I am using Suricata 4.0.4 and I want to check a file's MD5 with the following rule:
alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; sid:10203040; rev:1;)
But after running suricata, it says:
<Error> - [ERRCODE: SC_ERR_NO_MD5_SUPPORT(209)] - no MD5 calculation support built in, needed for filemd5 keyword
Any suggestions?
Answer 0: (score: 0)
For me, the following steps did the job on CentOS 7.5:
Install the packages (for CentOS, 'yum install ...'):
nss-util
nss-util-devel
nss-devel
nspr-devel
nspr
Reconfigure and reinstall Suricata with these libraries:
./configure --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr
make clean
make
sudo make install-full
Start Suricata: /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0
Also please note: don't forget the keyword "filestore;" in the rule; without it, the alert may not be captured!
Example: alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; filestore; sid:10203040; rev:1;)
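As an added example (not part of the answer above), the following Python helper builds and validates the blacklist file that the filemd5 keyword reads, which is one lowercase hex MD5 per line. The sample file contents, the file names and the treatment of blank and '#' lines are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample files standing in for the malware you want the
# filemd5 rule to match (the EICAR test string and a fake PE header).
SAMPLES = {
    "eicar.txt": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "dropper.bin": b"\x4d\x5a\x90\x00" + b"\x00" * 60,
}

# filemd5 entries must be exactly 32 lowercase hex characters.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, in the form Suricata compares against."""
    return hashlib.md5(data).hexdigest()


def build_filemd5_list(samples: dict) -> str:
    """Render a blacklist file: one MD5 per line, sorted and de-duplicated."""
    hashes = sorted({md5_hex(data) for data in samples.values()})
    return "\n".join(hashes) + "\n"


def validate_filemd5_list(text: str) -> list:
    """Return (line_no, line) for every line that is not a valid MD5.

    Assumption: blank lines and '#' comment lines are skipped here;
    uppercase hex, SHA-1/SHA-256 values or trailing junk are flagged,
    because such entries would never match a filemd5 comparison.
    """
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not MD5_RE.match(stripped):
            bad.append((number, line))
    return bad


def is_blacklisted(data: bytes, blacklist_text: str) -> bool:
    """Emulate the filemd5 match: is this file's MD5 in the list?"""
    entries = {l.strip() for l in blacklist_text.splitlines()}
    return md5_hex(data) in entries
```

Write the output of build_filemd5_list() to the path named in the rule (e.g. /root/2018.md5.txt) and run validate_filemd5_list() on any list you pull from a third-party feed before loading it.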