File Types and Md5 Hashes


L1 Bithead

I write SIEM content (mostly ArcSight and Q1). I have found PAN to be very effective in identifying adverse traffic. One thing that would be great: in addition to recognizing the file type, such as "file Microsoft PE File(52060)", which is useful as a poor man's DLP with which I can track what's coming and going, it's only so effective by just having the file name. It would be much more effective if the MD5 hash value of the file was written to the log file. Then I can correlate the log file MD5 hash with my known bad hash database. Can this be done? Is it there and I have missed it?

Thanks

3 REPLIES

L3 Networker

Unfortunately No.

The Palo Alto will not buffer through the entire file in order to get the hash of the file.

But if you are using Wildfire to forward certain file types to the wildfire portal, it will give you the SHA for the file but not MD5.

I hope this is helpful.

Wouldn't it still be possible to create an MD5 of a stream, since MD5 works with 512-bit blocks?

Cryptographic hash function - Wikipedia, the free encyclopedia

MD5 - Wikipedia, the free encyclopedia
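The streaming point raised in the reply above, and the original question about correlating a logged hash with a known-bad list, as an added example that is not from this thread and not code from Palo Alto Networks. It hashes a constructed sample incrementally as the bytes are copied through (so nothing ever holds the whole file), emits a log-style record carrying MD5 and SHA-256, and looks those digests up in a constructed bad list. The names HashingTap, forward_stream, KNOWN_BAD and the sample payload are assumptions made for the example; nothing here describes what PAN-OS itself does.

```python
import hashlib
import io

# Constructed sample payload standing in for a file seen on the wire: a PE-style
# 'MZ' prefix followed by repeating bytes, about 10 KiB. Not a real binary.
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 40

# Constructed "known bad" lookup table keyed by algorithm, as a SIEM list would be.
# The demo below fills it from the sample itself; nothing here is a real indicator.
KNOWN_BAD = {"md5": set(), "sha256": set()}


class HashingTap:
    """Wraps a readable byte stream; every chunk read through it is hashed on the way past.

    MD5 and SHA-256 both consume input in fixed 512-bit blocks, so hashlib can absorb
    chunks of any size and buffer the remainder internally. The tap therefore never
    needs the whole file, only the current chunk plus a few hundred bytes of hash state.
    """

    def __init__(self, stream, algorithms=("md5", "sha256")):
        self._stream = stream
        self._hashers = {name: hashlib.new(name) for name in algorithms}
        self.size = 0

    def read(self, n=-1):
        chunk = self._stream.read(n)
        if chunk:
            self.size += len(chunk)
            for h in self._hashers.values():
                h.update(chunk)
        return chunk

    def digests(self):
        # hexdigest() works on a copy of the state, so it can be read at any
        # point without disturbing further updates.
        return {name: h.hexdigest() for name, h in self._hashers.items()}


def forward_stream(src, dst, chunk_size=4096):
    """Copy src to dst chunk by chunk; return the log record a hashing gateway could emit."""
    tap = HashingTap(src)
    while True:
        chunk = tap.read(chunk_size)
        if not chunk:
            break
        dst.write(chunk)
    record = {"bytes": tap.size}
    record.update(tap.digests())
    return record


def streamed_record(data, chunk_size):
    """Hash `data` as if it were streamed through in chunks of `chunk_size` bytes."""
    return forward_stream(io.BytesIO(data), io.BytesIO(), chunk_size)


def whole_file_digests(data):
    """Reference digests computed over the complete buffer in one call."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def correlate(record, known_bad):
    """Return the (algorithm, digest) pairs from a log record that appear in the bad list."""
    return [(algo, record[algo]) for algo in ("md5", "sha256")
            if algo in record and record[algo] in known_bad.get(algo, ())]


if __name__ == "__main__":
    # A chunk size of 1000 is deliberately not a multiple of the 64-byte block size;
    # the streamed digest still equals the one-shot digest over the whole buffer.
    record = streamed_record(SAMPLE_FILE, chunk_size=1000)
    assert record["md5"] == whole_file_digests(SAMPLE_FILE)["md5"]
    print("log record:", record)
    KNOWN_BAD["sha256"].add(record["sha256"])  # constructed indicator for the demo
    print("matches:", correlate(record, KNOWN_BAD))
```

The incremental digest only equals the file's digest if the tap sees every byte, in order, from the first to the last; a capture that starts or stops partway through the stream, which is what the next reply describes for threat-triggered packet captures, yields a digest of the fragment, not of the file, and will never match a known-bad list built from whole files.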

Hi,

The problem will be capturing the whole file stream. With the Palo, you're only able to capture the stream if a threat is identified in it, and only the "infected" part of the stream.

The SHA256 hash is calculated when creating a forwarding profile for WildFire. Maybe it's possible to retrieve it through the API?

V.
