<div dir="ltr">Are you hitting stream cutoff? Probably would be useful for you to take sensitive info out of the config i.e. HOME_NET ip's and share your suricata.yaml.<div><br><div>Regards,</div><div><br></div><div>Will</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 21, 2014 at 3:09 PM, Jay M. <span dir="ltr"><<a href="mailto:jskier@gmail.com" target="_blank">jskier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'd like to add that, when I tried to troubleshoot more with the file<br>
store I'm getting nothing but corrupt files and the same unknown hash<br>
values (headers are usually intact though). Also, I'm using af_packet<br>
listen mode.<br>
--<br>
Jay<br>
<a href="mailto:jskier@gmail.com">jskier@gmail.com</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Tue, Oct 21, 2014 at 12:50 PM, Jay M. <<a href="mailto:jskier@gmail.com">jskier@gmail.com</a>> wrote:<br>
> Greetings,<br>
><br>
> I'm new to the list, previously a snort user.<br>
><br>
> Anyway, I'm testing suricata on a few boxes, and only need MD5 hashes<br>
> logged on one of them (traffic between Cisco WSA proxy <> external<br>
> net). I have hashing enabled, and the logs give a value for<br>
> fileinfo.md5, however this value does not match the actual hash of the<br>
> file itself unless the files are very, very small. I've tried png,<br>
> jpg, zip, and pdf files as samples.<br>
><br>
> I'm running suricata 2.1beta1 (the selks 64-bit Debian live cd) within<br>
> VMware 10 which is fed an rspan over USB3 dongle (ax88179_178a).<br>
><br>
> I did the following to see if this would help (it did not):<br>
> sudo ethtool -K eth1 tso off<br>
> sudo ethtool -K eth1 gso off<br>
> sudo ethtool -K eth1 gro off<br>
> sudo ethtool -K eth1 ufo off<br>
> sudo ethtool -K eth1 tx off<br>
> sudo ethtool -K eth1 rx off<br>
><br>
> Any insight into what is causing the hashes to be inaccurate? So far<br>
> I'm looking into possible causes between the proxy and external net<br>
> that may manipulate the files (something like compression). Any other<br>
> suggestions are appreciated!<br>
><br>
> --<br>
> Jay<br>
> <a href="mailto:jskier@gmail.com">jskier@gmail.com</a><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</div></div></blockquote></div><br></div>