[Oisf-users] MD5 hashing of files not correct most of the time

Will Metcalf william.metcalf at gmail.com
Tue Oct 21 20:11:38 UTC 2014


Are you hitting stream cutoff? Probably would be useful for you to take
sensitive info out of the config i.e. HOME_NET ip's and share your
suricata.yaml.

Regards,

Will

On Tue, Oct 21, 2014 at 3:09 PM, Jay M. <jskier at gmail.com> wrote:

> I'd like to add that, when I tried to troubleshoot more with the file
> store I'm getting nothing but corrupt files and the same unknown hash
> values (headers are usually intact though). Also, I'm using af_packet
> listen mode.
> --
> Jay
> jskier at gmail.com
>
>
> On Tue, Oct 21, 2014 at 12:50 PM, Jay M. <jskier at gmail.com> wrote:
> > Greetings,
> >
> > I'm new to the list, previously a snort user.
> >
> > Anyway, I'm testing suricata on a few boxes, and only need MD5 hashes
> > logged on one of them (traffic between Cisco WSA proxy <> external
> > net). I have hashing enabled, and the logs give a value for
> > fileinfo.md5, however this value does not match the actual hash of the
> > file itself unless the files are very, very small. I've tried png,
> > jpg, zip, and pdf files as samples.
> >
> > I'm running suricata 2.1beta1 (the selks 64-bit Debian live cd) within
> > VMware 10 which is fed an rspan over USB3 dongle (ax88179_178a).
> >
> > I did the following to see if this would help (it did not):
> > sudo ethtool -K eth1 tso off
> > sudo ethtool -K eth1 gso off
> > sudo ethtool -K eth1 gro off
> > sudo ethtool -K eth1 ufo off
> > sudo ethtool -K eth1 tx off
> > sudo ethtool -K eth1 rx off
> >
> > Any insight into what is causing the hashes to be inaccurate? So far
> > I'm looking into possible causes between the proxy and external net
> > that may manipulate the files (something like compression). Any other
> > suggestions are appreciated!
> >
> > --
> > Jay
> > jskier at gmail.com
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141021/e63b4ba6/attachment-0002.html>


More information about the Oisf-users mailing list