Snort mailing list archives

Re: Can snort calculate on-the-fly-md5sum ?


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Oct 2012 11:13:41 -0400

On Oct 3, 2012, at 11:09 AM, Joel Esler <jesler () sourcefire com> wrote:
On Oct 3, 2012, at 10:39 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

Hi Snort Users,

I was looking at the website http://suricata-ids.org/ and I was wondering if Snort has similar capabilities? If 
yes, could you point me at a link which helps me to set up the same?
3. File Identification, MD5 Checksums, and File Extraction

Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should 
you decide you want to look at it further you can tag it for extraction and the file will be written to disk with a 
meta data file describing the capture situation and flow. The file’s MD5 checksum is calculated on the fly, so if 
you have a list of md5 hashes you want to keep in your network, or want to keep out, Suricata can find it.

PS: I am not here to ask which IDS/IPS is best. However, I am coming in from a learning perspective, so please don't 
mistake me.

…and we appreciate that.

So, I'm going to try and answer this question as delicately as I can without dancing too much around it.

The answer is: not at the present time.  These features (and more) are in the next couple of versions of Snort.  We 
have been wanting to do this for some time, but we wanted to take the feature a step further than identifying the 
file, checking it against a known list, and blocking the file.  It took a lot of code, APIs, and time to be able to 
do what we wanted to do, but we are looking forward to rolling out new versions of Snort with features that have been 
a long time coming. (Much groundwork had to be laid first.)  We are planning on releasing a beta of Snort 
2.9.4 today, as a matter of fact, and more information about where we are headed with these features (and more) will 
be released soon.  As we are a public company, we can't disclose everything we are working on, but we're excited 
about what the future holds.

In addition, we've been using the rules we have in the file-identify.rules category to identify files based 
upon extension, download method, and file magic.  We rolled out this category about two years ago and have been 
constantly adding to it and adjusting it since.  

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
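The feature the quoted Suricata text describes (an MD5 computed while the file crosses the wire, the type decided from file magic rather than the extension, and the digest checked against a "keep in" or "keep out" list) as an added Python example. This is not code from the original message, from Snort or from Suricata; the magic table, the sample segments and the list handling are assumptions made for illustration. The point it shows that the prose does not: the hash is updated per TCP segment, so nothing buffers the whole file, and a magic signature that straddles a segment boundary is still matched once the next segment arrives.

```python
import hashlib

# Constructed magic-byte table for this example (not the VRT file-identify
# ruleset): the type is decided from the leading bytes, the way file-magic
# rules do, not from the filename extension the client requested.
MAGIC = {
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"MZ": "exe",
}
MAX_MAGIC = max(len(m) for m in MAGIC)


def identify(head):
    """Return the type label whose magic prefixes HEAD, else 'unknown'."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def md5_of(data):
    """Whole-buffer MD5, used only to cross-check the incremental result."""
    return hashlib.md5(data).hexdigest()


class FileTracker:
    """Per-flow state for one file in transit. Each segment is fed to the
    MD5 context as it arrives, so no copy of the file is held in memory and
    the digest is ready the moment the last segment has been seen."""

    def __init__(self):
        self._md5 = hashlib.md5()
        self._head = b""
        self.size = 0

    def feed(self, segment):
        # Retain only as many leading bytes as the longest magic needs; a
        # magic split across two segments is matched once the second arrives.
        if len(self._head) < MAX_MAGIC:
            self._head += segment[: MAX_MAGIC - len(self._head)]
        self._md5.update(segment)
        self.size += len(segment)

    def result(self):
        return {
            "type": identify(self._head),
            "md5": self._md5.hexdigest(),
            "size": self.size,
        }


def process_stream(segments, blocklist=frozenset(), allowlist=frozenset()):
    """Hash a file delivered as a sequence of segments and report whether
    its MD5 is on the 'keep out' list, the 'keep in' list, or neither."""
    tracker = FileTracker()
    for seg in segments:
        tracker.feed(seg)
    info = tracker.result()
    if info["md5"] in blocklist:
        info["verdict"] = "block"
    elif info["md5"] in allowlist:
        info["verdict"] = "allow"
    else:
        info["verdict"] = "unlisted"
    return info


if __name__ == "__main__":
    # Constructed sample: a minimal PE-like header split so that the "MZ"
    # magic straddles a segment boundary.
    segments = [b"M", b"Z\x90\x00\x03\x00", b"\x00" * 8]
    known_bad = {md5_of(b"".join(segments))}
    print(process_stream(segments, blocklist=known_bad))
```

A real sensor would key one FileTracker per flow (and per file within the flow, since HTTP keep-alive carries several) and would feed it from reassembled, in-order stream data; out-of-order segments fed raw would produce a different digest from the one the receiving host sees.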
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net