Hi, I have a malware pcap file for analysis that I have tcpreplayed, and the stream data is captured using Splunk Stream. Now the problem is that I have a list of MD5 hashes as a lookup table, and I would like to compare the MD5 hashes in the lookup table with the .txt files or .exe files found in the pcap stream. I would like to generate MD5 hashes of the .txt and .exe files and compare them with the lookup table.
I have also researched that I can extract a field as an MD5 hash, e.g. I extract the field src_content as an MD5 hash. But when I tried that, it seems like the MD5 hash does not match the .txt file, e.g. hi.txt, that I extracted from Wireshark. I used md5sum on Ubuntu Linux to generate the MD5 hash for hi.txt.
What am I doing wrong here?
Hi, let me simplify the question.
I want to find out how to generate MD5 hashes of payload data in Splunk Stream.
E.g. the payload data is a pcap file that I have uploaded. In the pcap file, there are malware activities, and the malware uploaded some .exe and .txt files.
The question is how do I extract these files found in the Splunk Stream data and generate MD5 hashes from them?
I have a lookup table that contains malicious MD5 hashes of malware that I want to compare against.
Once that is done, how can I compare the hashes with the lookup table? Can you give an example of the search for this use case?
I have found out that I can do this by using content extraction in Splunk Stream. But the hashes do not match because in Splunk Stream, the dest and src content payload data contains the content headers, which I do not want. I only want to hash the file inside. How do I do it?
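The mismatch described in the thread comes from hashing the whole captured HTTP message (headers plus body) rather than the transferred file alone. The following is an added example, not code from the original posts or from Splunk Stream: it splits a captured HTTP payload at the blank line that ends the headers, trims the body to the declared Content-Length, hashes only that body, and checks the result against a lookup set. The sample response and the lookup entry are constructed (the entry is just md5 of the sample body); chunked transfer encoding is assumed absent and is not handled.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample: an HTTP response as a captured content field would carry it,
# with headers followed by the file body. Hypothetical values, not from a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"hello\n"
)

# Constructed lookup table standing in for the CSV of known-bad MD5s.
# The single entry is md5(b"hello\n"), the same value `md5sum` prints for that file.
MALICIOUS_MD5 = {"b1946ac92492d2347c6235b4d2611184"}


def split_http_payload(payload: bytes) -> Tuple[bytes, bytes]:
    """Return (headers, body); the body starts after the first blank line."""
    sep = payload.find(b"\r\n\r\n")
    if sep != -1:
        return payload[:sep], payload[sep + 4:]
    sep = payload.find(b"\n\n")          # tolerate bare-LF captures
    if sep != -1:
        return payload[:sep], payload[sep + 2:]
    return payload, b""                  # no header terminator: nothing to hash


def content_length(headers: bytes) -> Optional[int]:
    """Parse Content-Length from the header block, or None if absent/invalid."""
    for line in headers.replace(b"\r\n", b"\n").split(b"\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def file_md5_from_http(payload: bytes) -> str:
    """MD5 of the file body only, trimmed to Content-Length when declared."""
    headers, body = split_http_payload(payload)
    declared = content_length(headers)
    if declared is not None:
        body = body[:declared]           # drop any trailing bytes past the file
    return hashlib.md5(body).hexdigest()


def is_known_bad(payload: bytes, lookup=MALICIOUS_MD5) -> bool:
    """True when the body hash appears in the malicious-hash lookup."""
    return file_md5_from_http(payload) in lookup
```

The same split (hash the bytes after the first blank line, not the whole field) is what needs to happen to the src/dest content field before comparing with the lookup.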