<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=PT link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Is there a way to replicate this behaviour? Can you isolate a use case where this always happens?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>From: </b><a href="mailto:jskier@gmail.com">Jeremy MJ</a><br><b>Sent: </b>7 October 2016 23:30<br><b>To: </b><a href="mailto:duarte.silva@serializing.me">Duarte Silva</a><br><b>Cc: </b><a href="mailto:oisf-users@lists.openinfosecfoundation.org">Open Information Security Foundation</a><br><b>Subject: </b>Re: [Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Good point. The logging side is reporting incorrect sha hashes</p><p class=MsoNormal>occasionally (sometimes it's correct).</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Just did a test with sha1/256 rule and correct hash, no alert (md5</p><p class=MsoNormal>still correct, sha values are wrong).
I'll try the incorrect hashes in</p><p class=MsoNormal>the rules and see what that does early next week.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--</p><p class=MsoNormal>Jeremy MJ</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On Fri, Oct 7, 2016 at 2:27 PM, Duarte Silva</p><p class=MsoNormal>&lt;duarte.silva@serializing.me&gt; wrote:</p><p class=MsoNormal>> Hey Jeremy,</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> are you seeing the problems on the logging or on the rules matching?</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Cheers,</p><p class=MsoNormal>> Duarte</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> On Friday 07 October 2016 12:30:26 Jeremy MJ wrote:</p><p class=MsoNormal>>> Greetings,</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> I am testing sha1/256 hashing in Suricata 3.2beta1. I noticed that the</p><p class=MsoNormal>>> MD5 always matches the file stream, however on occasion the hashes for</p><p class=MsoNormal>>> sha1/256 do not match the actual file stream (but the md5 does).</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Typically this is on larger files. Is there a configuration setting I</p><p class=MsoNormal>>> should look at?
Is anyone else observing this?</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Regards,</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> --</p><p class=MsoNormal>>> Jeremy MJ</p><p class=MsoNormal>>> _______________________________________________</p><p class=MsoNormal>>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org</p><p class=MsoNormal>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/</p><p class=MsoNormal>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</p><p class=MsoNormal>>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>