https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15373#M11288 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Problem will be to capture all the file's stream. With the palo, you're only be able to capture stream if threat is indentify in it and only on a the "infected" part of stream.</P><P></P><P>the SHA256 hash is calculate when creating a forwarding profile for wildfire. May be possible to retrieve it through the API ?</P><P></P><P>V.</P></BODY></HTML> Mon, 08 Jul 2013 07:32:55 GMT VinceM 2013-07-08T07:32:55Z https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15370#M11285 <HTML><HEAD></HEAD><BODY><P>I write SIEM content (Mostly Arcsight and Q1), I have found PAN to be very effective in identifying adverse traffic. One thing that would be great, that in addition to recognizing the file type such as "file Microsoft PE File(52060)" which is useful as a poor mans DLP, with which I can track whats coming and going, it's only so effective by just having the file name. It would be much more effective if the md5 hash value of the file was written to the log file. Then I can correlate the log file md5 hash with my known bad hash database....Can this be done, is it there and I have missed it?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 02 Jul 2013 16:10:24 GMT https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15370#M11285 scottlsattler 2013-07-02T16:10:24Z https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15371#M11286 <HTML><HEAD></HEAD><BODY><P>Unfortunately No.</P><P></P><P>The Palo Alto will not buffer through the entire file in order to get the hash of the file.</P><P></P><P>But if you are using Wildfire to forward certain file types to the wildfire portal, it will give you the SHA for the file but not MD5.</P><P></P><P>I hope this is helpful.</P></BODY></HTML> Tue, 02 Jul 2013 16:35:54 GMT https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15371#M11286 Chatri 2013-07-02T16:35:54Z https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15372#M11287 <HTML><HEAD></HEAD><BODY><P>Wouldnt it still be possible to create a md5 of a stream since md5 works with 512bit blocks?</P><P></P><P><A href="http://en.wikipedia.org/wiki/Cryptographic_hash_function" title="http://en.wikipedia.org/wiki/Cryptographic_hash_function">Cryptographic hash function - Wikipedia, the free encyclopedia</A></P><P></P><P><A href="http://en.wikipedia.org/wiki/Md5" title="http://en.wikipedia.org/wiki/Md5">MD5 - Wikipedia, the free encyclopedia</A></P></BODY></HTML> Thu, 04 Jul 2013 18:29:48 GMT https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15372#M11287 mikand 2013-07-04T18:29:48Z https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15373#M11288 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Problem will be to capture all the file's stream. With the palo, you're only be able to capture stream if threat is indentify in it and only on a the "infected" part of stream.</P><P></P><P>the SHA256 hash is calculate when creating a forwarding profile for wildfire. May be possible to retrieve it through the API ?</P><P></P><P>V.</P></BODY></HTML> Mon, 08 Jul 2013 07:32:55 GMT https://live.paloaltonetworks.com/t5/general-topics/file-types-and-md5-hashes/m-p/15373#M11288 VinceM 2013-07-08T07:32:55Z