[Oisf-users] [Ask] suricata filemd5 matching

Peter Manev petermanev at gmail.com
Sun Jul 21 15:58:43 UTC 2019


On Fri, Jul 5, 2019 at 10:30 PM Andreas Herz <aherz at oisf.net> wrote:
>
> Hi Fathoni,
>
> On 02/07/19 at 10:38, FATHONI ZEPTIAN EKA PURNOMO wrote:
> > I am Fathoni, a student. I have some difficulties with Suricata md5 file
> > matching. I have been running suricata in IPS NFQ inline mode with some iptables
> > configuration. But, the problem is suricata can't drop the file. I tried to
> > send a file with a netcat scenario and before I sent the file, I already
> > md5sum or calculate the md5 of the file and then write it out in the blacklist. I write
> > a rule like this "drop tcp any any -> any any (msg:"TCP: FILE MD5
> > Found";filemd5:blacklist.txt; sid:10000003; rev:1;)". Could you help me?
>
> Could you provide us with more details about your setup?
> What version are you running?
> What are your iptables rules?
> Kernel/Distribution?
> Config settings?
> How do you start suricata?

Would also be interesting to look at a pcap case scenario. For the md5
sum to be calculated it needs to see the whole file - but in IPS ...
when we see the whole file it is probably already too late to "drop"
it.


-- 
Regards,
Peter Manev
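As an added illustration of the timing point raised above (this is example code, not code from the thread or from Suricata): the sketch feeds a file to an incremental MD5 in TCP-payload-sized chunks, the way an inline sensor sees it, and counts how many payload bytes have already been forwarded before the digest, and therefore any filemd5 verdict, can exist. The sample file, chunk size and blacklist contents are constructed.

```python
import hashlib

# Constructed sample: the file a client would push through netcat (3000 bytes).
SAMPLE_FILE = b"".join(bytes([i % 251]) * 300 for i in range(10))
# Constructed: a blacklist.txt in filemd5's format, one hex MD5 per line.
BLACKLIST_TXT = hashlib.md5(SAMPLE_FILE).hexdigest() + "\n"
CHUNK_SIZE = 1460  # assumed typical TCP MSS, one segment per chunk


def load_blacklist(text):
    """Parse a filemd5 list: one hex MD5 per line, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def stream_match(data, blacklist, chunk_size=CHUNK_SIZE):
    """Hash the file segment by segment as an inline sensor would.

    Returns (matched, bytes_forwarded_before_verdict, segment_count).
    Every segment except the last is already on its way to the receiver
    before the digest is final, so the drop verdict can only hit the tail.
    """
    h = hashlib.md5()
    forwarded = 0
    segments = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    for idx, seg in enumerate(segments):
        h.update(seg)
        if idx < len(segments) - 1:
            # Digest not final yet: nothing to match on, segment passes.
            forwarded += len(seg)
    matched = h.hexdigest() in blacklist
    return matched, forwarded, len(segments)


if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_TXT)
    matched, fwd, n = stream_match(SAMPLE_FILE, bl)
    print(f"segments={n} matched={matched} bytes already forwarded={fwd}")
```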

