Hash alerts not detected

suricata.yaml (75.0 KB)
Suricata version 6.0.10 RELEASE
In Suricata I have configured things the following way. I share my yaml, my hash alert format, and the file containing the hash. I also share the way I get the file on my network.

I configured IIS on another PC, where I host the .exe whose MD5 and SHA256 hashes I obtained in PowerShell with the Get-FileHash command.

I use:
wget http://pc-ip-on-network/mysql-connector-net-8.4.0.msi


one per line


one per line

I use this rule for SHA256
alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:/var/lib/suricata/rules/rules/sha256_iocs.list; filestore; classtype:classtype-test; priority:1; sid:6; rev:1;)

and I use this rule for MD5
alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:/var/lib/suricata/rules/rules/md5_iocs.list; filestore; classtype:classtype-test; priority:1; sid:7; rev:1;)

I use that particular path, it is not an error.

I am on a mirror port where I see all the network traffic, and I used HTTP to pass the file, according to the rule. Can someone help me with the solution to my problem? Thank you so much.
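
A sanity check for the setup described in the post above, added here as an example that is not part of the original post or of Suricata itself: it hashes the downloaded file on the sensor and confirms that the digest appears, one per line, in the list file the rule points to. The function names and the constructed sample data are assumptions made for illustration.

```python
import hashlib
import os
import string
import tempfile

HEX_LEN = {"md5": 32, "sha256": 64}  # hex digits in each digest

def file_digest(path, algo):
    """Hash the file in chunks and return lowercase hex."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_list(list_path, algo):
    """Return (set of well-formed digests, [(line_no, finding), ...])."""
    good, findings = set(), []
    with open(list_path, "rb") as f:
        raw = f.read()
    for n, line in enumerate(raw.split(b"\n"), 1):
        if line.endswith(b"\r"):
            findings.append((n, "CRLF line ending"))
        text = line.strip().decode("ascii", "replace")
        if not text:
            continue
        if len(text) == HEX_LEN[algo] and all(c in string.hexdigits for c in text):
            good.add(text.lower())  # Get-FileHash prints uppercase hex
        else:
            findings.append((n, "not a %d-digit hex %s value" % (HEX_LEN[algo], algo)))
    return good, findings

def verify(sample_path, list_path, algo):
    # True when the file's digest is one of the well-formed list entries.
    good, findings = check_list(list_path, algo)
    return file_digest(sample_path, algo) in good, findings

def demo():
    """Constructed sample: a small file and a list saved Windows-style."""
    d = tempfile.mkdtemp()
    sample, lst = os.path.join(d, "sample.bin"), os.path.join(d, "sha256.list")
    with open(sample, "wb") as f:
        f.write(b"constructed sample payload\n")
    upper = hashlib.sha256(b"constructed sample payload\n").hexdigest().upper()
    with open(lst, "wb") as f:  # line 2 carries an extra label, so it is flagged
        f.write(upper.encode() + b"\r\n" + b"SHA256 " + upper.encode() + b"\n")
    return verify(sample, lst, "sha256")

if __name__ == "__main__":
    print(demo())
```

Run `verify()` against the file fetched with wget and each list file; a `False` result or any findings mean the list entry and the bytes on the wire do not line up as one plain hex digest per line.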

Would you have a pcap to reproduce?
Did you try with Suricata 7?