I’m trying to enable the file-store module, but Suricata is saying: [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store. I’m using v6.0.1 compiled from source on Debian.
Same problem here… The Suricata output is contradictory (seems like a bug):
[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store
[ERRCODE: SC_WARN_ALERT_CONFIG(324)] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output “file-store”.
Actually, I fixed it. You need to install the nss-devel package before configuring and compiling.
On CentOS it is “yum install nss-devel”.
On Debian is it apt-get install nss-devel? I am not sure.
Now, one thing I still do not understand:
The files are stored under filestore/*/ when a rule with the “filestore” command triggers.
But the eve.json record for that event says “stored”:false
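One way to pin down the "stored": false puzzle above is to cross-check every fileinfo record in eve.json against what is actually on disk. The script below is an added example, not code from this thread or from the Suricata project. It assumes the file-store v2 layout, where each extracted file is written to <filestore-dir>/<first two hex chars of its sha256>/<sha256>, and it uses a few constructed eve.json lines (not captured from a real sensor) so it runs offline; point reconcile() at your real eve.json and filestore directory to get the same report.

```python
"""
Reconcile Suricata eve.json fileinfo records with the on-disk file-store.

Added example, not code from the forum thread or the Suricata project.
Assumption: file-store v2 layout, <root>/<sha256[:2]>/<sha256>.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample eve.json lines (not from a real sensor):
#  - a.exe: logged as stored, and present on disk (consistent)
#  - b.pdf: logged as "stored": false, yet present on disk (the thread's case)
#  - an unrelated alert record and a blank line, to exercise the filtering
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "fileinfo",
                "fileinfo": {"filename": "/a.exe", "sha256": "aa" * 32,
                             "stored": True, "size": 3}}),
    json.dumps({"event_type": "fileinfo",
                "fileinfo": {"filename": "/b.pdf", "sha256": "bb" * 32,
                             "stored": False, "size": 3}}),
    "",
    json.dumps({"event_type": "alert", "alert": {"signature": "constructed"}}),
])


def filestore_path(root, sha256):
    """Expected on-disk location under the assumed file-store v2 layout."""
    return Path(root) / sha256[:2] / sha256


def reconcile(eve_lines, filestore_root):
    """Return (sha256, filename, stored_flag, on_disk) for every fileinfo record.

    eve_lines: an iterable of raw eve.json lines (e.g. open("eve.json")).
    Records without a sha256 are reported with on_disk=False, since the
    file-store cannot place a file it has no hash for.
    """
    results = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may be mid-write; skip partial lines
        if rec.get("event_type") != "fileinfo":
            continue
        fi = rec.get("fileinfo", {})
        sha = fi.get("sha256")
        stored = bool(fi.get("stored", False))
        if not sha:
            results.append((None, fi.get("filename"), stored, False))
            continue
        on_disk = filestore_path(filestore_root, sha).is_file()
        results.append((sha, fi.get("filename"), stored, on_disk))
    return results


def mismatches(results):
    """Records where the logged 'stored' flag disagrees with the disk."""
    return [r for r in results if r[2] != r[3]]


def demo():
    """Build a throwaway file-store holding both sample files, then reconcile."""
    root = tempfile.mkdtemp()
    for sha in ("aa" * 32, "bb" * 32):
        p = filestore_path(root, sha)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ\x90")  # placeholder content, hash is not recomputed
    res = reconcile(SAMPLE_EVE.splitlines(), root)
    return res, mismatches(res)


if __name__ == "__main__":
    res, bad = demo()
    for sha, name, stored, on_disk in res:
        print(f"{name}: logged stored={stored}, on disk={on_disk}")
    print("mismatching records:", len(bad))
```

The script only reports the discrepancy; it does not explain it. Running it against a real eve.json tells you whether "stored": false is merely a logging quirk (the file is on disk under its sha256) or whether the file really was not written, which is the first thing to know before filing a bug.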