<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">
<div>On 20 Apr 2015, at 17:12, Miso Mijatovic &lt;<a href="mailto:mmijatovic@sorint.it">mmijatovic@sorint.it</a>&gt; wrote:</div>
<blockquote type="cite">
<div>Hi,</div>
<div>I need to set up an MD5 blacklist using Suricata 2.1beta3 on SELKS. I wrote a rule to try:</div>
<div><code>alert http any any -&gt; any any (msg:"CHECK file MD5"; filemd5:md5list.txt; gid:10000; sid:1200002; rev:1;)</code></div>
<div>In md5list.txt I have only the MD5 of the file I am trying to check.</div>
<div>I followed the instructions on this page <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction</a> and set up the suricata.yaml:</div>
<div><em>stream.checksum_validation</em> yes</div>
</blockquote>
<div>Can you try with</div>
<div><em>stream.checksum_validation</em> no</div>
<div>?</div>
<div>Thanks</div>
<blockquote type="cite">
<div><em>stream.reassembly.depth</em> 0</div>
<div><em>libhtp.default-config.request-body-limit</em> 0</div>
<div><em>libhtp.default-config.response-body-limit</em> 0 (the server part is commented out)</div>
<div>I used the rule to match some PDFs (for example the one on this page <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5</a>) and I noticed that the signature matches only on small files (some KB). With bigger files the sig doesn't match, and if I search for those files in the files-json.log I see that they are always truncated (even if I can read the file with no problems). I even tried to increase the timeouts in the flow-timeouts section of the suricata.yaml without success.</div>
<div>Does anybody have this problem or know how to solve it?</div>
<div>Thanks,</div>
<div>Miso Mijatovic</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span>Suricata User Conference November 4 &amp; 5 in Barcelona: <a href="http://oisfevents.net">http://oisfevents.net</a></span></div>
</blockquote>
</body></html>
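As an added example (editor's addition, not part of the mail thread above): the suricata.yaml fragment that the settings quoted in the thread correspond to, in the Suricata 2.x file layout, with the change the reply suggests applied. The poster's dotted names (libhtp.default-config.request-body-limit etc.) follow the wiki; in the 2.x suricata.yaml that section sits under app-layer.protocols.http.libhtp, and files-json.log is written by the file-log output. The caveat a practitioner wants here: with checksum-validation set to yes, packets that fail TCP/IP checksum validation are not handed to stream reassembly, and on a sensor whose NIC does checksum offloading many valid packets fail that check, so large transfers end up logged as truncated while small ones that fit in a few segments still match. The values marked "was:" are the ones reported in the thread; the force-md5 line is an assumption about what the poster would want, not something they stated.

```yaml
# Added example: suricata.yaml keys discussed in the thread, Suricata 2.x layout.
# Lines marked "was:" show the value the poster reported.

stream:
  # was: yes. Segments failing checksum validation never reach reassembly,
  # so with NIC checksum offloading on the capture interface the stream
  # (and any file carried in it) is cut short and logged as TRUNCATED.
  checksum-validation: no
  reassembly:
    depth: 0                  # 0 = no reassembly depth limit (large files)

app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 0    # 0 = inspect the whole request body (uploads)
          response-body-limit: 0   # 0 = inspect the whole response body (downloads)
        # server-config left commented out, as in the poster's setup; a
        # per-server block here would re-impose its own body limits.

outputs:
  # file-log writes files-json.log; its "state" field shows CLOSED for a
  # completely seen file and TRUNCATED for one cut short, which is the
  # first thing to check when a filemd5 rule does not fire.
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      force-magic: no
      force-md5: yes    # assumption: log the md5 of every file, not only matches
```

The rule itself stays as posted; filemd5:md5list.txt resolves the list relative to default-rule-path, and the list holds one 32-character hex MD5 per line, as md5sum prints it. A hash can only match once the file has been seen in full, so a file logged as TRUNCATED will not fire the rule whatever the list contains.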