[Oisf-users] filesha256/filemd5

Peter Manev petermanev at gmail.com
Thu Feb 9 16:01:42 UTC 2017

On Thu, Feb 9, 2017 at 4:50 PM, erik clark <philosnef at gmail.com> wrote:
> Is it possible to do a filesha256 instead of filemd5? I only see
> documentation on filemd5, but have sha256 sums. How can I alert on files
> with sha256 sums? Thanks!

The routine is the same:

alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:666; rev:1;)

and then the file fileextraction-chksum.list in your rules directory
will contain the sha256 sums.

Can you please open a doc issue on our redmine for that?

Thank you


Peter Manev
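
Added example (not part of the original message and not Suricata project code): a shell function that turns mixed input such as `sha256sum` output into a clean list for the `filesha256` rule above. It assumes the list file holds one hex SHA-256 at the start of each line; the function name `normalize_sha256_list` and the sample input are constructed for illustration.

```shell
# Added example: normalise hash input into a list file for filesha256.
# Assumption: one hex SHA-256 at the start of each line
# (sha256sum output already has that shape).
normalize_sha256_list() {
    # stdin : raw lines (bare hashes, sha256sum output, comments, blanks)
    # stdout: unique lowercase 64-hex-digit hashes, one per line
    # stderr: rejected lines; returns 1 if any line was rejected
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            h = tolower($1)                # first field is the checksum
            if (length(h) == 64 && h ~ /^[0-9a-f]+$/) {
                if (!(h in seen)) { seen[h] = 1; print h }
            } else {
                # e.g. an MD5 (32 digits) pasted into a SHA-256 list
                printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input: a comment, upper-case sha256sum-style
# output, and a duplicate of the same hash (SHA-256 of empty input).
sample='# constructed sample
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855  empty.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

printf '%s\n' "$sample" | normalize_sha256_list
```

Redirect the function's output to fileextraction-chksum.list in the rules directory, and treat a non-zero return as a reason not to deploy the list until the rejected lines are fixed.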
