[Bro] no sha1\md5 for some logs in files.log

Seth Hall seth at corelight.com
Thu Jun 8 06:31:38 PDT 2017


Hi Izik,

Your file had a content gap (458752 bytes missing).  Since the file was
transferred over SMB, it's very possible that only part of the file was
actually transferred due to offset reads or writes.  It's one of the
downsides of monitoring file system protocols since it's very common for
software to only read or write a portion of a file after seeking.  The
reason that no hashes are provided in that case is that the hash wouldn't
mean anything since it would just be a hash of some fairly arbitrary
portion of the file.

  .Seth


On Thu, Jun 8, 2017 at 4:51 AM, Izik Birka <Izik.Birka at hot.net.il> wrote:

> Hi
>
> Why are there some logs in files.log that do not contain the sha1 or md5
> value?
>
>
>
> For example :
>
>
>
> Jun  8 11:32:39 127.0.0.1 bro_files: 1496910758.272740|FIMpTB242jcRsKCCYj|x.x.x.x|x.x.x.x|CAuOUv3lwBwigjH7mk|SMB|0|MD5,SHA1|-|test\test111\bro\go.pdf|0.021820|F|F|581600|1040352|458752|65536|F|-|-|-|-|-
>
>
>
>
>
>
>
>
> Izik Birka
> Information Security Coordinator, Information Systems
> Information Systems Division
> 077-7077790 | 053-6064571
>
> Please consider the environment before printing this email
>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
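To make the explanation above concrete, here is an added Python example (not code from the thread, from Seth, or from the Bro project) that splits the quoted files.log record into named fields and reports whether the hash columns are filled and, if not, whether a content gap explains it. It assumes the 23-column files.log layout of the Bro release in use at the time (ts, fuid, tx_hosts, ..., seen_bytes, total_bytes, missing_bytes, overflow_bytes, timedout, parent_fuid, md5, sha1, sha256, extracted); that column order, the syslog prefix handling and the second, fully-seen record with placeholder digests are assumptions constructed for the example.

```python
"""Parse a Bro/Zeek files.log record (pipe-delimited, as quoted in the thread)
and report why md5/sha1 are '-' for a file that had a content gap."""

# Column order assumed to match the 23 fields of the quoted record
# (the Bro 2.5-era default files.log layout; an assumption, not from the page).
FILES_LOG_FIELDS = [
    "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth",
    "analyzers", "mime_type", "filename", "duration", "local_orig", "is_orig",
    "seen_bytes", "total_bytes", "missing_bytes", "overflow_bytes", "timedout",
    "parent_fuid", "md5", "sha1", "sha256", "extracted",
]
INT_FIELDS = ("depth", "seen_bytes", "total_bytes", "missing_bytes", "overflow_bytes")
SYSLOG_TAG = "bro_files: "  # prefix the syslog forwarder put in front of the quoted line
HASH_ANALYZERS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# The record from the thread (syslog-prefixed; hosts already masked by the poster).
QUOTED_LINE = (
    r"Jun  8 11:32:39 127.0.0.1 bro_files: 1496910758.272740|"
    r"FIMpTB242jcRsKCCYj|x.x.x.x|x.x.x.x|CAuOUv3lwBwigjH7mk|SMB|"
    r"0|MD5,SHA1|-|test\test111\bro\go.pdf|0.021820|F|F|581600|"
    r"1040352|458752|65536|F|-|-|-|-|-"
)

# Constructed counter-example: the same file seen in full, so the hash columns
# are populated. The digests are all-zero placeholders, not real hashes.
COMPLETE_LINE = (
    r"1496910758.272740|FIMpTB242jcRsKCCYj|x.x.x.x|x.x.x.x|CAuOUv3lwBwigjH7mk|SMB|"
    r"0|MD5,SHA1|application/pdf|test\test111\bro\go.pdf|0.5|F|F|1040352|"
    r"1040352|0|0|F|-|" + "0" * 32 + "|" + "0" * 40 + "|-|-"
)


def _to_int(value):
    """Numeric columns are '-' when Bro could not determine them (e.g. unknown total size)."""
    return None if value == "-" else int(value)


def parse_files_log_line(line):
    """Strip an optional syslog prefix and map the pipe-separated values to field names."""
    idx = line.find(SYSLOG_TAG)
    record = line[idx + len(SYSLOG_TAG):] if idx >= 0 else line
    values = record.strip().split("|")
    if len(values) != len(FILES_LOG_FIELDS):
        raise ValueError(f"expected {len(FILES_LOG_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FILES_LOG_FIELDS, values))
    for key in INT_FIELDS:
        rec[key] = _to_int(rec[key])
    return rec


def gap_is_consistent(rec):
    """Sanity check for the quoted record: seen_bytes + missing_bytes == total_bytes."""
    if rec["total_bytes"] is None:
        return True
    return rec["seen_bytes"] + rec["missing_bytes"] == rec["total_bytes"]


def hash_status(rec):
    """Return (hashes_present, explanation) for one files.log record.

    A digest only means something if Bro saw the whole byte stream; with a
    content gap it would cover an arbitrary subset of the file, so Bro leaves
    md5/sha1/sha256 as '-' even though the analyzers were attached.
    """
    attached = set(rec["analyzers"].split(",")) if rec["analyzers"] != "-" else set()
    wanted = [col for name, col in HASH_ANALYZERS.items() if name in attached]
    if not wanted:
        return False, "no hash analyzer was attached to this file"
    filled = [col for col in wanted if rec[col] != "-"]
    if rec["missing_bytes"]:
        total = rec["total_bytes"]
        detail = f"{rec['missing_bytes']} bytes missing, {rec['seen_bytes']} seen"
        if total is not None:
            detail += f" of {total}"
        return False, f"content gap ({detail}); hashes intentionally withheld"
    if len(filled) == len(wanted):
        return True, "complete file: " + ", ".join(f"{c}={rec[c]}" for c in filled)
    return False, "no gap recorded but missing: " + ", ".join(c for c in wanted if c not in filled)


if __name__ == "__main__":
    for line in (QUOTED_LINE, COMPLETE_LINE):
        rec = parse_files_log_line(line)
        present, why = hash_status(rec)
        print(f"{rec['fuid']} {rec['filename']}: hashes={'yes' if present else 'no'} ({why})")
```

On the quoted record the parser yields seen_bytes=581600, missing_bytes=458752 and total_bytes=1040352, which add up exactly, so the gap Seth points to is visible directly from the record without any hash; the constructed complete record shows what the same file looks like when no bytes are missing.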