FILE FRAMEWORK | HASHES

The "File Analysis" framework's `hash-all-files` script attaches hash analyzers to every file Zeek reassembles from the traffic, so each `files.log` entry carries the file's hashes. As shipped, the script adds only the MD5 and SHA1 analyzers; to populate the `sha256` column as well, `Files::add_analyzer(f, Files::ANALYZER_SHA256);` has to be added to the `file_new` handler. Prefer SHA256 when pivoting to threat-intel or sandbox lookups — MD5 and SHA1 collisions are practical, so neither should be used on its own as an integrity or allow-list identifier. A row with an empty hash column (see the third file in the output below) typically means the analyzer did not see the complete file (e.g. a transfer with gaps) — confirm against `conn.log`/`files.log` before treating that file as hashed.

#zeek frameworks
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks
 cluster  dpd    intel       notice         signatures
 control  files  netcontrol  packet-filter  software
 
#
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks/files/
 detect-MHR.zeek  entropy-test-all-files.zeek  extract-all-files.zeek  hash-all-files.zeek

root@dco:~$ cat /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
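 ##! Attach hash analyzers to every file Zeek reassembles from the traffic so
 ##! that each files.log entry carries md5, sha1 and sha256.
 ##!
 ##! The stock hash-all-files.zeek adds only the MD5 and SHA1 analyzers, which
 ##! leaves the sha256 column of files.log empty. SHA256 is added here as well:
 ##! it is the hash most threat-intel sources key on, and MD5/SHA1 collisions
 ##! are practical, so neither is a safe sole identifier for integrity or
 ##! allow-list decisions.
 @load base/files/hash

 # file_new is raised for each new file the File Analysis framework starts
 # tracking; the analyzers attached here produce the hash fields in files.log.
 event file_new(f: fa_file)
  {
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
  }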
  
#usage: -r reads the pcap offline; -C tells Zeek to ignore TCP/UDP/IP checksums, which is needed when the capture was taken on a host with checksum offloading (bad checksums would otherwise cause the packets, and the files inside them, to be dropped)
root@dco:~$ zeek -C -r case1.pcap /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@dco:~$ cat files.log | zeek-cut md5 sha1 sha256
 cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904	6137f8db2192e638e13610f75e73b9247c05f4706f0afd1fdb132d86de6b4012
 b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	f808229aa516ba134889f81cd699b8d246d46d796b55e13bee87435889a054fb
 cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4
