[Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK

duarte.silva at serializing.me
Sat Oct 8 07:11:55 UTC 2016

Is there a way to replicate this behaviour? Can you isolate a use case where this always happens?

From: Jeremy MJ
Sent: 7 October 2016 23:30
To: Duarte Silva
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK

Good point. The logging side is reporting incorrect sha hashes
occasionally (sometimes it's correct).

Just did a test with sha1/256 rule and correct hash, no alert (md5
still correct, sha values are wrong). I'll try the incorrect hashes in
the rules and see what that does early next week.

Jeremy MJ

On Fri, Oct 7, 2016 at 2:27 PM, Duarte Silva
<duarte.silva at serializing.me> wrote:
> Hey Jeremy,
> are you seeing the problems on the logging or on the rules matching?
> Cheers,
> Duarte
> On Friday 07 October 2016 12:30:26 Jeremy MJ wrote:
>> Greetings,
>> I am testing sha1/256 hashing in Suricata 3.2beta1. I noticed that the
>> MD5 always matches the file stream, however on occasion the hashes for
>> sha1/256 do not match the actual file stream (but the md5 does).
>> Typically this is on larger files. Is there a configuration setting I
>> should look at? Is anyone else observing this?
>> Regards,
>> --
>> Jeremy MJ
