
I am using Suricata 4.0.4 and I want to check the MD5 of files with the following rule:

alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; sid:10203040; rev:1;)

But after running Suricata, it says:

<Error> - [ERRCODE: SC_ERR_NO_MD5_SUPPORT(209)] - no MD5 calculation support built in, needed for filemd5 keyword

Any suggestions?


1 Answer


For me on CentOS 7.5, these steps helped:

  1. Install the packages (for CentOS that is 'yum install ...'):

    • nss-util
    • nss-util-devel
    • nss-devel
    • nspr-devel
    • nspr
  2. Reconfigure and reinstall Suricata with these libraries:

    • ./configure --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr
    • make clean
    • make
    • sudo make install-full
  3. Start Suricata: /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0

Also note not to forget the keyword "filestore;" in the rule - without it, the alert may not be captured!

Example: alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; filestore; sid:10203040; rev:1;)

answered 2019-04-22T07:39:28.213
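The following shell script is an added example and is not part of the question or the answer above, nor Suricata's own tooling. It covers two checks a practitioner would run after the rebuild described in the answer: whether a pasted `suricata --build-info` output reports libnss support (the hash keywords depend on it in Suricata 4.x; the exact wording of that line is an assumption), and whether the hash list that `filemd5:` points at is well formed, assuming the format Suricata's file-hash keywords expect: one 32-hex-digit MD5 per line. The sample list, its contents and the temporary path are constructed for the demonstration; a real feed such as the one in the rule would be passed in instead.

```shell
#!/bin/sh
# Added example, not from the original post or from the Suricata project.

# Return 0 when the build-info text on stdin reports libnss support.
# Assumption: Suricata 4.x prints a line like "libnss support: yes".
# Usage: suricata --build-info | has_nss_support && echo "MD5 keywords available"
has_nss_support() {
  grep -qi 'libnss support:[[:space:]]*yes'
}

# Write a constructed sample hash list containing the defects a raw feed may
# carry: uppercase hex, surrounding whitespace, blank lines and junk entries.
make_sample_list() {
  printf '%s\n' \
    'd41d8cd98f00b204e9800998ecf8427e' \
    'D41D8CD98F00B204E9800998ECF8427E' \
    '  9e107d9d372bb6826bd81d3542a419d6  ' \
    '' \
    'not-a-hash' \
    'deadbeef' > "$1"
}

# Normalize a hash list for the filemd5 keyword: strip whitespace, lowercase,
# keep only exact 32-hex-digit lines, drop duplicates. Output is one hash per
# line and can be redirected into the file the rule references.
normalize_md5_list() {
  tr -d ' \t\r' < "$1" | tr 'A-F' 'a-f' | grep -E '^[0-9a-f]{32}$' | sort -u
}

# Count non-empty lines that are not a valid MD5 after trimming, so a feed
# with unexpected content is noticed before Suricata silently ignores it.
count_invalid_lines() {
  tr -d ' \t\r' < "$1" | grep -v '^$' | grep -Ev '^[0-9a-fA-F]{32}$' | wc -l | tr -d ' '
}
```

Run `normalize_md5_list raw-feed.txt > /root/2018.md5.txt` (path from the rule in the question) to produce the list Suricata loads, and treat a non-zero `count_invalid_lines` as a reason to inspect the feed rather than deploy it.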