Suricata Error on running SC_ERR_NO_MD5_SUPPORT

Question

I’m using Suricata 4.0.4, I want to check md5 of files with this rule:

alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; sid:10203040; rev:1;)

but after running suricata, it says:

<Error> - [ERRCODE: SC_ERR_NO_MD5_SUPPORT(209)] - no MD5 calculation support built in, needed for filemd5 keyword

Any suggestions?

Answer 1

For me on CentOS 7.5 helped these steps:

1. Install packages (for CentOS was 'yum install ...'):

   • nss-util
   • nss-util-devel
   • nss-devel
   • nspr-devel
   • nspr

2. Reconfig and reinstall the Suricata whit those libs:

   • ./configure --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr
   • make clean
   • make
   • sudo make install-full

3. Start Suricata: /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0

Also be aware not to forget keyword "filestore;" in your rule - without it alerts may not be catched!

Example: alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; filestore; sid:10203040; rev:1;)