[Oisf-users] MD5 hashing of files not correct most of the time
Jay M.
jskier at gmail.com
Tue Oct 21 17:50:08 UTC 2014
Greetings,
I'm new to the list, previously a snort user.
Anyway, I'm testing suricata on a few boxes, and only need MD5 hashes
logged on one of them (traffic between Cisco WSA proxy <> external
net). I have hashing enabled, and the logs give a value for
fileinfo.md5, however this value does not match the actual hash of the
file itself unless the files are very, very small. I've tried png,
jpg, zip, and pdf files as samples.
I'm running suricata 2.1beta1 (the selks 64-bit Debian live cd) within
VMware 10 which is fed an rspan over USB3 dongle (ax88179_178a).
I did the following to see if this would help (it did not):
sudo ethtool -K eth1 tso off
sudo ethtool -K eth1 gso off
sudo ethtool -K eth1 gro off
sudo ethtool -K eth1 ufo off
sudo ethtool -K eth1 tx off
sudo ethtool -K eth1 rx off
Any insight into what is causing the hashes to be inaccurate? So far
I'm looking into possible causes between the proxy and external net
that may manipulate the files (something like compression). Any other
suggestions are appreciated!
--
Jay
jskier at gmail.com
More information about the Oisf-users
mailing list