[Oisf-devel] extracted to filestore may not always be original file

Victor Julien victor at inliniac.net
Fri Oct 12 14:52:09 UTC 2012

On 10/11/2012 11:35 PM, Kyle Creyts wrote:
> Has anyone else noticed that some percentage of the time[1] when a
> rule with filestore in it triggers, a file will be either not be
> written to filestore (bug1), or may be written in a jumbled and
> sometimes incomplete fashion (bug2)?
> (bug2)
> In the other case (logs, files, and input pcap attached) it outputs 1
> binary for every binary that triggered the filestore rules, but some
> small percent of these binaries may be missing chunks, may have extra
> chunks, or may be written in a jumbled order. This is something I have
> been able to reliably reproduce, and have attached extensive debug
> logs for.

Bug confirmed, thanks.

Check https://redmine.openinfosecfoundation.org/issues/601, it contains
a patch too. Will test it some more before pushing it out.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list