Snort mailing list archives
Re: Can snort calculate on-the-fly-md5sum ?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Oct 2012 11:13:41 -0400
On Oct 3, 2012, at 11:09 AM, Joel Esler <jesler () sourcefire com> wrote:
> On Oct 3, 2012, at 10:39 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:
>
> > Hi Snort Users,
> >
> > I was looking at the website http://suricata-ids.org/ and I was wondering if Snort has similar capabilities? If yes, could you point me at a link which helps me to set up the same?
> >
> > 3. File Identification, MD5 Checksums, and File Extraction
> >
> > Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should you decide you want to look at it further, you can tag it for extraction and the file will be written to disk with a metadata file describing the capture situation and flow. The file's MD5 checksum is calculated on the fly, so if you have a list of MD5 hashes you want to keep in your network, or want to keep out, Suricata can find it.
> >
> > PS: I am not here to ask which IDS/IPS is best. However, I am coming in from a learning perspective, so please don't mistake me.
>
> …and we appreciate that.
>
> So, I'm going to try and answer this question as delicately as I can without dancing too much around it. The answer is, not at the present time. These features (and more) are in the next couple of versions of Snort. We have been wanting to do this for some time, but we wanted to take the feature a step further than identifying the file, checking it against a known list, and blocking the file. It took a lot of code, APIs, and time to be able to do what we wanted to do, but we are looking forward to rolling out new versions of Snort with features that have been a long time coming soon. (Much groundwork must have been laid first.)
>
> We are planning on releasing a beta of Snort 2.9.4, today as a matter of fact, and more information about where we are headed with these features (and more) will be released soon. As we are a public company, we can't disclose everything we are working on, but we're excited about what the future holds.

In addition, we've been using the rules we have in the file-identify.rules category to be able to identify files based upon extension, download method, and file magic. We rolled out this category about two years ago and have been constantly adding to it and adjusting it since.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
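The thread above describes two things a sensor does with a file crossing the wire: identify its type (by extension, download method and file magic, as the file-identify.rules category does) and compute its MD5 on the fly so the digest can be checked against a keep-in or keep-out list. The following is an added illustration of that pipeline in Python; it is not Snort or Suricata code and not part of the list post. The HTTP responses, the magic signature table, the `FileTracker` class and the hash lists are all constructed for the example, and the tracker models "on the fly" by feeding the body in small chunks and retaining only the first few bytes for magic matching rather than buffering the whole file.

```python
import hashlib
import re

# Constructed sample file bodies (not real traffic): a tiny PDF-like body and a
# body that begins with the "MZ" marker of a Windows executable.
PDF_BODY = b"%PDF-1.4\n1 0 obj\nendobj"
PE_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00"


def http_response(content_type, body):
    """Build a minimal HTTP/1.1 response, as a sensor sees it after TCP reassembly."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode("ascii")
            + b"\r\n\r\n" + body)


# (request path, raw response). The second download is named .pdf but carries a PE header.
SAMPLE_TRANSFERS = [
    ("/docs/report.pdf", http_response(b"application/pdf", PDF_BODY)),
    ("/docs/invoice.pdf", http_response(b"application/pdf", PE_BODY)),
]

# A very small file-magic table; a real rule set keys on many more signatures.
MAGIC_SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def split_http_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return lines[0].decode("ascii", "replace"), headers, body


def identify_by_magic(prefix):
    """Return the file kind implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC_SIGNATURES:
        if prefix.startswith(signature):
            return kind
    return "unknown"


def extension_of(path):
    """Extension claimed by the request path (the download name), lower-cased."""
    match = re.search(r"\.([A-Za-z0-9]+)$", path)
    return match.group(1).lower() if match else ""


def reference_md5(data):
    """Offline digest of a whole buffer, used to build hash lists and to cross-check the tracker."""
    return hashlib.md5(data).hexdigest()


class FileTracker:
    """Hashes a file chunk by chunk; only the first PREFIX_LEN bytes are kept, for magic matching."""
    PREFIX_LEN = 8

    def __init__(self, path, content_type=""):
        self.path = path
        self.content_type = content_type
        self._md5 = hashlib.md5()
        self._prefix = b""
        self.size = 0

    def feed(self, chunk):
        self._md5.update(chunk)
        if len(self._prefix) < self.PREFIX_LEN:
            self._prefix += chunk[: self.PREFIX_LEN - len(self._prefix)]
        self.size += len(chunk)

    def finish(self, block_list=frozenset(), allow_list=frozenset()):
        digest = self._md5.hexdigest()
        magic = identify_by_magic(self._prefix)
        ext = extension_of(self.path)
        if digest in block_list:
            verdict = "block"
        elif digest in allow_list:
            verdict = "allow"
        else:
            verdict = "log"
        return {
            "path": self.path, "md5": digest, "size": self.size,
            "extension": ext, "magic": magic, "content_type": self.content_type,
            # A recognised magic that disagrees with the claimed extension is worth an alert on its own.
            "mismatch": magic != "unknown" and magic != ext,
            "verdict": verdict,
        }


def inspect_transfer(path, raw_response, block_list=frozenset(), allow_list=frozenset(), chunk_size=5):
    """Parse one HTTP download and run its body through a FileTracker in small chunks."""
    _status, headers, body = split_http_response(raw_response)
    body = body[: int(headers.get("content-length", len(body)))]
    tracker = FileTracker(path, headers.get("content-type", ""))
    for offset in range(0, len(body), chunk_size):
        tracker.feed(body[offset:offset + chunk_size])
    return tracker.finish(block_list, allow_list)


# Constructed keep-out list: the digest of the PE sample.
BLOCK_LIST = frozenset({reference_md5(PE_BODY)})

if __name__ == "__main__":
    for sample_path, raw in SAMPLE_TRANSFERS:
        print(inspect_transfer(sample_path, raw, block_list=BLOCK_LIST))
```

The first sample hashes cleanly and is merely logged; the second is blocked by its digest and additionally flagged because its magic ("exe") contradicts the ".pdf" name, which is the kind of extension/magic disagreement a file-identification rule set is built to catch. One practical caveat when building such lists: MD5 is collision-prone, so a list keyed only on MD5 is best stored alongside a stronger digest such as SHA-256, which the same streaming tracker can compute in parallel.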