No output module named file-store?

I’m trying to enable the file-store module, but Suricata is saying: [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store. I’m using v6.0.1 compiled from source on Debian.

My config (under outputs):

  - file-store:
      version: 2
      enabled: yes
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

How can I make sure I can use the file-store module?

Same problem here… The suricata output is contradictory (seems like a bug):
[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store
ERRCODE: SC_WARN_ALERT_CONFIG(324)] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output “file-store”.


Actually, I fixed it. You need to install the nss-devel package before configuring and compiling.
On CentOS is “yum install nss-devel”
On debian is apt-get install nss-devel? I am not sure.

Now, one thing I still do not understand:
The files are stored under filestore/*/ when a rule with the command “filestore”; triggers.
But the eve.json record for that event says “stored”:false

I am not sure why, shouldn’t it say true?

I built it again with libnss support (and others) and file-store is now working, thanks!

Are your rules set to block file transfers? With alert rules eve.json showed "stored":true but the drop rules show "stored":false.

There is a similar report here Bug #3703: fileinfo "stored: false" even if the file is kept on disk - Suricata - Open Information Security Foundation

We’ll look at that one soon. If you have other test cases to share, please add them to the ticket.