[Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK

Duarte Silva duarte.silva at serializing.me
Tue Oct 11 18:28:02 UTC 2016


Not that I can think of. Maybe the other guys at the mailing list can chime in 
with some ideas.

On Tuesday 11 October 2016 13:01:24 Jeremy MJ wrote:
> I'll try the latest git.
> 
> Mostly agree with the pcap method, although I still wonder a little
> about pfring (will try to test with pcap too). Is there anything else
> I should be looking at?
> 
> --
> Jeremy MJ
> 
> 
> On Tue, Oct 11, 2016 at 12:39 PM, Duarte Silva
> 
> <duarte.silva at serializing.me> wrote:
> > Hi Jeremy,
> > 
> > tried with the latest version from Git, and I'm not able to replicate the
> > issue. My logs report the correct file hashes.
> > 
> > {"timestamp":"2016-10-11T17:30:15.949381+0000","flow_id":1222313897254293,
> >  "in_iface":"enp0s31f6","event_type":"fileinfo",
> >  "src_ip":"141.211.32.32","src_port":80,"dest_ip":"192.168.0.1","dest_port":46650,"proto":"TCP",
> >  "http":{"hostname":"www.isr.umich.edu",
> >          "url":"\/cps\/M-ABLE\/materials\/EEWE\/Business%20Plan%20Template.pdf",
> >          "http_user_agent":"curl\/7.50.3","http_content_type":"application\/pdf",
> >          "http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":748225},
> >  "app_proto":"http",
> >  "fileinfo":{"filename":"\/cps\/M-ABLE\/materials\/EEWE\/Business Plan Template.pdf",
> >              "state":"CLOSED",
> >              "md5":"0e26bfdecba382074c4b14d048ccd516",
> >              "sha1":"081508453775965f197d711584b3343e680af436",
> >              "sha256":"a5bed200ed4707c0499758f985176135209144e23bcbb8a0a2d21c9abcd3841d",
> >              "stored":true,"file_id":5,"size":748225,"tx_id":0}}
> > 
> > I have also enabled file storing and this is the results:
> > 
> > $ md5sum files/file.5
> > 0e26bfdecba382074c4b14d048ccd516  files/file.5
> > 
> > $ sha1sum files/file.5
> > 081508453775965f197d711584b3343e680af436  files/file.5
> > 
> > $ sha256sum files/file.5
> > a5bed200ed4707c0499758f985176135209144e23bcbb8a0a2d21c9abcd3841d  files/file.5
> > 
> > $  cat files/file.5.meta
> > TIME:              10/11/2016-19:30:14.563844
> > SRC IP:            141.211.32.32
> > DST IP:            192.168.0.1
> > PROTO:             6
> > SRC PORT:          80
> > DST PORT:          46650
> > APP PROTO:         http
> > HTTP URI:          /cps/M-ABLE/materials/EEWE/Business Plan Template.pdf?d
> > HTTP HOST:         www.isr.umich.edu
> > HTTP REFERER:      <unknown>
> > HTTP USER AGENT:   curl/7.50.3
> > FILENAME:          /cps/M-ABLE/materials/EEWE/Business Plan Template.pdf
> > MAGIC:             <unknown>
> > STATE:             CLOSED
> > MD5:               0e26bfdecba382074c4b14d048ccd516
> > SHA1:              081508453775965f197d711584b3343e680af436
> > SHA256:            a5bed200ed4707c0499758f985176135209144e23bcbb8a0a2d21c9abcd3841d
> > SIZE:              748225
> > 
> > I used the PCAP capture method, but that wouldn't have much influence since MD5
> > is apparently reporting the hash correctly.
> > 
> > Cheers,
> > Duarte
> > 
> > On Tuesday 11 October 2016 10:30:35 Jeremy MJ wrote:
> >> Yes sir, can replicate this at two different locations. Testing for
> >> two sites (both pf_ring). Traffic is coming to / from proxy server
> >> (this network device is logging sha256, which is the correct value for
> >> this test). Eve logs here: http://pastebin.com/04NjQHeJ
> >> 
> >> Sample PDF taken from a random site:
> >> hxxp://www.isr.umich.edu/cps/M-ABLE/materials/EEWE/Business%20Plan%20Template.pdf
> >> Actual hash values of file:
> >> MD5: 0e26bfdecba382074c4b14d048ccd516
> >> SHA: 081508453775965f197d711584b3343e680af436
> >> SHA256: a5bed200ed4707c0499758f985176135209144e23bcbb8a0a2d21c9abcd3841d
> >> 
> >> Suricata IDS devices' interpretation of hashes:
> >> MD5: 0e26bfdecba382074c4b14d048ccd516 (matches)
> >> SHA: e70f41a89c5389e97e489fbcb5818d6f17cb15ce (mismatch)
> >> SHA256: acdebd0906bbe479fd70be0cbe2c08067562d5590afff6aa88140f029465a67d
> >> (mismatch)
> >> 
> >> Let me know if you need anything else or have other questions,
> >> 
> >> --
> >> Jeremy MJ
> >> 
> >> On Sat, Oct 8, 2016 at 2:11 AM,  <duarte.silva at serializing.me> wrote:
> >> > Is there a way to replicate this behaviour? Can you isolate a use case
> >> > where this always happens?
> >> > 
> >> > From: Jeremy MJ
> >> > Sent: 7 October 2016 23:30
> >> > To: Duarte Silva
> >> > Cc: Open Information Security Foundation
> >> > Subject: Re: [Oisf-users] Sha hashes not consistent in 3.2beta1, md5 OK
> >> > 
> >> > Good point. The logging side is reporting incorrect sha hashes
> >> > occasionally (sometimes it's correct).
> >> > 
> >> > Just did a test with sha1/256 rule and correct hash, no alert (md5
> >> > still correct, sha values are wrong). I'll try the incorrect hashes in
> >> > the rules and see what that does early next week.
> >> > 
> >> > --
> >> > Jeremy MJ
> >> > 
> >> > On Fri, Oct 7, 2016 at 2:27 PM, Duarte Silva
> >> > <duarte.silva at serializing.me> wrote:
> >> >> Hey Jeremy,
> >> >> 
> >> >> are you seeing the problems on the logging or on the rules matching?
> >> >> 
> >> >> Cheers,
> >> >> Duarte
> >> >> 
> >> >> On Friday 07 October 2016 12:30:26 Jeremy MJ wrote:
> >> >>> Greetings,
> >> >>> 
> >> >>> I am testing sha1/256 hashing in Suricata 3.2beta1. I noticed that the
> >> >>> MD5 always matches the file stream, however on occasion the hash for
> >> >>> sha1/256 does not match the actual file stream (but the md5 does).
> >> >>> 
> >> >>> Typically this is on larger files. Is there a configuration setting I
> >> >>> should look at? Is anyone else observing this?
> >> >>> 
> >> >>> Regards,
> >> >>> 
> >> >>> --
> >> >>> Jeremy MJ
> >> >>> 
> >> >>> _______________________________________________
> >> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> >>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> >>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >>> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
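The check Duarte runs by hand above (md5sum / sha1sum / sha256sum against files/file.N, compared with the eve.json fileinfo record) can be scripted so that every stored file is verified rather than one. The following is an added example, not code from the thread or from Suricata; it assumes EVE JSON lines with an `event_type` of `fileinfo` whose `file_id` maps to `files/file.<id>` in the file store, and the sample file and the deliberately wrong sha256 in `demo()` are constructed, not the real PDF.

```python
import hashlib
import json
import os
import tempfile

# Hash fields an EVE fileinfo record may carry; sha1/sha256 are the new ones in 3.2beta1.
ALGOS = ("md5", "sha1", "sha256")

def hash_file(path, algo, chunk=1 << 20):
    """Stream the stored file through hashlib (large files are the case at issue)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_fileinfo(eve_path, files_dir):
    """Return [(file_id, algo, logged, actual), ...] for every logged hash that
    disagrees with the stored file; an empty list means all hashes are consistent."""
    mismatches = []
    with open(eve_path) as f:
        for line in f:
            ev = json.loads(line)
            info = ev.get("fileinfo", {})
            if ev.get("event_type") != "fileinfo" or not info.get("stored"):
                continue
            path = os.path.join(files_dir, "file.%d" % info["file_id"])
            if not os.path.exists(path):
                continue  # file store rotated or file never written
            for algo in (a for a in ALGOS if a in info):
                actual = hash_file(path, algo)
                if actual != info[algo]:
                    mismatches.append((info["file_id"], algo, info[algo], actual))
    return mismatches

def demo():
    """Constructed fixture: a ~1 MiB stored file and one EVE line whose sha256
    is deliberately wrong, mimicking the mismatch reported in the thread."""
    data = b"%PDF-1.4 constructed sample, not the real PDF\n" * 25000
    tmp = tempfile.mkdtemp()
    os.mkdir(os.path.join(tmp, "files"))
    with open(os.path.join(tmp, "files", "file.5"), "wb") as f:
        f.write(data)
    info = {a: hashlib.new(a, data).hexdigest() for a in ALGOS}
    info.update(file_id=5, stored=True, size=len(data), state="CLOSED")
    info["sha256"] = "0" * 64  # constructed wrong value
    with open(os.path.join(tmp, "eve.json"), "w") as f:
        f.write(json.dumps({"event_type": "fileinfo", "fileinfo": info}) + "\n")
    return check_fileinfo(os.path.join(tmp, "eve.json"), os.path.join(tmp, "files"))
```

Run `check_fileinfo("eve.json", "files")` against a real capture to list only the events whose logged sha1/sha256 differ from the file on disk; `demo()` returns exactly one such tuple for the constructed sha256.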