[Oisf-users] MD5 hashing of files not correct most of the time

Jay M. jskier at gmail.com
Tue Oct 21 17:50:08 UTC 2014


I'm new to the list, previously a snort user.

Anyway, I'm testing suricata on a few boxes, and only need MD5 hashes
logged on one of them (traffic between Cisco WSA proxy <> external
net). I have hashing enabled, and the logs give a value for
fileinfo.md5, however this value does not match the actual hash of the
file itself unless the files are very, very small. I've tried png,
jpg, zip, and pdf files as samples.

I'm running suricata 2.1beta1 (the selks 64-bit Debian live cd) within
VMware 10 which is fed an rspan over USB3 dongle (ax88179_178a).

I did the following to see if this would help (it did not):
sudo ethtool -K eth1 tso off
sudo ethtool -K eth1 gso off
sudo ethtool -K eth1 gro off
sudo ethtool -K eth1 ufo off
sudo ethtool -K eth1 tx off
sudo ethtool -K eth1 rx off

Any insight into what is causing the hashes to be inaccurate? So far
I'm looking into possible causes between the proxy and external net
that may manipulate the files (something like compression). Any other
suggestions are appreciated!

jskier at gmail.com

More information about the Oisf-users mailing list