Respect `read_max` flag when hashing using ssdeep by sharvilshah · Pull Request...
source link: https://github.com/osquery/osquery/pull/7367
Current Behaviour: all the columns of the hash table respect the read_max parameter, except the ssdeep one:
$ dd if=/dev/urandom of=/tmp/temp100m bs=1m count=100
osquery> select * from file where path = '/tmp/temp100m';
path = /tmp/temp100m
directory = /tmp
filename = temp100m
inode = 23579345
uid = 501
gid = 0
mode = 0644
device = 0
size = 104857600
block_size = 4096
atime = 1635514968
mtime = 1635514957
ctime = 1635514957
btime = 1635514957
hard_links = 1
symlink = 0
type = regular
bsd_flags =
osquery> select * from hash where path = '/tmp/temp100m';
W1029 19:13:48.575589 319819264 filesystem.cpp:140] Cannot read /tmp/temp100m size exceeds limit: 104857600 > 52428800
path = /tmp/temp100m
directory = /tmp
md5 =
sha1 =
sha256 =
ssdeep = 3145728:9YMq2A0dZIz0Dekp7/29h9o4RKocGQZhWAQg+u2zsZRvGc:+N0d+zkeOKRKCQZEwbvGc
This change will make ssdeep respect the read_max parameter too:
osquery> select * from hash where path = '/tmp/temp100m';
W1029 19:25:40.648039 469794304 filesystem.cpp:140] Cannot read /tmp/temp100m size exceeds limit: 104857600 > 52428800
W1029 19:25:40.648102 469794304 glog_logger.cpp:34] ssdeep failed because file size exceeds read_max: /tmp/temp100m
path = /tmp/temp100m
directory = /tmp
md5 =
sha1 =
sha256 =
ssdeep =
This was previously discussed in office hours: https://github.com/osquery/foundation/blob/master/docs/office-hours/20210622_meeting_notes.md#read_max-parameter-and-ssdeep
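As an added illustration of the point this PR makes (example code written here, not osquery's own), a hashing helper that applies the read_max size gate once, before any digest runs, so a fuzzy-hash column cannot bypass it; the fuzzy hasher is a labelled stand-in, not ssdeep, and the sample file is constructed.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, Optional

# osquery's default read_max (50 MiB), the limit shown in the PR's log lines.
DEFAULT_READ_MAX = 52428800

def stand_in_fuzzy(data: bytes) -> str:
    """Stand-in for an ssdeep-style column (constructed for this example, not
    ssdeep); it only models a hasher that needs the whole file buffer."""
    return "fuzzy:" + hashlib.blake2s(data, digest_size=8).hexdigest()

def hash_columns(path: str, read_max: int = DEFAULT_READ_MAX,
                 fuzzy: Optional[Callable[[bytes], str]] = stand_in_fuzzy) -> Dict[str, str]:
    """Hash-table style columns for path. The size gate runs once, before any
    hasher touches the file, so every column honours read_max; oversized
    files yield empty strings, as osquery prints after this PR."""
    columns = {"path": path, "md5": "", "sha1": "", "sha256": "", "ssdeep": ""}
    if os.stat(path).st_size > read_max:
        return columns  # single gate: nothing below this line reads the file
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    buf = bytearray()  # the fuzzy hasher needs the full content, so keep a copy
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
            if fuzzy is not None:
                buf.extend(chunk)
    columns["md5"], columns["sha1"] = md5.hexdigest(), sha1.hexdigest()
    columns["sha256"] = sha256.hexdigest()
    if fuzzy is not None:
        columns["ssdeep"] = fuzzy(bytes(buf))
    return columns

def make_sample(size: int) -> str:
    """Write a constructed sample file of `size` bytes and return its path."""
    fd, path = tempfile.mkstemp(prefix="hash_sample_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"A" * size)
    return path

if __name__ == "__main__":
    sample = make_sample(100)
    print(hash_columns(sample, read_max=50))   # every hash column empty
    print(hash_columns(sample, read_max=200))  # every hash column populated
```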