Hi Daniel,

Thank you for the input. I may be a bit confused on what you are explaining -- let me try to explain a little more of what I'm trying to figure out. What we did was we took a file that we were alerted on and used third party programs to get the MD5 hash of the file. We compared that to the MD5 hash that OSSEC had after a syscheck scan and they were both different. I am aware that OSSEC outputs MD5/SHA1 hashes in alerts and keeps them in the syscheck databases, but I am interested in how OSSEC comes up with the MD5/SHA1 hash and why it may be different than a couple third party programs that I used to get the MD5/SHA1 hashes.

Again, thank you for your help so far.

On Jun 29, 9:47 am, Daniel Cid <[email protected]> wrote:
> Hi Pat,
>
> OSSEC uses the sha1sum + md5sum concatenated together. So you have to
> use both to compare the results...
>
> That's why we are theoretically safe, because any attack against MD5
> won't work against the sha1 sum and vice
> versa
>
> thanks,
>
> On Tue, Jun 28, 2011 at 5:30 PM, Pat <[email protected]> wrote:
> > Hi All,
> >
> > I wanted to see if someone could help me understand this. I get a
> > difference in MD5 hashes between the MD5 hashes on OSSEC and a third
> > party MD5 hash generator (WinMD5.exe). I am running the same version
> > of the file but I get two different hashes from both of these. Is
> > there something that OSSEC is putting into the equation of the MD5
> > hash that may make it differ than one of a third party tool?
> >
> > Thank you in advance for your help!
> >
> > Pat
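
An added example, not part of the thread and not OSSEC code: one way to check a file against a stored value that holds both digests, as Daniel's reply describes, instead of comparing a bare MD5 to it. It assumes the stored value is the two hex digests joined in either order, with or without a `:` between them; the function names and the sample data are constructed for illustration.

```python
import hashlib
import io

MD5_HEX, SHA1_HEX = 32, 40  # lengths of the hex digests


def file_digests(stream, chunk_size=65536):
    """Return (md5_hex, sha1_hex) from one pass over a binary stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def candidate_pairs(stored):
    """List the (md5, sha1) readings of a stored two-digest value.

    Assumption: the value is both hex digests joined in an unknown order,
    with or without a ':' between them.
    """
    value = stored.strip().lower()
    if ":" in value:
        a, b = value.split(":", 1)
        pairs = [(a, b), (b, a)]
    elif len(value) == MD5_HEX + SHA1_HEX:
        pairs = [(value[:MD5_HEX], value[MD5_HEX:]),
                 (value[SHA1_HEX:], value[:SHA1_HEX])]
    else:
        raise ValueError("not a combined MD5 + SHA1 value")
    return [(m, s) for m, s in pairs
            if len(m) == MD5_HEX and len(s) == SHA1_HEX]


def matches(stored, stream):
    """True only if both the MD5 part and the SHA1 part match the file."""
    return file_digests(stream) in candidate_pairs(stored)


if __name__ == "__main__":
    data = b"constructed sample file contents\n"  # constructed input
    md5_hex, sha1_hex = file_digests(io.BytesIO(data))
    stored = sha1_hex + md5_hex                   # constructed stored value
    print("bare MD5 equals stored value:", md5_hex == stored)
    print("both digests match:", matches(stored, io.BytesIO(data)))
```

When checking a real file, open it in binary mode (`open(path, "rb")`) so that line-ending translation does not change the bytes being hashed.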
