[Oisf-users] MD5 hashing of files not correct most of the time

Jay M. jskier at gmail.com
Tue Oct 21 20:09:09 UTC 2014


I'd like to add that, when I tried to troubleshoot further with the file
store, I got nothing but corrupt files and the same unknown hash
values (headers are usually intact, though). Also, I'm using af_packet
listen mode.
--
Jay
jskier at gmail.com


On Tue, Oct 21, 2014 at 12:50 PM, Jay M. <jskier at gmail.com> wrote:
> Greetings,
>
> I'm new to the list, previously a snort user.
>
> Anyway, I'm testing Suricata on a few boxes, and only need MD5 hashes
> logged on one of them (traffic between Cisco WSA proxy <> external
> net). I have hashing enabled, and the logs give a value for
> fileinfo.md5; however, this value does not match the actual hash of the
> file itself unless the files are very, very small. I've tried png,
> jpg, zip, and pdf files as samples.
>
> I'm running Suricata 2.1beta1 (the SELKS 64-bit Debian live CD) within
> VMware 10, which is fed an RSPAN session over a USB3 dongle (ax88179_178a).
>
> I did the following to see if this would help (it did not):
> sudo ethtool -K eth1 tso off
> sudo ethtool -K eth1 gso off
> sudo ethtool -K eth1 gro off
> sudo ethtool -K eth1 ufo off
> sudo ethtool -K eth1 tx off
> sudo ethtool -K eth1 rx off
>
> Any insight into what is causing the hashes to be inaccurate? So far
> I'm looking into possible causes between the proxy and external net
> that may manipulate the files (something like compression). Any other
> suggestions are appreciated!
>
> --
> Jay
> jskier at gmail.com
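One way to narrow down where the bytes go wrong, as an added example that is not part of this thread and not Suricata's own code: compare each logged fileinfo.md5 against the bytes file-store actually wrote. If the stored copy hashes to the logged value but neither matches the real file, Suricata hashed exactly what it reassembled, so data was lost or altered before or at capture (the RSPAN feed, the VM NIC, offloading); if the stored bytes hash differently from the logged value, the problem is inside Suricata's own file handling. The example assumes eve.json "fileinfo" records carry "file_id", "md5", "size", "stored" and "state" (with "CLOSED" meaning complete) and that file-store writes extracted bytes to <store_dir>/file.<file_id>; check those names against your installed version. The sample eve.json and file-store contents are constructed inline.

```python
import hashlib
import json
import os
import tempfile

# Assumed layout (not taken from the thread): eve.json "fileinfo" records carry
# "file_id", "md5", "size", "stored" and "state", and file-store writes the
# extracted bytes to <store_dir>/file.<file_id>. Verify against your version.
STATE_COMPLETE = "CLOSED"


def check_filestore(eve_path, store_dir):
    """Compare each logged fileinfo.md5 against the bytes Suricata stored.

    Returns a list of (file_id, verdict, detail) tuples, verdict being one of:
      ok             logged md5 and size match the stored bytes
      truncated      Suricata itself flagged the file as incomplete
      md5-mismatch   stored bytes hash differently from the logged md5
      size-mismatch  logged size differs from the stored length
      missing        record says stored but the file is absent on disk
      not-stored     file-store kept no copy, nothing to compare
    """
    results = []
    with open(eve_path, "r") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            rec = json.loads(line)
            if rec.get("event_type") != "fileinfo":
                continue
            info = rec["fileinfo"]
            fid = info.get("file_id")
            if info.get("state") != STATE_COMPLETE:
                # Suricata already knows it did not see the whole file.
                results.append((fid, "truncated", info.get("state")))
                continue
            if not info.get("stored"):
                results.append((fid, "not-stored", None))
                continue
            path = os.path.join(store_dir, "file.%s" % fid)
            if not os.path.isfile(path):
                results.append((fid, "missing", path))
                continue
            with open(path, "rb") as stored:
                data = stored.read()
            actual = hashlib.md5(data).hexdigest()
            if actual != info.get("md5"):
                results.append((fid, "md5-mismatch", actual))
            elif info.get("size") is not None and info["size"] != len(data):
                results.append((fid, "size-mismatch", len(data)))
            else:
                results.append((fid, "ok", actual))
    return results


def build_sample():
    """Constructed sample data: a tiny eve.json plus a matching file-store."""
    root = tempfile.mkdtemp(prefix="fs-check-")
    store = os.path.join(root, "files")
    os.mkdir(store)
    good = b"%PDF-1.4 constructed sample body\n" * 4
    bad_logged = b"PNG constructed body as Suricata hashed it\n" * 4
    bad_stored = bad_logged[:-7] + b"XXXXXXX"   # stored copy diverges in the tail
    records = [
        {"event_type": "fileinfo", "fileinfo": {"file_id": 1, "state": "CLOSED",
         "stored": True, "size": len(good), "md5": hashlib.md5(good).hexdigest()}},
        {"event_type": "fileinfo", "fileinfo": {"file_id": 2, "state": "CLOSED",
         "stored": True, "size": len(bad_logged),
         "md5": hashlib.md5(bad_logged).hexdigest()}},
        {"event_type": "fileinfo", "fileinfo": {"file_id": 3, "state": "TRUNCATED",
         "stored": True, "size": 12, "md5": hashlib.md5(b"partial").hexdigest()}},
        {"event_type": "alert", "alert": {"signature_id": 1}},  # ignored
    ]
    eve = os.path.join(root, "eve.json")
    with open(eve, "w") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    with open(os.path.join(store, "file.1"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(store, "file.2"), "wb") as fh:
        fh.write(bad_stored)
    with open(os.path.join(store, "file.3"), "wb") as fh:
        fh.write(b"partial")
    return eve, store


if __name__ == "__main__":
    for fid, verdict, detail in check_filestore(*build_sample()):
        print(fid, verdict, detail)
```

Run it against a real eve.json and file-store directory with `check_filestore("/var/log/suricata/eve.json", "/var/log/suricata/files")` (paths are placeholders). A run dominated by "truncated" points at packet loss or reassembly gaps on the capture side, while "md5-mismatch" on CLOSED files would be worth reporting upstream with the offending samples.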
