[Bro] Hashing incomplete files
johanna at icir.org
Tue Apr 25 07:49:33 PDT 2017
On Tue, Apr 25, 2017 at 02:34:41PM +0000, McMahon, Kevin J wrote:
> I’m guessing that Bro doesn’t pass a string of nulls to the hash
> function when there’s an undelivered chunk. But that’s what ends up in
> the file (I don’t know if that’s a side effect or intentional – but it
> is useful as all the other bits end up in the right place and you can
> find the holes after the fact). So I wouldn’t expect that the hash
> would be the same.
Just to add a bit to this - I think this behavior is intentional and used,
e.g., when a file is downloaded from over multiple streams simultaneously.
More information about the Bro