
Feature #448

open

dlp: md5sum based on part of files

Added by Victor Julien over 12 years ago. Updated almost 6 years ago.

Status:
New
Priority:
Low
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

Privately suggested:

"I love the idea of generating md5 checksums of files passing by. Great idea -- there's just one problem... it's too late!

If you want to shut the barn door (add a firewall blocking rule) before your secret file gets emailed to Country X, you should probably not wait for the entire file to be transmitted (i.e. md5 calculated at end) before acting.

Is there a way to generate and act on the md5 checksum of the first 1024 bytes (arbitrary) of a file? Or send the first block of the stream through the UNIX 'file' command in order to prevent all files of type 'X' from going in or out?"

This would require a configurable byte limit in Suricata for the checksum calculation, and also a tool that creates the md5 for files on disk using the same limit.
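A sketch of the two halves the ticket asks for, written as an added example here (not Suricata code): a streaming hasher that finalizes the md5 as soon as the configured prefix limit has been seen, and an offline helper that produces the same value for files on disk, so that the sensor and the tool agree, including for files shorter than the limit. The limit value and the function and class names are assumptions.

```python
import hashlib

# Constructed limit: the ticket calls the exact value arbitrary (1024 is the figure quoted there)
PREFIX_LIMIT = 1024


class PrefixMd5:
    """Sensor side: hash only the first `limit` bytes of a stream.

    update() is fed data as it arrives and returns the hex digest as soon
    as the limit has been reached, so a rule can act before the transfer
    completes; bytes past the limit are ignored.
    """

    def __init__(self, limit=PREFIX_LIMIT):
        self.limit = limit
        self.seen = 0
        self._md5 = hashlib.md5()
        self.digest = None

    def update(self, chunk):
        if self.digest is not None:       # already finalized, ignore the rest
            return self.digest
        take = min(len(chunk), self.limit - self.seen)
        self._md5.update(chunk[:take])
        self.seen += take
        if self.seen >= self.limit:
            self.digest = self._md5.hexdigest()
        return self.digest

    def finish(self):
        """Call at end of stream: finalizes files shorter than the limit."""
        if self.digest is None:
            self.digest = self._md5.hexdigest()
        return self.digest


def prefix_md5_bytes(data, limit=PREFIX_LIMIT):
    """Offline side: same value over in-memory data (whole file if shorter)."""
    return hashlib.md5(data[:limit]).hexdigest()


def prefix_md5_file(path, limit=PREFIX_LIMIT):
    """Offline side: md5 of the first `limit` bytes of a file on disk."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read(limit)).hexdigest()
```

A file shorter than the limit only gets its digest from finish(), which is the one case where the value depends on the transfer having completed.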
