[Bro] SHA256 Hash File Analyzer

Seth Hall seth at icir.org
Thu Feb 11 07:40:50 PST 2016

> On Feb 10, 2016, at 4:55 PM, Shawn Homan <shawn.homan at gmail.com> wrote:
> I was wondering if anyone can tell me why the sha256 hash functionality isn't turned on by default for the files log.
> I am working on something and needed to turn it on. I normally only use Bro to process pcap files offline and have never used it on a live network. 
> Does it cause performance issues?

When I was setting the default behavior a few years ago, I did some very weak testing and noticed that if I had md5 and sha1 turned on, the performance impact was ~1%, but it jumped up somewhere between 3-4% when I enabled SHA256.  That measurement should be revisited sometime soon though and perhaps even better measurements done to see if that performance impact is still there.

Generally though, there is nothing in place which is stopping you from enabling SHA256 file hashes.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list