md5, sha256, and sha512

There are three "hash" options, each of which checks some payload data against a hash value: md5, sha256, and sha512.

Each option requires two arguments: the actual hash enclosed in double quotes and the number of bytes from the payload to get the hash of. Users can also specify an offset argument to check for bytes at a specific location and/or the relative argument to hash the bytes relative to the current cursor location.

The offset value can be either an integer in the range -65535:65535 or the name of a variable extracted with byte_extract.

Lastly, each hash option can be negated by placing a ! before the hash value.

All three options are structured the same way; the only difference is the option name.

Note: Because hash values are typically represented in hex format, the hash values should also be enclosed in vertical bars (|) inside the quotes.

md5

Format:

md5:[!]"|hash|", length length[, offset offset][, relative];

Examples:

md5:"|7cf2db5ec261a0fa27a502d3196a6f60|", length 100, offset 0, relative;

sha256

Format:

sha256:[!]"|hash|", length length[, offset offset][, relative];

Examples:

sha256:"|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e|", \
       length 100, offset 0, relative;

sha512

Format:

sha512:[!]"|hash|", length length[, offset offset][, relative];

Examples:

sha512:"|d8fefb4255686e6bf365b0f4763fad983f624beb7cbbb59b617c745c346b8db51a870fe0a89cfba036cfbf2d011686b881acd8ab3278b318a304227ac2a99072|", \
       length 100, offset 0, relative;
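
The following is an added example, not part of the original page or of the detection engine's own code: it builds one of these options from a payload slice and checks an option string against a payload, so a rule author can confirm the hash, length and offset agree before deploying a rule. The cursor model (the window starts at the cursor plus offset when relative is set, otherwise at the payload start plus offset), the no-match result for a window that leaves the payload, and the names SAMPLE, window, build_option and evaluate are assumptions of this sketch; offsets taken from byte_extract variables are not handled.

```python
import hashlib
import re

ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}
# Matches the option format shown above, with a literal integer offset only.
OPTION_RE = re.compile(
    r'^(md5|sha256|sha512):(!?)"\|([0-9a-fA-F]+)\|", length (\d+)'
    r'(?:, offset (-?\d+))?(, relative)?;$'
)
SAMPLE = b"GET /" + bytes(range(100))  # constructed payload, not real traffic

def window(payload, length, offset=0, relative=False, cursor=0):
    """Return the bytes to hash, or None if the window leaves the payload."""
    if not -65535 <= offset <= 65535:
        raise ValueError("offset must be in -65535:65535")
    start = (cursor if relative else 0) + offset  # assumed cursor model
    if length <= 0 or start < 0 or start + length > len(payload):
        return None
    return payload[start:start + length]

def build_option(algo, payload, length, offset=None, relative=False,
                 cursor=0, negate=False):
    """Hash the selected bytes and render the rule option text."""
    data = window(payload, length, offset or 0, relative, cursor)
    if data is None:
        raise ValueError("window outside payload")
    digest = ALGOS[algo](data).hexdigest()
    text = f'{algo}:{"!" if negate else ""}"|{digest}|", length {length}'
    if offset is not None:
        text += f", offset {offset}"
    if relative:
        text += ", relative"
    return text + ";"

def evaluate(option, payload, cursor=0):
    """Model whether a hash option would match the payload at this cursor."""
    m = OPTION_RE.match(option)
    if not m:
        raise ValueError("not a literal-offset hash option")
    algo, neg, hexhash, length, offset, rel = m.groups()
    if len(hexhash) != ALGOS[algo]().digest_size * 2:
        raise ValueError("hash length does not fit " + algo)
    data = window(payload, int(length), int(offset or 0), bool(rel), cursor)
    if data is None:
        return False  # assumption: an out-of-range window never matches
    same = ALGOS[algo](data).hexdigest() == hexhash.lower()
    return same != bool(neg)  # a leading ! inverts the comparison
```

The length check in evaluate catches a common authoring mistake: pasting a digest of one algorithm under another option name.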