Project

General

Profile

Actions

Bug #2004

closed

Invalid file hash computation when force-hash is used

Added by Eric Leblond about 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The hash computed is not correct in Suricata 3.2 when the 'force-hash' keyword is used. This results in false negative (and possibly false positive) when file[hash] keyword is used in a signature.

Actions #1

Updated by Eric Leblond about 7 years ago

In fact, the hash is not correct for sha256 if we are using force-hash: [md5, sha256] or force-hash: [md5, sha256]. In both cases, md5 hash is correct.

If using force-hash: [sha256] then the sha256 is correct.

Actions #2

Updated by Eric Leblond about 7 years ago

  • % Done changed from 50 to 90
Actions #3

Updated by Eric Leblond about 7 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF