This plugin takes advantage of the file engine inside Suricata. It creates a SIEM event when it sees a PDF or Windows EXE file downloaded. Most of the time the event includes the MD5 so you can look it up.
You will need to modify /etc/suricata/suricata.yaml. The config is included in the plugin cfg file.
Updates will likely overwrite your changes to the YAML config.
The log file for this plugin, /var/log/suricata/files-json.log, can get HUGE on a large network. Be sure it is in logrotate.
Be sure the plugin ID I use does not interfere with one you already have.
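
The selection described in the first note (PDF and Windows EXE downloads, with the MD5 when it is present) can be checked against your own log with the sketch below. It is an added example, not the plugin's code. The field names (`magic`, `md5`, `state`, `srcip`, `dstip`, `filename`) are assumed to match Suricata's legacy file-log JSON records, and the sample records are constructed.

```python
import json

# Constructed sample records (not real traffic). Field names are assumed to
# match Suricata's legacy file-log JSON output; check them against your log.
SAMPLE_LOG = r'''
{"timestamp": "01/15/2024-10:02:11.120000", "srcip": "203.0.113.10", "dstip": "10.0.0.5", "http_host": "files.example.com", "filename": "/docs/report.pdf", "magic": "PDF document, version 1.4", "state": "CLOSED", "md5": "0123456789abcdef0123456789abcdef", "size": 48211}
{"timestamp": "01/15/2024-10:03:40.551000", "srcip": "203.0.113.22", "dstip": "10.0.0.7", "http_host": "dl.example.net", "filename": "/setup.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "TRUNCATED", "size": 1048576}
{"timestamp": "01/15/2024-10:04:02.000100", "srcip": "203.0.113.30", "dstip": "10.0.0.9", "http_host": "www.example.org", "filename": "/style.css", "magic": "ASCII text", "state": "CLOSED", "md5": "fedcba9876543210fedcba9876543210", "size": 1290}
{"timestamp": "01/15/2024-10:05
'''

# libmagic description prefixes for the two file types the plugin reports.
WATCHED = (("PDF document", "pdf"), ("PE32", "windows-exe"))


def classify(magic):
    """Return a label for a watched file type, or None for anything else."""
    for prefix, label in WATCHED:
        if str(magic).startswith(prefix):
            return label
    return None


def file_events(lines):
    """Yield one dict per PDF/EXE record; skip bad lines, allow missing md5."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partial record, e.g. read while the log was rotating
        if not isinstance(rec, dict):
            continue
        kind = classify(rec.get("magic", ""))
        if kind is None:
            continue
        yield {
            "kind": kind,
            "src": rec.get("srcip"),
            "dst": rec.get("dstip"),
            "filename": rec.get("filename"),
            "md5": rec.get("md5"),  # None when the record carries no hash
            "complete": rec.get("state") == "CLOSED",
        }


if __name__ == "__main__":
    for event in file_events(SAMPLE_LOG.splitlines()):
        print(event)
```

Events with `md5` set to `None` or `complete` set to `False` cannot be looked up by hash, so treat them as a separate case when tuning the SIEM rule.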