[Oisf-devel] file extraction -- Re: [COMMIT] OISF branch, master, updated. a556338936ad3cd2b0379a6985fb62084368d99e

Victor Julien victor at inliniac.net
Tue Nov 29 17:28:46 UTC 2011

On 11/29/2011 06:20 PM, Chris Wakelin wrote:
>> Finally there is the filestore keyword. It is the simplest of all: if
>> the rule matches, the files will be written to disk.
> I've been trying this with a few pcaps. However, I've found if I've
> added "filestore" to some rules, it seems to write files even when they
> don't match.

What rules have you modified for it?

> I've got a couple of examples of truncated files as well, even with
> libhtp/default-config/response-body-limit: 0
> stream/reassembly/depth: 0
> though it's possible, I suppose, that the pcaps are broken.

There are some of those, but it can also be an issue in our code. Things
can break on the stream level, in the HTTP parsing level and finally in
the file handling itself :)

> In practice, I think limits of 1MB (it's very rare to see a malicious
> binary bigger than this) or perhaps 10MB should be enough for most
> cases. Is it possible to have a time limit as well (similar to the
> streamdb Martin was talking about)?

Not sure I see the value of the time out here. We start writing to disk
as soon as we know we want to store the file, then we just feed new data
into it until we hit some kind of limit. Nothing much residing in memory.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
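
The write-as-you-go storage with a size limit discussed in this message, as an added example that is not part of the original e-mail and is not Suricata's code. All names are hypothetical, and treating a limit of 0 as "no cap" is an assumption of this sketch.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical names throughout; this is not Suricata's file API. */
enum store_state { STORE_OPEN, STORE_CLOSED, STORE_TRUNCATED };

struct file_store {
    FILE *fp;               /* opened once the decision to store is made */
    size_t limit;           /* byte cap; 0 means no cap (assumption) */
    size_t written;         /* bytes handed to the file so far */
    enum store_state state;
};

/* Feed one reassembled chunk and return the bytes written. Nothing is
 * buffered here: each byte goes to the file or is dropped at the cap. */
size_t store_feed(struct file_store *s, const unsigned char *data, size_t len)
{
    size_t room = len, n;

    if (s->state != STORE_OPEN)
        return 0;
    if (s->limit != 0 && s->limit - s->written < len)
        room = s->limit - s->written;
    n = fwrite(data, 1, room, s->fp);
    s->written += n;
    if (n < len)
        s->state = STORE_TRUNCATED;   /* cap reached or write error */
    return n;
}

/* End of transfer: a file that hit the cap stays marked as truncated. */
enum store_state store_end(struct file_store *s)
{
    if (s->state == STORE_OPEN)
        s->state = STORE_CLOSED;
    fflush(s->fp);
    return s->state;
}

int main(void)
{
    unsigned char chunk[400] = {0};   /* constructed sample data */
    FILE *fp = tmpfile();
    if (fp == NULL) return 1;
    struct file_store s = { fp, 1000, 0, STORE_OPEN };
    for (int i = 0; i < 3; i++)
        store_feed(&s, chunk, sizeof chunk);
    printf("written=%zu truncated=%d\n", s.written, store_end(&s) == STORE_TRUNCATED);
    fclose(fp);
    return 0;
}
```

Recording the truncated state next to the stored file lets an analyst tell a file cut at the limit from a complete one before hashing or scanning it.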
