu and Prateek: no file is present in any of the subdirectories. I am attaching the suricata.yaml, pcaps and rules. I ran suricata as “sudo src/suricata -c suricata.yaml -r HTTP.pcap -l ./log/” (or -r pdf_http_467659.pcap). Please, do you have any advice on how to troubleshoot this?

Thank you!
all-suricata.rules (287 Bytes)
pdf_http_467659.pcap (12.3 KB)
suricata.yaml (83.0 KB)

Hi!
Welcome to our forum!
What’s your default log directory? You can do suricata --build-info | grep "Log directory". Once you do, could you please check if you have a filestore dir in there?

Hi!
Thank you very much for your reply. Everything seems to work now, I have just overlooked something.

I have another question - does the “filestore” have to be empty? If I run suricata set to export files to “filestore”, then it stops and then I run (a new instance of) suricata, do I have to clean the “filestore” directory before the second call of suricata?

When I tried running a new instance of suricata with the “filestore” containing exports from a previous run, no new files were added by the new instance. Is this behavior on purpose?

No it does not have to be empty.
New files would still be added as long as they’re actually new and don’t match already present files.