[Oisf-users] How many of you use "filestore" ?

Travel Factory S.r.l. mc8647 at mclink.it
Thu Apr 12 11:25:26 UTC 2012


I use filestore on a test network setup where traffic is generated by 
one server and received by another, and Suricata correctly saves all 
the files, even when the 1 Gbit switch is filled with data.

When I use filestore on the production network, I get incomplete 
files. Bandwidth usage is way lower and I can't find the real reason I 
get truncated files.

I think I may have two classes of problems, network and memory.
I can't see indications of memory problems in Suricata stats.
For network, I have very strict flow timeouts... so my idea is that I 
have some packets arriving late and triggering the timeout.
I did a test with an IBM repository that dumped a truncated file:
- used wget, always perfectly dumped files
- used Firefox, waiting a long time before confirming that we want to 
save the file locally, always perfectly dumped files
- used IE. When waiting for a long time before confirming the file 
name, I get truncated files, actually about 160 KB. If I confirm 
quickly I get the whole file.

So it may be a timeout problem when a human is at the console.

Can anybody confirm my findings?

Francesco
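For readers unfamiliar with the settings discussed above, here is an added suricata.yaml excerpt (not from the original post) showing the file-store output, the flow-timeouts block the post suspects, and the stream reassembly depth, which independently caps how much of a file the file-store output can write; the values are illustrative, not recommendations.

```yaml
# Added illustration, not the poster's configuration. Values are examples.

outputs:
  - file-store:
      enabled: yes
      log-dir: files          # relative to default-log-dir
      force-magic: no
      force-md5: no

# A flow idle for longer than the matching timeout is closed, and a file
# still being extracted over it is closed in its partial (truncated) state.
# The "tcp" block overrides "default" for TCP flows.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
  tcp:
    new: 60
    established: 3600       # a "very strict" setup would use a much lower value
    closed: 120

# Independently of flow timeouts, file extraction stops once the stream
# reassembly depth is reached for that flow; 0 disables the limit.
stream:
  memcap: 32mb
  reassembly:
    memcap: 64mb
    depth: 1mb
```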


