Hi! Long story short: Suricata isn't blocking an external file by its md5 hash as I want; it only works on localhost.
I have this rule: drop ip any any -> any any (msg:"MD5 Test"; filemd5:md5file/md5.txt; sid:600000; rev:1;)
In md5.txt is the hash of a test.exe file served by Apache on localhost.
When I access "localhost/test.exe", Suricata doesn't let me download the file. Great, exactly what I wanted. Now I tried to do the same with an external file, which seems not to work. I have the hash of that .exe, but when I go and download it from another website (exemple.com/test.exe), it lets me download it instead of blocking it.
So far I have figured out that it only works on local files? Can I make it work on external files? If yes, I need some guidance. Thank you!
It should work on both local and remote files.
Is suricata running with exactly the same configuration on both tests (local file & remote)?
Is Suricata listening to the same interface on both cases?
Is the remote file loaded over http or https?
Remote file loaded with both. Tried with http and https, downloads it anyway.
But let's say I want to block the download of a random pdf, like the Suricata guide. If I put in the hash of the Suricata guide pdf, isn't it supposed to stop it from downloading? I'm asking because I want to be sure that I understand how it works and I'm not trying for nothing.
I want to implement it to stop people in my network from downloading certain files from internet. Is it possible?
Yes, it is possible and Suricata should prevent the download; however, there are limitations. For example, Suricata won't be able to detect files over https.
There is also a limitation (based on configuration) on the size of the file that Suricata will try to reconstruct and calculate the hash on.
Then why can I still download that file? I tried everything; it doesn't even alert me when I change from drop to alert. The file has 4 bytes.
I don’t know what I am doing wrong.
This needs some troubleshooting. You could start by checking if Suricata sees the https request to the remote exe file: enable HTTP transaction logging in the EVE output, try to access the file, and see whether Suricata records that request.
If Suricata does not record that traffic, you might need to check why, for example by checking whether another tool (e.g. tcpdump) sees it or not.
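A small helper for the check suggested in the reply above, added here as an example and not taken from the thread or from Suricata: it reads eve.json lines and reports whether an http event and a fileinfo event for the requested filename were logged, and whether the file was fully reconstructed (state CLOSED rather than TRUNCATED) and hashed. The EVE lines, IP addresses and the md5 value below are constructed sample data; the field names follow Suricata's EVE http and fileinfo event types.

```python
import json

# Constructed sample eve.json lines (not real Suricata output). Field names follow
# Suricata's EVE "http" and "fileinfo" event types; IPs and md5 are placeholders.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.com","url":"/test.exe","http_method":"GET","status":200,"length":4}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","app_proto":"http","fileinfo":{"filename":"/test.exe","state":"CLOSED","md5":"PLACEHOLDER_MD5","size":4,"stored":false}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","http":{"hostname":"example.net","url":"/big.pdf","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:01:02.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.20","dest_ip":"10.0.0.5","app_proto":"http","fileinfo":{"filename":"/big.pdf","state":"TRUNCATED","size":1048576,"stored":false}}
{"timestamp":"2024-01-01T10:02:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.30"}
"""


def check_file_visibility(eve_lines, filename):
    """Summarise what Suricata logged for `filename`: whether the HTTP request
    was seen at all, and for each fileinfo event whether the file was fully
    reconstructed (state CLOSED) and whether an md5 was computed for it."""
    result = {"http_seen": False, "files": []}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        if etype == "http" and ev["http"].get("url", "").endswith(filename):
            result["http_seen"] = True
        elif etype == "fileinfo" and ev["fileinfo"].get("filename", "").endswith(filename):
            fi = ev["fileinfo"]
            result["files"].append({
                "state": fi.get("state"),
                # TRUNCATED means the file hit a reassembly/size limit, so no full hash
                "complete": fi.get("state") == "CLOSED",
                # None means Suricata computed no md5 for this file, so filemd5 cannot match
                "md5": fi.get("md5"),
                "size": fi.get("size"),
            })
    return result


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    print(json.dumps(check_file_visibility(lines, "test.exe"), indent=2))
    print(json.dumps(check_file_visibility(lines, "big.pdf"), indent=2))
```

If `http_seen` is False for the real eve.json, Suricata never saw the request on the monitored interface (or the transfer was https), which is the case the reply says to check next with tcpdump.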