[Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK

Jeremy MJ jskier at gmail.com
Tue Oct 11 15:30:35 UTC 2016


Yes sir, can replicate this at two different locations. Testing for
two sites (both pf_ring). Traffic is coming to / from proxy server
(this network device is logging sha256, which is the correct value for
this test). Eve logs here: http://pastebin.com/04NjQHeJ

Sample PDF taken from a random site:
hxxp://www.isr.umich.edu/cps/M-ABLE/materials/EEWE/Business%20Plan%20Template.pdf
Actual hash values of file:
MD5: 0e26bfdecba382074c4b14d048ccd516
SHA: 081508453775965f197d711584b3343e680af436
SHA256: a5bed200ed4707c0499758f985176135209144e23bcbb8a0a2d21c9abcd3841d

Suricata IDS device's interpretation of hashes:
MD5: 0e26bfdecba382074c4b14d048ccd516 (matches)
SHA: e70f41a89c5389e97e489fbcb5818d6f17cb15ce (mismatch)
SHA256: acdebd0906bbe479fd70be0cbe2c08067562d5590afff6aa88140f029465a67d (mismatch)

Let me know if you need anything else or have other questions,

--
Jeremy MJ


On Sat, Oct 8, 2016 at 2:11 AM,  <duarte.silva at serializing.me> wrote:
> Is there a way to replicate this behaviour? Can you isolate a use case where
> this always happens?
>
> From: Jeremy MJ
> Sent: 7 October 2016 23:30
> To: Duarte Silva
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK
>
> Good point. The logging side is reporting incorrect sha hashes
> occasionally (sometimes it's correct).
>
> Just did a test with sha1/256 rule and correct hash, no alert (md5
> still correct, sha values are wrong). I'll try the incorrect hashes in
> the rules and see what that does early next week.
>
> --
> Jeremy MJ
>
> On Fri, Oct 7, 2016 at 2:27 PM, Duarte Silva
> <duarte.silva at serializing.me> wrote:
>> Hey Jeremy,
>>
>> are you seeing the problems on the logging or on the rules matching?
>>
>> Cheers,
>> Duarte
>>
>> On Friday 07 October 2016 12:30:26 Jeremy MJ wrote:
>>> Greetings,
>>>
>>> I am testing sha1/256 hashing in Suricata 3.2beta1. I noticed that the
>>> MD5 always matches the file stream, however on occasion the hash for
>>> sha1/256 does not match the actual file stream (but the md5 does).
>>>
>>> Typically this is on larger files. Is there a configuration setting I
>>> should look at? Is anyone else observing this?
>>>
>>> Regards,
>>>
>>> --
>>> Jeremy MJ
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC:
>>> http://suricon.net
>>
>
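An added check for the comparison Jeremy describes above, not code from the thread or from Suricata: it recomputes the three digests of a file and compares them against every eve.json fileinfo record for that filename, reporting which algorithm disagrees. The eve field names (event_type, fileinfo.filename, fileinfo.md5/sha1/sha256), the sample file bytes and the two log lines are assumptions constructed here; the second line is built to disagree on sha1/sha256 only, mirroring the report.

```python
import hashlib
import json

# Constructed stand-in for the PDF in the report (not the real file).
SAMPLE_FILE = b"%PDF-1.4\n" + b"business plan template " * 2000 + b"\n%%EOF\n"
FILENAME = "/Business Plan Template.pdf"


def file_digests(data: bytes) -> dict:
    """Compute the three digests a Suricata fileinfo record carries."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_fileinfo(eve_lines, expected: dict, filename: str):
    """Compare each fileinfo record for `filename` with independently computed
    digests; return (algorithm, logged, expected) for every disagreement."""
    mismatches = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        if fi.get("filename") != filename:
            continue
        for algo in ("md5", "sha1", "sha256"):
            logged = fi.get(algo)
            if logged is not None and logged.lower() != expected[algo]:
                mismatches.append((algo, logged, expected[algo]))
    return mismatches


def build_eve_line(filename: str, digests: dict) -> str:
    """Constructed eve.json fileinfo line (assumed field layout)."""
    return json.dumps({"event_type": "fileinfo",
                       "fileinfo": {"filename": filename, "state": "CLOSED",
                                    "size": len(SAMPLE_FILE), **digests}})


GOOD = file_digests(SAMPLE_FILE)
BAD = file_digests(SAMPLE_FILE[:-64])   # constructed: digests of a truncated copy
EVE_LINES = [
    build_eve_line(FILENAME, GOOD),                      # record that agrees
    build_eve_line(FILENAME, {"md5": GOOD["md5"],        # record that disagrees
                              "sha1": BAD["sha1"], "sha256": BAD["sha256"]}),
]


def run_check():
    return check_fileinfo(EVE_LINES, GOOD, FILENAME)


if __name__ == "__main__":
    for algo, logged, expected in run_check():
        print(f"{algo}: logged {logged} != actual {expected}")
```

On a real sensor, read eve.json line by line and hash the extracted file (or the original download) in place of SAMPLE_FILE.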
