[Oisf-users] identifying faulty blacklist sha256 sum

Victor Julien lists at inliniac.net
Wed May 24 15:07:13 UTC 2017


On 24-05-17 17:01, erik clark wrote:
> So, I have a rule that looks at sha256 sums to see if any match a
> blacklist item. However, the alert doesn't tell me what sum fired the
> alert. How can I do this? I have several sums that I believe are giving
> abnormally high false positives, as the sum(s) are all associated with
> yahoo ip space... I need to identify those somehow so I can weed out the
> faulty sums.

I think right now the only option is to enable file logging with sha256
logging enabled as well. Then you should be able to correlate based on
flow id and/or 5-tuple.

It would be good if we added the fileinfo record to the alert records
like we can do with many other record types.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
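The correlation Victor describes, as an added example that is not part of the original thread or of Suricata itself: it joins eve.json `alert` records to `fileinfo` records by `flow_id`, falling back to a direction-agnostic 5-tuple, and counts which sha256 values sit behind a given signature so the frequent ones can be reviewed as false-positive candidates. The sample eve lines, signature id 9000001 and the sha256 values are constructed placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not real Suricata output): a fileinfo record for
# flow 1111, a blacklist alert on that same flow, and a blacklist alert on a flow that
# has no fileinfo record at all. Hashes and the signature id are placeholders.
SAMPLE_EVE = "\n".join([
    '{"event_type":"fileinfo","flow_id":1111,"proto":"TCP","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"198.51.100.7","dest_port":80,"fileinfo":{"filename":"/a.bin","sha256":"aa11"}}',
    '{"event_type":"alert","flow_id":1111,"proto":"TCP","src_ip":"198.51.100.7","src_port":80,'
    '"dest_ip":"10.0.0.5","dest_port":51234,"alert":{"signature_id":9000001,"signature":"BLACKLIST sha256"}}',
    '{"event_type":"alert","flow_id":2222,"proto":"TCP","src_ip":"10.0.0.6","src_port":40000,'
    '"dest_ip":"198.51.100.9","dest_port":443,"alert":{"signature_id":9000001,"signature":"BLACKLIST sha256"}}',
])
UNMATCHED = "<no fileinfo record>"  # bucket for alerts with no file record on the flow

def parse_eve(text):
    """Parse newline-delimited eve.json into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def five_tuple(rec):
    """Direction-agnostic 5-tuple: the alert and the fileinfo record may log the
    two endpoints in opposite directions, so the endpoint pair is an unordered set."""
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dest_ip"], rec["dest_port"])
    return (rec["proto"], frozenset([a, b]))

def correlate(records, sid):
    """Return [(alert, [sha256, ...])] for every alert with signature_id == sid.
    Lookup is by flow_id first, then by 5-tuple when flow_id yields nothing."""
    by_flow, by_tuple = defaultdict(list), defaultdict(list)
    for r in records:
        if r.get("event_type") == "fileinfo":
            by_flow[r["flow_id"]].append(r)
            by_tuple[five_tuple(r)].append(r)
    out = []
    for r in records:
        if r.get("event_type") != "alert" or r["alert"]["signature_id"] != sid:
            continue
        matches = by_flow.get(r["flow_id"]) or by_tuple.get(five_tuple(r)) or []
        out.append((r, [f["fileinfo"]["sha256"] for f in matches]))
    return out

def sha256_hit_counts(records, sid):
    """Count alerts per sha256 for sid; the hashes that dominate the count are the
    first candidates to review when the rule is suspected of false positives."""
    counts = Counter()
    for _, hashes in correlate(records, sid):
        counts.update(hashes or [UNMATCHED])
    return counts

if __name__ == "__main__":
    for sha, n in sha256_hit_counts(parse_eve(SAMPLE_EVE), 9000001).most_common():
        print(f"{n:6d}  {sha}")
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; both `fileinfo` logging and `sha256` checksums must be enabled in suricata.yaml for the file records to carry a hash.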
