Replies: 1 comment
-
I believe it depends on if there was an associated file event from Suricata or within the flow. One way to look would be to walk from the community ID to other records and see if the information is available there.
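The pivot suggested in the reply, written out as an added example that is not part of the original discussion: index the `fileinfo` records in an EVE log by `community_id` (falling back to `flow_id`), then attach any file names and hashes found on the same flow to each alert. The sample EVE lines, the community IDs and the hash value are constructed for illustration; an alert whose flow never produced a file event (the situation in the question, where an IP-reputation CnC signature fires on the connection itself) ends up with an empty `files` list rather than an error.

```python
"""Pivot from Suricata EVE alerts to fileinfo records on the same flow.

Added example, not code from the GitHub thread. The EVE records below are
constructed: community IDs and the sha256 value are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines: alert + fileinfo sharing one
# community_id, plus a second alert whose flow carried no file event.
SAMPLE_EVE = r'''
{"timestamp":"2021-08-13T17:31:37.825918+0000","flow_id":1,"event_type":"alert","src_ip":"192.168.233.180","dest_ip":"170.238.117.187","community_id":"1:constructedA=","alert":{"signature_id":2404307,"signature":"ET CNC Feodo Tracker Reported CnC Server group 8","category":"A Network Trojan was detected"}}
{"timestamp":"2021-08-13T17:31:38.000000+0000","flow_id":1,"event_type":"fileinfo","community_id":"1:constructedA=","fileinfo":{"filename":"/update.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000","size":1024,"stored":false}}
{"timestamp":"2021-08-13T17:40:00.000000+0000","flow_id":2,"event_type":"alert","src_ip":"192.168.233.181","dest_ip":"170.238.117.187","community_id":"1:constructedB=","alert":{"signature_id":2404307,"signature":"ET CNC Feodo Tracker Reported CnC Server group 8","category":"A Network Trojan was detected"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated line (log rotated mid-write) must not abort the run.
            continue
    return records


def flow_key(rec):
    """Key used to join records: community_id when present, else flow_id."""
    return rec.get("community_id") or rec.get("flow_id")


def index_files(records):
    """Map each flow key to the fileinfo payloads observed on that flow."""
    files = defaultdict(list)
    for rec in records:
        if rec.get("event_type") == "fileinfo":
            files[flow_key(rec)].append(rec["fileinfo"])
    return files


def enrich_alerts(records):
    """Return one dict per alert with file names/hashes from the same flow.

    Alerts whose flow produced no fileinfo event get an empty 'files' list:
    a CnC / IP-reputation signature fires on the connection, so there may be
    no file to hash at all. Hash fields are only present when Suricata was
    configured to compute them (the fileinfo output's force-hash setting).
    """
    files = index_files(records)
    enriched = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        enriched.append({
            "timestamp": rec.get("timestamp"),
            "signature": rec["alert"].get("signature"),
            "community_id": rec.get("community_id"),
            "files": [
                {"filename": f.get("filename"),
                 "sha256": f.get("sha256"),
                 "md5": f.get("md5")}
                for f in files.get(flow_key(rec), [])
            ],
        })
    return enriched


if __name__ == "__main__":
    for alert in enrich_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(alert, indent=2))
```

To run this against a real log, replace `SAMPLE_EVE` with the contents of `eve.json`; if every alert comes back with an empty `files` list, the flow carried no file transfer Suricata could parse, and the hash has to come from somewhere else (a file-store extraction or endpoint telemetry), not from the alert record.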
-
Hi pals!
Hope you are fine! I have a doubt. Is it possible to get a hash of the file that generates an alert, for example a trojan?
I have this alert
{"timestamp":"2021-08-13T17:31:37.825918+0000","flow_id":426317052484158,"in_iface":"bond0","event_type":"alert","src_ip":"192.168.233.180","src_port":49933,"dest_ip":"170.238.117.187","dest_port":445,"proto":"TCP","metadata":{"flowbits":["ET.Evil","ET.BotccIP"]},"community_id":"1:e9VxvNbD5Qjk64Gy4ZOyNqIn/54=","alert":{"action":"allowed","gid":1,"signature_id":2404307,"rev":6188,"signature":"ET CNC Feodo Tracker Reported CnC Server group 8","category":"A Network Trojan was detected","severity":1,"metadata":{"affected_product":["Windows_XP_Vista_7_8_10_Server_32_64_Bit"],"attack_target":["Client_Endpoint"],"created_at":["2014_11_04"],"deployment":["Perimeter"],"signature_severity":["Major"],"tag":["Banking_Trojan"],"updated_at":["2021_08_12"]},"rule":"alert ip $HOME_NET any ->
but neither the hash nor the file name is reported.
Any idea?