Feature #448

open

dlp: md5sum based on part of files

Added by Victor Julien almost 12 years ago. Updated about 5 years ago.

Status: New
Priority: Low
Target version:
Effort: medium
Difficulty: medium
Label:

Description

Privately suggested:

"I love the idea of generating md5 checksums of files passing by. Great idea -- there's just one problem... it's too late!

If you want to shut the barn door (add a firewall blocking rule) before your secret file gets emailed to Country X, you should probably not wait for the entire file to be transmitted (i.e.: md5 calculated at end) before acting.

Is there a way to generate and act on the md5 checksum of the first 1024 bytes (arbitrary) of a file? Or send the first block of the stream through the UNIX 'file' command in order to prevent all files of type 'X' from going in or out?"

This would require a limit in Suricata used for calculation and then also a tool that creates the md5 for files based on the same limit.
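
One way to build the matching pair the description calls for, as an added example that is not part of the ticket or of Suricata's code: an offline tool and a sensor-side matcher that hash the same fixed-length prefix. The names `prefix_md5` and `PrefixMatcher`, the 1024-byte limit (the quote's arbitrary figure) and the sample data are assumptions made for illustration.

```python
import hashlib
import io

LIMIT = 1024  # prefix length from the ticket's example; tool and sensor must agree


def prefix_md5(stream, limit=LIMIT):
    """Offline side: MD5 over at most `limit` leading bytes of a binary stream."""
    h = hashlib.md5()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(65536, remaining))
        if not chunk:          # file shorter than the limit: hash what exists
            break
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


class PrefixMatcher:
    """Sensor side (hypothetical): feed reassembled chunks, get a verdict early."""

    def __init__(self, blocklist, limit=LIMIT):
        self.blocklist, self.limit = set(blocklist), limit
        self.seen, self.h = 0, hashlib.md5()
        self.verdict = None    # None = undecided, True = listed, False = not listed

    def _decide(self):
        self.verdict = self.h.hexdigest() in self.blocklist
        return self.verdict

    def feed(self, chunk):
        if self.verdict is None:
            take = chunk[: self.limit - self.seen]   # ignore bytes past the limit
            self.h.update(take)
            self.seen += len(take)
            if self.seen == self.limit:              # prefix complete: decide now
                return self._decide()
        return self.verdict

    def close(self):
        """End of file before the limit: only now can a short file be judged."""
        return self.verdict if self.verdict is not None else self._decide()


# Constructed sample data: a file of about 5 KB and a 300-byte file, both listed.
SECRET = b"CONFIDENTIAL\n" + bytes(range(256)) * 20
SHORT = b"tiny secret" * 27 + b"abc"
BLOCKLIST = {prefix_md5(io.BytesIO(SECRET)), prefix_md5(io.BytesIO(SHORT))}
```

A file shorter than the limit can only be judged at end of file, and any two files that share their first `LIMIT` bytes produce the same hash, so a prefix match is weaker evidence than a full-file match.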

Actions #1

Updated by Victor Julien over 5 years ago

  • Effort set to medium
  • Difficulty set to medium

Actions #2

Updated by Victor Julien about 5 years ago

  • Assignee set to Community Ticket