<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Jeremy,<br>
<br>
      I've been reviewing my file extraction logs and it definitely
      appears that there is an issue where some http servers result
in truncated files consistently. I'm hazarding a guess it may be
due to some HTTP 1.1 feature (like chunked encoding) not being
fully supported on libhttp.<br>
<br>
However, I tried getting a similar file (the one you referenced
was 404'ed) and didn't see anything unusual:<br>
<br>
<blockquote type="cite">GET /2015/icelandic/dictionary.pdf
HTTP/1.1.<br>
Host: css4.pub.<br>
User-Agent: curl/7.54.1.<br>
Accept: */*.<br>
<br>
HTTP/1.1 200 OK.<br>
Date: Wed, 02 Aug 2017 17:46:15 GMT.<br>
Server: Apache.<br>
Last-Modified: Wed, 15 Apr 2015 22:30:49 GMT.<br>
ETag: "542b36-513cae6241840".<br>
Accept-Ranges: bytes.<br>
Content-Length: 5516086.<br>
Content-Type: application/pdf.<br>
</blockquote>
<br>
As an aside, you might try upgrading to the most recent suricata
release (4.0) and seeing if that fixes the issue.<br>
<br>
-Coop<br>
<br>
On 7/24/2017 11:25 AM, Jeremy A. Grove wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1016558240.9556972.1500920723243.JavaMail.zimbra@quadrantsec.com">
<div>I am using AF-packet with the below options.</div>
<div><br data-mce-bogus="1">
</div>
      <pre>  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    checksum-checks: kernel
  - interface: eth1
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
  - interface: eth2
    threads: auto
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
  - interface: eth3
    threads: auto
    cluster-id: 96
    cluster-type: cluster_flow
    defrag: yes</pre>
<div><br>
</div>
<div data-marker="__SIG_PRE__">
<div><span data-mce-style="font-family: 'Segoe UI', 'Lucida
Sans', sans-serif; font-size: 14.16px;">Jeremy Grove, SSCP</span><br
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">
<span data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">Senior Information Security
Analyst</span><br data-mce-style="font-family: 'Segoe UI',
'Lucida Sans', sans-serif; font-size: 14.16px;">
<span data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">Quadrant Information
Security</span><br data-mce-style="font-family: 'Segoe UI',
'Lucida Sans', sans-serif; font-size: 14.16px;">
<span data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">o: </span><span
class="Object" id="OBJ_PREFIX_DWT146_com_zimbra_phone"
data-mce-style="color: #005a95; cursor: pointer;
font-family: 'Segoe UI', 'Lucida Sans', sans-serif;
font-size: 14.16px;"><a href="callto:%28904%29296-9100"
target="_blank" data-mce-style="color: #005a95;
text-decoration: none; cursor: pointer;"
moz-do-not-send="true">(904)296-9100</a></span><span
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;"> x100</span><br
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">
<span data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">t: </span><span
class="Object" id="OBJ_PREFIX_DWT147_com_zimbra_phone"
data-mce-style="color: #005a95; cursor: pointer;
font-family: 'Segoe UI', 'Lucida Sans', sans-serif;
font-size: 14.16px;"><a href="callto:%28800%29%20538-9357"
target="_blank" data-mce-style="color: #005a95;
text-decoration: none; cursor: pointer;"
moz-do-not-send="true">(800) 538-9357</a></span><span
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;"> x100</span><br
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">
<span data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">e:</span><span
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;"> </span><span
class="Object" id="OBJ_PREFIX_DWT148_ZmEmailObjectHandler"
data-mce-style="color: #005a95; cursor: pointer;
font-family: 'Segoe UI', 'Lucida Sans', sans-serif;
font-size: 14.16px;"><a class="moz-txt-link-abbreviated"
href="mailto:soc@quadrantsec.com" target="_blank"
data-mce-style="color: #005a95; text-decoration: none;
cursor: pointer;" moz-do-not-send="true">soc@quadrantsec.com</a></span><br
data-mce-style="font-family: 'Segoe UI', 'Lucida Sans',
sans-serif; font-size: 14.16px;">
</div>
</div>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042</pre>
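    <p>An added example, not part of the original message or of Suricata itself: one way to check from the file extraction logs whether truncation really is consistent per HTTP server. It assumes EVE JSON output with <code>fileinfo</code> events carrying <code>fileinfo.state</code> and <code>http.hostname</code>; the hostnames and records below are constructed sample data.</p>

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not taken from the thread). Field names
# follow Suricata's EVE "fileinfo" event type and are assumed to match your version.
SAMPLE_EVE = """\
{"event_type":"fileinfo","http":{"hostname":"files.example.test","url":"/a.pdf"},"fileinfo":{"filename":"/a.pdf","state":"TRUNCATED","size":1048576}}
{"event_type":"fileinfo","http":{"hostname":"files.example.test","url":"/b.pdf"},"fileinfo":{"filename":"/b.pdf","state":"TRUNCATED","size":1048576}}
{"event_type":"fileinfo","http":{"hostname":"mirror.example.test","url":"/c.pdf"},"fileinfo":{"filename":"/c.pdf","state":"CLOSED","size":5516086}}
{"event_type":"fileinfo","http":{"hostname":"mirror.example.test","url":"/d.pdf"},"fileinfo":{"filename":"/d.pdf","state":"TRUNCATED","size":2048}}
{"event_type":"fileinfo","http":{"hostname":"mirror.example.test","url":"/e.pdf"},"fileinfo":{"filename":"/e.pdf","state":"CLOSED","size":4096}}
{"event_type":"fileinfo","http":{"hostname":"single.example.test","url":"/f.pdf"},"fileinfo":{"filename":"/f.pdf","state":"TRUNCATED","size":10}}
{"event_type":"http","http":{"hostname":"files.example.test","url":"/a.pdf"}}
{"event_type":"fileinfo","http":{"hostname":"files.exa
"""


def truncation_by_host(lines, min_files=2):
    """Return {hostname: (truncated, total, ratio)} for hosts with >= min_files files."""
    counts = defaultdict(lambda: [0, 0])  # host -> [truncated, total]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written last line is normal in a live log
        if event.get("event_type") != "fileinfo":
            continue
        host = event.get("http", {}).get("hostname", "<unknown>")
        state = event.get("fileinfo", {}).get("state")
        counts[host][1] += 1
        counts[host][0] += int(state == "TRUNCATED")
    return {h: (t, n, t / n) for h, (t, n) in counts.items() if n >= min_files}


def consistently_truncated(stats):
    """Hosts where every observed file was truncated."""
    return sorted(h for h, (_, _, ratio) in stats.items() if ratio == 1.0)


if __name__ == "__main__":
    stats = truncation_by_host(SAMPLE_EVE.splitlines())
    for host, (t, n, ratio) in sorted(stats.items()):
        print(f"{host}: {t}/{n} truncated ({ratio:.0%})")
    print("always truncated:", consistently_truncated(stats))
```

    <p>Hosts that show up as always truncated are the ones worth capturing a full request and response for, to see whether the responses share a feature such as chunked transfer encoding.</p>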
</body>
</html>