dlp: md5sum based on part of files
"I love the idea of generating md5 checksums of files passing by. Great idea -- there's just one problem... it's too late!
If you want to shut the barn door (add a firewall blocking rule) before your secret file gets emailed to Country X, you should probably not wait for the entire file to be transmitted (i.e. md5 calculated at the end) before acting.
Is there a way to generate and act on the md5 checksum of the first 1024 bytes (arbitrary) of a file? Or send the first block of the stream through the UNIX 'file' command in order to prevent all files of type 'X' from going in or out?"
This would require a configurable limit in Suricata for the calculation, and also a tool that creates the md5 of files using that same limit.
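As an added illustration (not code from Suricata or from the quoted poster), this shows both halves of that requirement: an offline helper that hashes only the first N bytes of a file so the resulting digests can be listed, and a streaming checker that reaches its verdict as soon as N bytes have passed instead of at end of file. The limit of 1024 and the rule that a file shorter than the limit is hashed whole are assumptions; the sensor and the tool must agree on both.

```python
import hashlib
from typing import Iterable, Optional, Union

LIMIT = 1024  # assumed prefix length; must equal the limit configured on the sensor


def prefix_md5(data: Union[bytes, str], limit: int = LIMIT) -> str:
    """MD5 of the first `limit` bytes of `data` (bytes) or of the file at path `data`.
    A file shorter than `limit` is hashed whole (assumed rule; both sides must agree)."""
    if isinstance(data, str):
        with open(data, "rb") as fh:
            data = fh.read(limit)
    return hashlib.md5(data[:limit]).hexdigest()


class PrefixHasher:
    """Incrementally hashes a stream and stops consuming input once `limit` bytes are seen."""

    def __init__(self, limit: int = LIMIT) -> None:
        self.limit = limit
        self._md5 = hashlib.md5()
        self.seen = 0
        self.digest: Optional[str] = None

    def feed(self, chunk: bytes) -> Optional[str]:
        """Hash only the bytes still needed; returns the digest as soon as the limit is reached."""
        if self.digest is None:
            part = chunk[: self.limit - self.seen]
            self._md5.update(part)
            self.seen += len(part)
            if self.seen >= self.limit:
                self.digest = self._md5.hexdigest()
        return self.digest

    def finish(self) -> str:
        """End of stream: a short file yields the digest of everything seen (same rule as prefix_md5)."""
        if self.digest is None:
            self.digest = self._md5.hexdigest()
        return self.digest


def scan_stream(chunks: Iterable[bytes], blocklist: set, limit: int = LIMIT):
    """Return (verdict, bytes_consumed); the verdict is reached without waiting for the whole transfer."""
    hasher = PrefixHasher(limit)
    consumed = 0
    for chunk in chunks:
        consumed += len(chunk)
        if hasher.feed(chunk) is not None:
            break
    digest = hasher.finish()
    return ("block" if digest in blocklist else "allow"), consumed
```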