<div dir="ltr">Hello,<div><br></div><div>I recently enabled filestore and am working on MD5 alerting. The issue I am running into is that I am randomly getting files listed in files-json.log as truncated (I am currently mostly interested in just Win32 executables), and as such the hash is not generated. If I download an executable repeatedly, it will sometimes generate the MD5 successfully, but I cannot seem to figure out what specifically is the problem. Looking at the stats file, no packets are being dropped. If anyone has any suggestions, it would be greatly appreciated. Thanks.</div>
<div><br></div><div>Configuration settings that may or may not prove useful:</div><div><br></div>
<pre>
  - file-store:
      enabled: yes        # set to yes to enable
      log-dir: files      # directory to store the files
      force-magic: yes    # force logging magic on all stored files
      force-md5: yes      # force logging of md5 checksums
      waldo: file.waldo   # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: no
      force-magic: yes    # force logging magic on all logged files
      force-md5: yes      # force logging of md5 checksums

af-packet:
  - interface: em3 em4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_cpu
    defrag: yes
    use-mmap: yes
    checksum-checks: no
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes

stream:
  memcap: 4gb
  max-sessions: 2000000
  prealloc-sessions: 1000000
  checksum-validation: yes   # reject wrong csums
  inline: no                 # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 8gb
    depth: 0                 # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

pfring:
  - interface: em3 em4
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
    # bpf filter for this interface
    bpf-filter: tcp
    checksum-checks: no

libhtp:

  default-config:
    personality: IDS

    request-body-limit: 0
    response-body-limit: 0

    # inspection limits
    request-body-minimal-inspect-size: 32kb
    request-body-inspect-window: 4kb
    response-body-minimal-inspect-size: 32kb
    response-body-inspect-window: 4kb

    # decoding
    double-decode-path: no
    double-decode-query: no
</pre>
</div>
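To narrow down the intermittent truncation described in the post, it helps to tally, per downloaded URI, how often files-json.log records the file as CLOSED versus TRUNCATED, the largest size seen, and how many entries lack an md5. The script below is an added example, not code from the original post or from Suricata; the JSON field names follow the legacy files-json.log layout and are an assumption to check against your own log, and the sample lines, hosts and hashes are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample entries in the legacy files-json.log layout (one JSON
# object per line). Field names are an assumption based on that format;
# host, URI and hash values are made up.
SAMPLE_LOG = """\
{"srcip": "10.0.0.5", "dstip": "203.0.113.7", "http_host": "dl.example.test", "http_uri": "/tool.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "CLOSED", "md5": "0123456789abcdef0123456789abcdef", "stored": true, "size": 204800}
{"srcip": "10.0.0.5", "dstip": "203.0.113.7", "http_host": "dl.example.test", "http_uri": "/tool.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "TRUNCATED", "stored": true, "size": 65536}
{"srcip": "10.0.0.5", "dstip": "203.0.113.7", "http_host": "dl.example.test", "http_uri": "/tool.exe", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "state": "TRUNCATED", "stored": true, "size": 131072}
{"srcip": "10.0.0.9", "dstip": "203.0.113.7", "http_host": "dl.example.test", "http_uri": "/index.html", "magic": "HTML document, ASCII text", "state": "CLOSED", "md5": "fedcba9876543210fedcba9876543210", "stored": false, "size": 4096}
"""

def parse_file_log(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def is_win32_exe(entry):
    """libmagic labels Windows executables with a 'PE32' prefix."""
    return entry.get("magic", "").startswith("PE32")

def truncation_report(entries):
    """Per (host, uri): count file states, largest size seen, entries lacking md5.
    A URI seen both CLOSED and TRUNCATED at smaller sizes points at the capture
    or reassembly path dropping data rather than at a bad file."""
    report = defaultdict(lambda: {"states": Counter(), "max_size": 0, "no_md5": 0})
    for e in entries:
        if not is_win32_exe(e):
            continue
        key = (e.get("http_host", ""), e.get("http_uri", ""))
        rec = report[key]
        rec["states"][e.get("state", "UNKNOWN")] += 1
        rec["max_size"] = max(rec["max_size"], int(e.get("size", 0)))
        if not e.get("md5"):
            rec["no_md5"] += 1
    return dict(report)

if __name__ == "__main__":
    for (host, uri), rec in truncation_report(parse_file_log(SAMPLE_LOG)).items():
        print(host + uri, dict(rec["states"]), "max_size", rec["max_size"], "no_md5", rec["no_md5"])
```

Run it against the real files-json.log by replacing SAMPLE_LOG with the file contents; a URI that alternates between CLOSED and TRUNCATED with sizes below the completed download is the one worth correlating with the capture interface and stream settings above.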