Diffstat (limited to 'doc/userguide/file-extraction/md5.rst')
-rw-r--r-- | doc/userguide/file-extraction/md5.rst | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/doc/userguide/file-extraction/md5.rst b/doc/userguide/file-extraction/md5.rst
new file mode 100644
index 0000000..939463b
--- /dev/null
+++ b/doc/userguide/file-extraction/md5.rst
@@ -0,0 +1,124 @@
+.. _md5:
+
+Storing MD5s checksums
+======================
+
+Configuration
+~~~~~~~~~~~~~
+
+In the Suricata config file:
+
+::
+
+ - file-store:
+ enabled: yes # set to yes to enable
+ dir: filestore # directory to store the files
+ force-hash: [md5] # force logging of md5 checksums
+
+
+For JSON output:
+
+::
+
+ outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+
+
+Other settings affecting :doc:`file-extraction`
+
+::
+
+ stream:
+ memcap: 64mb
+ checksum-validation: yes # reject wrong csums
+ inline: no # no inline mode
+ reassembly:
+ memcap: 32mb
+ depth: 0 # reassemble all of a stream
+ toserver-chunk-size: 2560
+ toclient-chunk-size: 2560
+
+Make sure we have *depth: 0* so all files can be tracked fully.
+
+
+::
+
+ libhtp:
+ default-config:
+ personality: IDS
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+Make sure we have *request-body-limit: 0* and *response-body-limit: 0*
+
+Testing
+~~~~~~~
+
+For the purpose of testing we use this rule only in a file.rules (a test/example file):
+
+
+::
+
+ alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
+
+This rule above will save all the file data for files that are opened/downloaded through HTTP
+
+Start Suricata (``-S`` option *ONLY loads* the specified rule file and disregards any other rules that are enabled in suricata.yaml):
+
+::
+
+ suricata -c /etc/suricata/suricata.yaml -S file.rules -i eth0
+
+
+Meta data:
+
+::
+
+ TIME: 05/01/2012-11:09:52.425751
+ SRC IP: 2.23.144.170
+ DST IP: 192.168.1.91
+ PROTO: 6
+ SRC PORT: 80
+ DST PORT: 51598
+ HTTP URI: /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
+ HTTP HOST: www.cisco.com
+ HTTP REFERER: http://www.cisco.com/c/en/us/products/routers/3800-series-integrated-services-routers-isr/index.html
+ FILENAME: /en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf
+ MAGIC: PDF document, version 1.6
+ STATE: CLOSED
+ MD5: 59eba188e52467adc11bf2442ee5bf57
+ SIZE: 9485123
+
+and in files-json.log (or eve.json) :
+
+
+::
+
+ { "id": 1, "timestamp": "05\/01\/2012-11:10:27.693583", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }
+ { "id": 12, "timestamp": "05\/01\/2012-11:12:57.421420", "ipver": 4, "srcip": "2.23.144.170", "dstip": "192.168.1.91", "protocol": 6, "sp": 80, "dp": 51598, "http_uri": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "http_host": "www.cisco.com", "http_referer": "http:\/\/www.google.com\/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Frouters%2Fps5855%2Fprod_brochure0900aecd8019dc1f.pdf&ei=OqyfT9eoJubi4QTyiamhAw&usg=AFQjCNGdjDBpBDfQv2r3VogSH41V6T5x9Q", "filename": "\/en\/US\/prod\/collateral\/routers\/ps5855\/prod_brochure0900aecd8019dc1f.pdf", "magic": "PDF document, version 1.6", "state": "CLOSED", "md5": "59eba188e52467adc11bf2442ee5bf57", "stored": true, "size": 9485123 }
+
+
+Log all MD5s without any rules
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you would like to log MD5s for everything and anything that passes through the traffic that you are inspecting with Suricata, but not log the files themselves, all you have to do is disable file-store and enable only the JSON output with forced MD5s - in suricata.yaml like so:
+
+::
+
+ - file-store:
+ version: 2
+ enabled: no # set to yes to enable
+ log-dir: files # directory to store the files
+ force-filestore: no
+ force-hash: [md5] # force logging of md5 checksums |