I’m trying to enable the file-store module, but Suricata is saying: [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store. I’m using v6.0.1 compiled from source on Debian.
My config (under outputs):
- file-store:
version: 2
enabled: yes
xff:
enabled: no
mode: extra-data
deployment: reverse
header: X-Forwarded-For
How can I make sure I can use the file-store module?
Thanks.
Same problem here… The suricata output is contradictory (seems like a bug):
[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named file-store
ERRCODE: SC_WARN_ALERT_CONFIG(324)] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output “file-store”.
Help…
Actually, I fixed it. You need to install the nss-devel package before configuring and compiling.
On CentOS is “yum install nss-devel”
On debian is apt-get install nss-devel? I am not sure.
Now, one thing I still do not understand:
The files are stored under filestore/*/ when a rule with the command “filestore”; triggers.
But the eve.json record for that event says “stored”:false
I am not sure why, shouldn’t it say true?
I built it again with libnss support (and others) and file-store is now working, thanks!
Are your rules set to block file transfers? With alert rules eve.json showed "stored":true but the drop rules show "stored":false.
There is a similar report here Bug #3703: fileinfo "stored: false" even if the file is kept on disk - Suricata - Open Information Security Foundation
We’ll look at that one soon. If you have other test cases to share, please add them to the ticket.