Victor, <br><br>That's great, we can do known MW matching with md5sum's this way. Very useful!<br><br>Josh<br><br><div class="gmail_quote">On Thu, Feb 16, 2012 at 9:21 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So I guess the best development happens when you're actually doing<br>
boring stuff and you allow yourself to spend 30 minutes on a hunch. Of<br>
course the 30 minutes becomes a couple of hours, but who cares :)<br>
<br>
Anyway, the hunch here was integrating libnss' md5 calculation code into<br>
the Suricata file inspection/extraction code, calculating the md5<br>
checksum of files on the fly.<br>
<br>
Turns out it works and at decent speeds too. In a test pcap I extract<br>
8393 files in 16.9 seconds. With md5 on the fly it's 17.6 seconds.<br>
Sounds acceptable, no?<br>
<br>
Right now all I have is writing the md5 to the .meta file, like so:<br>
<br>
TIME: 10/02/2009-21:35:10.556990<br>
PCAP PKT NUM: 6225<br>
SRC IP: 61.191.61.40<br>
DST IP: 192.168.2.7<br>
PROTO: 6<br>
SRC PORT: 80<br>
DST PORT: 1091<br>
FILENAME: /ww/aa7.exe<br>
MAGIC: PE32 executable for MS Windows (GUI) Intel 80386 32-bit<br>
STATE: CLOSED<br>
MD5: e148eaaadceecb2e3e25fd25809cb5db<br>
SIZE: 25712<br>
<br>
But obviously this needs to be made available to the rule language. I<br>
was thinking a simple filemd5 keyword to start, allowing matching on<br>
single md5's. But the real value is probably in a keyword that allows<br>
you to check an entire db of md5's all at once. I'm sure there are ppl<br>
sitting on large collections of known bad md5.<br>
<br>
Does this all make sense? Any other ideas?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
<br>
</font></span></blockquote></div><br>