[Oisf-devel] filemd5?
Martin Holste
mcholste at gmail.com
Thu Feb 16 14:58:42 UTC 2012
Very cool, at least for big shops. Sadly, MD5s are getting less and
less valuable for malicious files, but it would help to whitelist
known-good files.
Looks like you've found another spot where the output templates as per
the stats file discussion would come in handy. That said, I think
that if every output was simple CSV, you'd not get any complaints.
Actually, WELF would be fine, too. Or, for super-bonus-points, JSON
would be ideal.
On Thu, Feb 16, 2012 at 8:51 AM, Josh White <josh at securemind.org> wrote:
> Victor,
>
> That's great, we can do known MW matching with md5sums this way. Very
> useful!
>
> Josh
>
>
> On Thu, Feb 16, 2012 at 9:21 AM, Victor Julien <victor at inliniac.net> wrote:
>>
>> So I guess the best development happens when you're actually doing
>> boring stuff and you allow yourself to spend 30 minutes on a hunch. Of
>> course the 30 minutes becomes a couple of hours, but who cares :)
>>
>> Anyway, the hunch here was integrating libnss' md5 calculation code into
>> the Suricata file inspection/extraction code, calculating the md5
>> checksum of files on the fly.
>>
>> Turns out it works and at decent speeds too. In a test pcap I extract
>> 8393 files in 16.9 seconds. With md5 on the fly it's 17.6 seconds.
>> Sounds acceptable, no?
>>
>> Right now all I have is writing the md5 to the .meta file, like so:
>>
>> TIME: 10/02/2009-21:35:10.556990
>> PCAP PKT NUM: 6225
>> SRC IP: 61.191.61.40
>> DST IP: 192.168.2.7
>> PROTO: 6
>> SRC PORT: 80
>> DST PORT: 1091
>> FILENAME: /ww/aa7.exe
>> MAGIC: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
>> STATE: CLOSED
>> MD5: e148eaaadceecb2e3e25fd25809cb5db
>> SIZE: 25712
>>
>> But obviously this needs to be made available to the rule language. I
>> was thinking a simple filemd5 keyword to start, allowing matching on
>> single md5s. But the real value is probably in a keyword that allows
>> you to check an entire db of md5s all at once. I'm sure there are people
>> sitting on large collections of known bad md5s.
>>
>> Does this all make sense? Any other ideas?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
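As an added illustration of the two halves of Victor's proposal (hashing the file incrementally as it is extracted, then checking the digest against a whole list at once) together with Martin's point about whitelisting known-good files, here is a small Python sketch; it is not Suricata code. The one-digest-per-line list format, the function names and the sample lists are assumptions, and the .meta record is constructed from the layout shown in the quoted mail.

```python
import hashlib

# Constructed .meta record in the layout Victor's mail shows (MD5 value copied from that mail).
SAMPLE_META = """\
TIME: 10/02/2009-21:35:10.556990
FILENAME: /ww/aa7.exe
MAGIC: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: e148eaaadceecb2e3e25fd25809cb5db
SIZE: 25712
"""
# Constructed hash lists in a hypothetical one-digest-per-line format ('#' starts a comment).
KNOWN_BAD_LIST = "# constructed sample list\nE148EAAADCEECB2E3E25FD25809CB5DB\n"
KNOWN_GOOD_LIST = "900150983cd24fb0d6963f7d28e17f72  # md5 of b'abc'\n"

def parse_meta(text):
    """Turn 'KEY: value' lines into a dict; keys may contain spaces (e.g. 'SRC IP')."""
    record = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            record[key.strip()] = value.strip()
    return record

def load_hash_list(text):
    """Load MD5 digests into a set, ignoring comments and blanks, rejecting malformed entries."""
    hashes = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) != 32 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError("not an MD5 hex digest: %r" % entry)
        hashes.add(entry)
    return hashes

def md5_on_the_fly(chunks):
    """Hash a file incrementally as its chunks arrive, the way an extractor sees them."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def classify(md5_hex, known_bad, known_good):
    """Set membership costs the same whatever the list size, the point of a whole-db keyword."""
    md5_hex = md5_hex.lower()
    if md5_hex in known_bad:
        return "known-bad"
    if md5_hex in known_good:
        return "known-good"
    return "unknown"
```

Feeding `md5_on_the_fly` the same bytes in different chunkings gives the same digest, which is what lets the checksum be computed during extraction without buffering the whole file.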