[Oisf-users] filesha256/filemd5

erik clark philosnef at gmail.com
Thu Feb 16 17:39:31 UTC 2017


Specifically, it says "SC_ERR_RULE_KEYWORD_UNKNOWN" unknown rule keyword
'filesha256'

Thanks!

On Thu, Feb 16, 2017 at 12:37 PM, erik clark <philosnef at gmail.com> wrote:

> Ok, so I am running 3.1.3, and I am getting an error,
> "SC_ERR_INVALID_SIGNATURE".
>
> My signature is just:
>
> alert http any any -> any any (msg:"blacklist";
> filesha256:sha256-chksum.list; filestore; sid: 667; rev:1;)
>
> Any ideas why I am getting this error?
>
>
> On Thu, Feb 9, 2017 at 11:58 AM, erik clark <philosnef at gmail.com> wrote:
>
>> Thank you! Looks good now.
>>
>> On Thu, Feb 9, 2017 at 11:01 AM, Peter Manev <petermanev at gmail.com>
>> wrote:
>>
>>> On Thu, Feb 9, 2017 at 4:50 PM, erik clark <philosnef at gmail.com> wrote:
>>> > Is it possible to do a filesha256 instead of filemd5? I only see
>>> > documentation on filemd5, but have sha256 sums. How can I alert on files
>>> > with sha256 sums? Thanks!
>>> >
>>>
>>>
>>> The routine is the same -
>>> alert http any any -> any any (msg:"Black list checksum match and
>>> extract SHA256"; filesha256:fileextraction-chksum.list; filestore;
>>> sid:666; rev:1;)
>>> and then the file - fileextraction-chksum.list in your rules directory
>>> will contain the sha256 sums
>>>
>>> Can you please open a doc issue on our redmine for that.
>>>
>>> Thank you
>>>
>>>
>>>
>>> >
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>>
>
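
Added example, not part of the original thread and not Suricata code: a pre-deployment check for a checksum list such as fileextraction-chksum.list, plus the lookup the rule relies on. It assumes sha256sum-style lines (hash first, optional file name after whitespace); the function names and sample data are constructed for illustration.

```python
import hashlib
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_sha256_list(text):
    """Return (hashes, problems) for the contents of a checksum list.

    Assumed format: one entry per line, hash first, optionally followed by
    whitespace and a file name. Blank lines are skipped.
    """
    hashes, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        token = line.split()[0]
        if SHA256_RE.match(token):
            digest = token.lower()  # compare case-insensitively
            if digest in hashes:
                problems.append((lineno, "duplicate entry"))
            hashes.add(digest)
        elif MD5_RE.match(token):
            # Typical when an existing filemd5 list is reused for filesha256.
            problems.append((lineno, "32 hex chars: looks like MD5, not SHA-256"))
        else:
            problems.append((lineno, "not a 64-character hex digest"))
    return hashes, problems


def is_blacklisted(data, hashes):
    """True if the SHA-256 of the file body is in the parsed list."""
    return hashlib.sha256(data).hexdigest() in hashes


# Constructed sample data, for illustration only.
SAMPLE_PAYLOAD = b"constructed sample file body\n"
_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_LIST = "\n".join([
    _DIGEST.upper() + "  sample.bin",    # valid, upper-case, with file name
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of empty input: wrong list type
    _DIGEST,                             # duplicate of line 1
    "",
    "not-a-hash",
])

if __name__ == "__main__":
    parsed, issues = parse_sha256_list(SAMPLE_LIST)
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
    print("payload listed:", is_blacklisted(SAMPLE_PAYLOAD, parsed))
```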