[Oisf-users] identifying faulty blacklist sha256 sum
Victor Julien
lists at inliniac.net
Wed May 24 15:17:10 UTC 2017
On 24-05-17 17:07, Victor Julien wrote:
> On 24-05-17 17:01, erik clark wrote:
>> So, I have a rule that looks at sha256 sums to see if any match a
>> blacklist item. However, the alert doesn't tell me what sum fired the
>> alert. How can I do this? I have several sums that I believe are giving
>> abnormally high false positives, as the sum(s) are all associated with
>> yahoo ip space... I need to identify those somehow so I can weed out the
>> faulty sums.
>
> I think right now the only option is to enable file logging with sha256
> logging enabled as well. Then you should be able to correlate based on
> flow id and/or 5tuple.
>
> It would be good if we added the fileinfo record to the alert records
> like we can do with many other record types.
Ah, we're already tracking this feature request in
https://redmine.openinfosecfoundation.org/issues/2015
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
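The workaround described in the thread (enable file logging with sha256 hashing and correlate the fileinfo records with the alert records by flow id or 5-tuple) can be scripted against eve.json. The script below is an added example written for this thread, not code from Suricata or from the list members. It assumes the standard EVE field names (`event_type`, `flow_id`, `src_ip`/`dest_ip`/`src_port`/`dest_port`/`proto`, `alert.signature_id`, `fileinfo.sha256`), that the blacklist rule has a known signature id (a placeholder value is used), and it builds its own sample eve.json lines with placeholder hashes rather than reading a real log.

```python
import json
from collections import Counter, defaultdict

# Assumed signature_id of the sha256 blacklist rule (placeholder, not a real sid).
BLACKLIST_SID = 1000001
# Constructed placeholder hashes, not real indicators.
HASH_A = "a" * 64
HASH_B = "b" * 64


def _ev(flow_id, event_type, payload, src="203.0.113.10", sport=80,
        dst="10.0.0.5", dport=51000):
    """Build one constructed EVE JSON line with the usual top-level fields."""
    return json.dumps({
        "timestamp": "2017-05-24T15:00:00.000000+0000", "flow_id": flow_id,
        "event_type": event_type, "src_ip": src, "src_port": sport,
        "dest_ip": dst, "dest_port": dport, "proto": "TCP", event_type: payload,
    })


ALERT = {"action": "allowed", "signature_id": BLACKLIST_SID, "rev": 1,
         "signature": "LOCAL blacklisted sha256 observed"}

# Constructed sample log: flows 1001 and 1004 carry HASH_A, flow 1002 carries
# HASH_B, flow 1003 alerted on a sensor without file logging (no fileinfo),
# and flow 1005 saw HASH_A without the rule firing. The fileinfo on 1004 is
# logged with the endpoints swapped, as happens for the other flow direction.
SAMPLE_EVE_LINES = [
    _ev(1001, "fileinfo", {"filename": "/a.js", "sha256": HASH_A, "state": "CLOSED"}),
    _ev(1001, "alert", ALERT),
    _ev(1002, "fileinfo", {"filename": "/b.js", "sha256": HASH_B, "state": "CLOSED"}),
    _ev(1002, "alert", ALERT),
    _ev(1003, "alert", ALERT),
    _ev(1004, "fileinfo", {"filename": "/a.js", "sha256": HASH_A, "state": "CLOSED"},
        src="10.0.0.5", sport=51000, dst="203.0.113.10", dport=80),
    _ev(1004, "alert", ALERT),
    _ev(1005, "fileinfo", {"filename": "/a.js", "sha256": HASH_A, "state": "CLOSED"}),
]


def flow_key(ev):
    """Correlation key: flow_id when present, otherwise a direction-independent
    5-tuple so that records logged from either side of the flow still match."""
    if ev.get("flow_id") is not None:
        return ("flow", ev["flow_id"])
    endpoints = frozenset([(ev.get("src_ip"), ev.get("src_port")),
                           (ev.get("dest_ip"), ev.get("dest_port"))])
    return ("tuple", ev.get("proto"), endpoints)


def correlate(lines, sid=BLACKLIST_SID):
    """Return one record per alert of `sid`, with the sha256 values of files
    seen on the same flow. An empty list means file logging did not produce a
    fileinfo record for that flow (hashing disabled, or file not closed)."""
    events = [json.loads(line) for line in lines if line.strip()]
    hashes_by_flow = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "fileinfo":
            digest = ev["fileinfo"].get("sha256")  # absent if sha256 logging is off
            if digest:
                hashes_by_flow[flow_key(ev)].append(digest)
    results = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        results.append({"timestamp": ev.get("timestamp"),
                        "flow_id": ev.get("flow_id"),
                        "sha256": list(hashes_by_flow.get(flow_key(ev), []))})
    return results


def hit_counts(results):
    """Count alerts per sha256, which is what you need to spot the noisy sums."""
    counts = Counter()
    for rec in results:
        for digest in rec["sha256"]:
            counts[digest] += 1
    return counts


if __name__ == "__main__":
    matched = correlate(SAMPLE_EVE_LINES)
    for rec in matched:
        print(rec["flow_id"], rec["sha256"] or "<no fileinfo on this flow>")
    for digest, n in hit_counts(matched).most_common():
        print(n, digest)
```

Feed it real data with `correlate(open("eve.json"))`. Because a flow can carry several files, the `sha256` list is the set of candidates for that alert rather than a single proven match; rank them with `hit_counts` and then check the top ones against the rule's blacklist file. The records only exist when the eve-log `files` output is enabled with sha256 hashing forced on, which is the setting the thread says to turn on.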