[Oisf-devel] extracted to filestore may not always be original file

Victor Julien victor at inliniac.net
Wed Oct 31 17:08:52 UTC 2012


On 10/29/2012 03:52 PM, Victor Julien wrote:
> On 10/11/2012 11:35 PM, Kyle Creyts wrote:
>> (bug1)
>> I have had this happen to me repeatedly, but I can't reliably
>> reproduce the circumstances; when it does happen, it will happen many
>> times in a row:  suricata[2] drops roughly 1 out of every 3 of the
>> files which should have been extracted due to filestore rules[3].
>> When it does happen, all binaries output seem to be in order, but it
>> seems to only output about 1/3 of the files which should have been
>> extracted (as they triggered filestore rules).
>> When it runs like this, I have noticed that many of the suricata
>> workers jump to reading at about 15MB/s from disk for the duration of
>> the run, and the run takes about 20s to complete on the attached pcap.
>> Otherwise, it takes about 5s, and I don't see any major disk hit.
> 
> Can you share the rules you are testing with? Privately if you want.
> 

Made some fixes today, I now consistently get 251 extracted files.

Can you confirm with the git master or master-1.3.x?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
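The report above is about extractions that silently go missing (and the subject line about files that are not the original). A practitioner chasing this wants a quick audit of the filestore directory rather than eyeballing it. The following script is an added example, not code from this thread or from the Suricata project. It assumes the Suricata 1.x filestore layout of a `file.N` data file beside a `file.N.meta` text file of `KEY: value` lines, and that an `MD5:` line is present in the meta when the md5 was computed; those are assumptions, and the sample store it builds is constructed, not real Suricata output.

```python
import hashlib
import os
import re
import tempfile

# Assumed layout (Suricata 1.x filestore; an assumption, not a spec): each
# extracted file is "file.<N>" with a sibling "file.<N>.meta" of "KEY: value"
# lines, carrying an "MD5:" line when the md5 was computed.
META_RE = re.compile(r"^file\.(\d+)\.meta$")


def parse_meta(path):
    """Parse a file.N.meta file into a dict keyed by upper-cased field name."""
    meta = {}
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            meta[key.strip().upper()] = value.strip()
    return meta


def audit_filestore(store_dir):
    """Cross-check every .meta in store_dir against its data file.

    Returns a dict with:
      total      - number of .meta files seen
      complete   - data file present (and md5 matches when one is recorded)
      missing    - ids whose data file is absent (the 'dropped extraction' case)
      mismatched - ids whose on-disk md5 differs from the MD5 recorded in meta
    """
    result = {"total": 0, "complete": 0, "missing": [], "mismatched": []}
    for name in sorted(os.listdir(store_dir)):
        m = META_RE.match(name)
        if not m:
            continue
        fid = int(m.group(1))
        result["total"] += 1
        data_path = os.path.join(store_dir, "file.%d" % fid)
        if not os.path.isfile(data_path):
            result["missing"].append(fid)
            continue
        meta = parse_meta(os.path.join(store_dir, name))
        recorded = meta.get("MD5")
        if recorded:
            with open(data_path, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
            if actual.lower() != recorded.lower():
                result["mismatched"].append(fid)
                continue
        result["complete"] += 1
    return result


def _write(root, fid, data, md5):
    # Constructed meta content; field names follow the assumed 1.x layout.
    meta = ("TIME: 10/11/2012-23:35:00\nSRC IP: 10.0.0.1\nDST IP: 10.0.0.2\n"
            "FILENAME: sample%d.bin\nMD5: %s\n" % (fid, md5))
    with open(os.path.join(root, "file.%d.meta" % fid), "w") as fh:
        fh.write(meta)
    if data is not None:
        with open(os.path.join(root, "file.%d" % fid), "wb") as fh:
            fh.write(data)


def build_sample_store(root):
    """Constructed sample store: one intact extraction, one meta with no data
    file (extraction dropped), one whose bytes do not match the recorded md5."""
    good = b"MZ\x90\x00 constructed sample"
    _write(root, 1, good, hashlib.md5(good).hexdigest())
    _write(root, 2, None, hashlib.md5(b"never written").hexdigest())
    _write(root, 3, b"truncated", hashlib.md5(b"truncated-but-longer").hexdigest())
    return root


def run_demo():
    """Audit the constructed store and return the summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_filestore(build_sample_store(tmp))


if __name__ == "__main__":
    print(run_demo())
```

Point it at a real filestore directory by calling `audit_filestore("/var/log/suricata/files")`; a non-empty `missing` list is the symptom Kyle describes (meta written, data never landed), while `mismatched` flags extractions whose bytes are not what the meta claims.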