[Snort-users] Can snort calculate on-the-fly-md5sum ?

Joel Esler jesler at ...1935...
Wed Oct 3 11:13:41 EDT 2012

On Oct 3, 2012, at 11:09 AM, Joel Esler <jesler at ...1935...> wrote:
> On Oct 3, 2012, at 10:39 AM, Balasubramaniam Natarajan <bala150985 at ...14540...27...> wrote:
>> Hi Snort Users,
>> I was looking at the website http://suricata-ids.org/ and I was wondering if snort has similar capabilities ?  If yes could you point me at a link which helps me to set up the same ?
>> 3. File Identification, MD5 Checksums, and File Extraction
>> Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should you decide you want to look at it further you can tag it for extraction and the file will be written to disk with a meta data file describing the capture situation and flow. The file’s MD5 checksum is calculated on the fly, so if you have a list of md5 hashes you want to keep in your network, or want to keep out, Suricata can find it.
>> PS: I am not here to ask which IDS/IPS is best,  However I am coming in from a learning perspective so please don't mistake me.
> …and we appreciate that.
> So, I'm going to try and answer this question as delicately as I can without dancing too much around it.
> The answer is, not at the present time.  These features (and more) are in the next couple of versions of Snort.  We have been wanting to do this for some time, but we wanted to take the feature a step further than identifying the file, checking it against a known list, and blocking the file.  It took a lot of code, APIs, and time to be able to do what we wanted to do, but we are looking forward to rolling out new versions of Snort with features that have been a long time coming soon. (Much groundwork must have been laid first.)  We are planning on releasing a beta of Snort 2.9.4, today as a matter of fact, and more information about where we are headed with these features (and more) will be released soon.  As we are a public company, we can't disclose everything we are working on, but we're excited about what the future holds.

In addition.  We've been using the rules we have in the file-identify.rules category to be able to identify file based upon extension, download method, and file magic.  We rolled out this category about two years ago and have been constantly adding to it and adjusting since.  

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121003/1d216079/attachment.html>

More information about the Snort-users mailing list