From: Jason Ish Date: Fri, 15 May 2020 17:28:49 +0000 (-0600) Subject: doc: document file-store v1 to v2 configuration changes X-Git-Tag: suricata-6.0.0-beta1~410 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b8320d1c066d9ac19c3721be9db348204712000;p=thirdparty%2Fsuricata.git doc: document file-store v1 to v2 configuration changes --- diff --git a/doc/userguide/file-extraction/config-update.rst b/doc/userguide/file-extraction/config-update.rst index 1562ac86ec..5c3c180789 100644 --- a/doc/userguide/file-extraction/config-update.rst +++ b/doc/userguide/file-extraction/config-update.rst @@ -1,3 +1,5 @@ +.. _filestore-update-v1-to-v2: + Update File-store v1 Configuration to V2 ======================================== diff --git a/doc/userguide/file-extraction/file-extraction.rst b/doc/userguide/file-extraction/file-extraction.rst index 45fd4e93ed..6c4a18b5bb 100644 --- a/doc/userguide/file-extraction/file-extraction.rst +++ b/doc/userguide/file-extraction/file-extraction.rst @@ -1,3 +1,5 @@ +.. _File Extraction: + File Extraction =============== @@ -66,7 +68,6 @@ of the filename. For example, if the SHA256 hex string of an extracted file starts with "f9bc6d..." the file we be placed in the directory `filestore/f9`. - The size of a file that can be stored depends on ``file-store.stream-depth``, if this value is reached a file can be truncated and might not be stored completely. If not enabled, ``stream.reassembly.depth`` will be considered. 
@@ -103,30 +104,7 @@ logged to the ``eve`` output. See :ref:`suricata-yaml-file-store` for more information on configuring the file-store output. -.. note:: This section documents version 2 of the ``file-store``. - -File-Store (Version 1) ----------------------- - -.. note:: File-store version 1 has been deprecated and will be removed - by June 2020. Please use file-store v2 instead. Please see - the `deprecation policy`_ for more information. - -:: - - - file-store: - enabled: yes # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - force-hash: [md5] # force logging of md5 checksums - force-filestore: no # force storing of all files - stream-depth: 1mb # reassemble 1mb into a stream, set to no to disable - waldo: file.waldo # waldo file to store the file_id across runs - max-open-files: 0 # how many files to keep open (O means none) - write-meta: yes # write a .meta file if set to yes - include-pid: yes # include the pid in filenames if set to yes. - -Each file that is stored will have a name "file.". The id will be reset and files will be overwritten unless the waldo option is used. A "file..meta" file is generated containing file metadata if write-meta is set to yes (default). If the include-pid option is set, the files will instead have a name "file..", and metafiles will be "file...meta". Files will additionally have the suffix ".tmp" while they are open, which is only removed when they are finalized. +.. note:: This section documents version 2 of the ``file-store``. Version 1 of the file-store has been removed as of Suricata version 6. Rules ~~~~~ @@ -195,4 +173,9 @@ Suricata can calculate MD5 checksums of files on the fly and log them. See :doc: md5 public-sha1-md5-data-sets -.. _deprecation policy: https://suricata-ids.org/about/deprecation-policy/ +Updating Filestore Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. toctree:: + + config-update 
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index c2031afbf0..da47fced17 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -30,6 +30,12 @@ by the ones Suricata supplies. Major updates include new features, new default settings and often also remove features. +Upgrading 5.0 to 6.0 +-------------------- + +Removals +~~~~~~~~ +- File-store v1 has been removed. If using file extraction, the file-store configuration will need to be updated to version 2. See :ref:`filestore-update-v1-to-v2`. Upgrading 4.1 to 5.0 --------------------
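
Review bot: The label added at the top of file-extraction.rst, `.. _File Extraction:`, uses capitals and a space, while the label this same commit adds to config-update.rst is lowercase and hyphenated (`.. _filestore-update-v1-to-v2:`). Nothing in this patch references the new label, so either rename it to match, for example `.. _file-extraction:`, or leave it out until a `:ref:` needs it.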
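
Review bot: The `@@ -66,7 +68,6 @@` hunk in file-extraction.rst only deletes a blank line, which is unrelated to the v1 to v2 documentation change. Either drop it from this commit or, since the paragraph is being touched anyway, also fix the typo in the context line just above it: "the file we be placed" should read "the file will be placed".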
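
Review bot: The replacement note in the `@@ -103,30 +104,7 @@` hunk of file-extraction.rst states that version 1 has been removed but gives a reader who still has a v1 `file-store` block no pointer to the migration steps. This commit adds the `filestore-update-v1-to-v2` label, so the note could end with a sentence such as "See :ref:`filestore-update-v1-to-v2` to update an existing configuration." The toctree entry added at the bottom of the page is easy to miss from this position.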
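
Review bot: The heading added in the `@@ -195,4 +173,9 @@` hunk, "Updating Filestore Configuration", spells the feature "Filestore", while the target page is titled "Update File-store v1 Configuration to V2" and the note added earlier in this file writes ``file-store``. Use one spelling, for example "Updating File-store Configuration", so a search of the user guide finds both sections.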
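
Review bot: The "Removals" bullet added to upgrade.rst says the file-store configuration "will need to be updated" but does not say what Suricata 6 does when it still finds a v1 block: refuses to start, logs a warning, or runs without storing files. Operators who rely on extracted files for detection or forensics need that stated here, since a silent stop would leave a gap they may not notice. Separately, the `~~~~~~~~` underline is followed directly by the bullet with no blank line, unlike the "Upgrading 5.0 to 6.0" title above it; add one, and consider wrapping the single long bullet line.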