[Oisf-users] identifying faulty blacklist sha256 sum

Victor Julien lists at inliniac.net
Wed May 24 15:17:10 UTC 2017

On 24-05-17 17:07, Victor Julien wrote:
> On 24-05-17 17:01, erik clark wrote:
>> So, I have a rule that looks at sha256 sums to see if any match a
>> blacklist item. However, the alert doesnt tell me what sum fired the
>> alert. How can I do this? I have several sums that I believe are giving
>> abnormally high false positives, as the sum(s) are all associated with
>> yahoo ip space... I need to identify those somehow so I can weed out the
>> faulty sums.
> I think right now the only option is to enable file logging with sha256
> logging enabled as well. Then you should be able to correlate based on
> flow id and/or 5tuple.
> It would be good if we added the fileinfo record to the alert records
> like we can do with many other record types.

Ah, we're already tracking this feature request in

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list