<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi,</div><div><br data-mce-bogus="1"></div><div>i need to set up a black md5 list using Suricata2.1beta3 on Selks. I wrote a rule to try:<br data-mce-bogus="1"></div><div></div><div><br data-mce-bogus="1"></div><div data-mce-bogus="1">alert http any any -> any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)<br></div><div data-mce-bogus="1"><br data-mce-bogus="1"></div><div data-mce-bogus="1">In md5list.txt i have only the md5 of the file i am trying to check.<br data-mce-bogus="1"></div><div data-mce-bogus="1">I followed the instructions on this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction and set up the suricata.yaml:<br data-mce-bogus="1"></div><div data-mce-bogus="1"><em>stream.checksum_validation</em> yes<br></div><div data-mce-bogus="1"><em>stream.reassembly.depth</em> 0<br></div><div data-mce-bogus="1"><em>libhtp.default-config.request-body-limit </em>0</div><div><em>libhtp.default-config.response-body-limit</em> 0 (the server part is commented)<br></div><div><br data-mce-bogus="1"></div><div>I used the rule to match some pdf (for example the one at this page https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5) and i noticed that the signature matches only on small files (some kb). With bigger files the sig doesn't match and if i search for those files in the files-json.log i see that are always truncated (even if i can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of the sutricata.yaml without success.<br></div><div><br data-mce-bogus="1"></div><div>Does anybody have this problem or know how to solve it?<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Thanks,</div><div><br data-mce-bogus="1"></div><div data-mce-bogus="1">Miso Mijatovic</div><div></div><div></div></div></body></html>