[Oisf-users] Suricata 1.4 Meta Files and Data Files produced from File Extraction

Vincent Fang vincent.y.fang at gmail.com
Fri Jun 7 07:41:05 UTC 2013


We're trying to use the meta files and data files created by Suricata to
send data to one of our servers. However, we're running into an issue where,
if we open a file too early, we get incomplete data from either the
data file or the meta file. Note that we also have force-magic, MD5 hash, and
file extraction enabled in our suricata.yaml file.

What condition can we assume to be true so that we can open and read the
meta file and the data file safely without it being incomplete?

Using Python as our scripting language to access those files, I assumed
that if the data file was done, all the data in the meta file would be
complete as well, but I get scenarios where the MAGIC, STATE, MD5, and SIZE
were missing. I'm assuming this is because Suricata is calculating those
values from the data file, then reopening the meta file and adding those
last values in?


Vince
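One way to implement the "is it safe to read yet" check the post asks about, written as an added example in Python (it is not from the original post and not Suricata's own code). It assumes the meta file is a series of `KEY: value` lines, that MAGIC, STATE, MD5 and SIZE are the fields Suricata appends last, and that a STATE of CLOSED means the file was fully extracted; the sample meta/data files are constructed in a temp directory. Rather than trusting the existence of the data file, the check requires the trailing meta fields to be present and then verifies the data file on disk against the SIZE and MD5 recorded in the meta file, so a file that is still being written, or that grew after the meta was written, is never shipped.

```python
import hashlib
import os
import tempfile

# Fields the post reports as missing when the meta file is read too early.
# Treating them as "written last" is an assumption about Suricata's behaviour.
FINAL_FIELDS = ("MAGIC", "STATE", "MD5", "SIZE")
# Assumed: CLOSED marks a fully extracted file; any other state is not shippable.
READY_STATES = {"CLOSED"}

# Constructed sample payload; not a real extracted file.
SAMPLE_DATA = b"%PDF-1.4\n% constructed sample payload\n"


def parse_meta(text):
    """Parse 'KEY: value' lines into a dict; keys upper-cased, values stripped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().upper()] = value.strip()
    return fields


def meta_is_complete(fields):
    """True only when every trailing field exists and STATE says extraction finished."""
    return all(k in fields for k in FINAL_FIELDS) and fields["STATE"] in READY_STATES


def md5_of_file(path):
    """Stream the data file through MD5 so large extractions do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def extracted_file_ready(data_path, meta_path):
    """Return (ready, reason). Ready means: meta has its final fields, STATE is
    CLOSED, and the data file's size and MD5 match what the meta file records."""
    if not (os.path.exists(meta_path) and os.path.exists(data_path)):
        return False, "meta or data file not present yet"
    with open(meta_path, "r") as f:
        fields = parse_meta(f.read())
    if not meta_is_complete(fields):
        return False, "meta file lacks final fields; still being written"
    size = os.path.getsize(data_path)
    if str(size) != fields["SIZE"]:
        return False, "SIZE in meta (%s) != data file size (%d)" % (fields["SIZE"], size)
    if md5_of_file(data_path).lower() != fields["MD5"].lower():
        return False, "MD5 in meta does not match data file"
    return True, "complete"


def _write(path, content, mode="w"):
    with open(path, mode) as f:
        f.write(content)


def demo():
    """Constructed scenario: one data file, three successive states of its meta file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        data = os.path.join(d, "file.1")
        meta = data + ".meta"
        _write(data, SAMPLE_DATA, "wb")
        # 1. Meta written only up to FILENAME; the final fields are not there yet.
        partial = ("TIME: 06/07/2013-07:41:05.000000\nSRC IP: 10.0.0.1\n"
                   "DST IP: 10.0.0.2\nFILENAME: sample.pdf\n")
        _write(meta, partial)
        results["partial_meta"] = extracted_file_ready(data, meta)[0]
        # 2. Final fields appended and consistent with the data file on disk.
        full = partial + "MAGIC: PDF document\nSTATE: CLOSED\nMD5: %s\nSIZE: %d\n" % (
            hashlib.md5(SAMPLE_DATA).hexdigest(), len(SAMPLE_DATA))
        _write(meta, full)
        results["complete"] = extracted_file_ready(data, meta)[0]
        # 3. Data file changed after the meta was written: size no longer matches.
        _write(data, SAMPLE_DATA + b"trailing bytes", "wb")
        results["size_mismatch"] = extracted_file_ready(data, meta)[0]
    return results


if __name__ == "__main__":
    for name, ready in demo().items():
        print("%-14s ready=%s" % (name, ready))
```

In a polling loop the natural pattern is to skip any pair for which `extracted_file_ready` returns False and retry on the next pass; because the MD5 comparison reads the whole data file, keep the loop's interval coarse enough that re-hashing large files does not dominate the collector.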

