[Oisf-devel] extracted to filestore may not always be original file

Victor Julien victor at inliniac.net
Mon Oct 29 14:52:13 UTC 2012

On 10/11/2012 11:35 PM, Kyle Creyts wrote:
> (bug1)
> I have had this happen to me repeatedly, but I can't reliably
> reproduce the circumstances; when it does happen, it will happen many
> times in a row:  suricata[2] drops roughly 1 out of every 3 of the
> files which should have been extracted due to filestore rules[3].
> When it does happen, all binaries output seem to be in order, but it
> seems to only output about 1/3 of the files which should have been
> extracted (as they triggered filestore rules).
> When it runs like this, I have noticed that many of the suricata
> workers jump to reading at about 15MB/s from disk for the duration of
> the run, and the run takes about 20s to complete on the attached pcap.
> Otherwise, it takes about 5s, and I don't see any major disk hit.

Can you share the rules you are testing with? Privately if you want.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
